Add aws_rds_iam_token utlity module for creating rds iam tokens for a…

…uthenticating over IAM towards RDS or Aurora
aws-beam · Sep 20, 2024 · e126c69 · e126c69
1 parent 993ca75
commit e126c69
Showing 1 changed file with 44 additions and 0 deletions.
diff --git a/src/aws_rds_iam_token.erl b/src/aws_rds_iam_token.erl
@@ -0,0 +1,44 @@
+-module(aws_rds_iam_token).
+-export([create/4]).
+
+-define(SIGNING_ID, <<"rds-db">>).
+-define(EMPTY_PAYLOAD_HASH, <<"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855">>).
+
+%%====================================================================
+%% API
+%%====================================================================
+create(Client, DbEndpoint, DbPort, DbUser) ->
+  Method = <<"GET">>,
+  QueryParams = [{<<"Action">>, <<"connect">>}, {<<"DBUser">>, DbUser}],
+  Endpoint = <<"https://", DbEndpoint/binary, ":", (integer_to_binary(DbPort))/binary>>,
+  Url = aws_request:add_query(Endpoint, QueryParams),
+  AccessKeyID = aws_client:access_key_id(Client),
+  SecurityToken = aws_client:token(Client),
+  SecretAccessKey = aws_client:secret_access_key(Client),
+  Region = aws_client:region(Client),
+  Now = calendar:universal_time(),
+  Options0 = [ {ttl, timer:minutes(15) div 1000} %% Time in seconds
+             , {body_digest, ?EMPTY_PAYLOAD_HASH}
+             , {uri_encode_path, false} %% We already encode in build_path/4
+             ],
+  Options = case SecurityToken of
+    undefined ->
+      Options0;
+    _ ->
+      [{session_token, hackney_url:urlencode(SecurityToken)} | Options0]
+  end,
+  <<"https://", SignedUrl/binary>> = aws_signature:sign_v4_query_params(AccessKeyID, SecretAccessKey, Region, ?SIGNING_ID, Now, Method, Url, Options),
+  {ok, SignedUrl}.
+
+%%====================================================================
+%% Unit tests
+%%====================================================================
+
+-ifdef(TEST).
+
+-include_lib("eunit/include/eunit.hrl").
+
+fetch_auth_token_test() ->
+  ok.
+
+-endif.