mysql2, IAM auth

mwunderl · mwunderl · commit c87438f5c3bc · 2020-05-15T11:46:32.000-07:00
diff --git a/sample-apps/rds-mysql/5-create-dbtable.sh b/sample-apps/rds-mysql/5-create-dbtable.sh
@@ -1,4 +1,4 @@
 #!/bin/bash
 set -eo pipefail
-FUNCTION=$(aws cloudformation describe-stack-resource --stack-name rds-mysql --logical-resource-id dbadmin --query 'StackResourceDetail.PhysicalResourceId' --output text)
+FUNCTION=$(aws cloudformation describe-stack-resource --stack-name rds-mysql --logical-resource-id function --query 'StackResourceDetail.PhysicalResourceId' --output text)
 aws lambda invoke --function-name $FUNCTION --payload file://events/db-create-table.json out.json
diff --git a/sample-apps/rds-mysql/6-invoke.sh b/sample-apps/rds-mysql/6-invoke.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 set -eo pipefail
-FUNCTION=$(aws cloudformation describe-stack-resource --stack-name rds-mysql --logical-resource-id dbadmin --query 'StackResourceDetail.PhysicalResourceId' --output text)
+FUNCTION=$(aws cloudformation describe-stack-resource --stack-name rds-mysql --logical-resource-id function --query 'StackResourceDetail.PhysicalResourceId' --output text)
 
 while true; do
   aws lambda invoke --function-name $FUNCTION --payload file://events/db-read-table.json out.json
diff --git a/sample-apps/rds-mysql/README.md b/sample-apps/rds-mysql/README.md
@@ -110,6 +110,12 @@ Finally, view the application in the Lambda console.
 
   ![Application](/sample-apps/rds-mysql/images/rdsmysql-application.png)
 
+# Use IAM authorization with a database proxy
+
+This application includes a second handler that uses the function's credentials to authenticate ([index-iam.js](/sample-apps/rds-mysql/dbadmin/index-iam.js)). You can use this method to connect to an RDS Proxy without configuring the function with a database password.
+
+For more information, see [Configuring database access](https://docs.aws.amazon.com/lambda/latest/dg/configuration-database.html) in the AWS Lambda Developer Guide.
+
 # Cleanup
 
 To delete the application, run the cleanup script.
diff --git a/sample-apps/rds-mysql/dbadmin/index-iam.js b/sample-apps/rds-mysql/dbadmin/index-iam.js
@@ -0,0 +1,49 @@
+const AWSXRay = require('aws-xray-sdk-core')
+const captureMySQL = require('aws-xray-sdk-mysql')
+const mysql = captureMySQL(require('mysql2'))
+const AWS = require('aws-sdk')
+const username = process.env.databaseUser
+const host = process.env.databaseHost
+const database = process.env.databaseName
+const region = process.env.AWS_REGION
+const sqlport = 3306
+
+const signer = new AWS.RDS.Signer({
+  region: region,
+  hostname: host,
+  port: sqlport,
+  username: username
+})
+
+exports.handler = async (event) => {
+  let connectionConfig = {
+    host     : host,
+    user     : username,
+    database : database,
+    ssl: 'Amazon RDS',
+    authPlugins: { mysql_clear_password: () => () => signer.getAuthToken() }
+  }
+  var connection = mysql.createConnection(connectionConfig)
+  var query = event.query
+  var result
+  connection.connect()
+
+  connection.query(query, function (error, results, fields) {
+    if (error) throw error
+    console.log("Ran query: " + query)
+    for (result in results)
+      console.log(results[result])
+  })
+
+  return new Promise( ( resolve, reject ) => {
+    connection.end( err => {
+      if ( err )
+        return reject( err )
+      const response = {
+        statusCode: 200,
+        body: JSON.stringify(result),
+      }
+      resolve(response)
+    })
+  })
+}
diff --git a/sample-apps/rds-mysql/dbadmin/index.js b/sample-apps/rds-mysql/dbadmin/index.js
@@ -1,6 +1,6 @@
 var AWSXRay = require('aws-xray-sdk-core')
 var captureMySQL = require('aws-xray-sdk-mysql')
-var mysql = captureMySQL(require('mysql'))
+var mysql = captureMySQL(require('mysql2'))
 const username = process.env.databaseUser
 const password = process.env.databasePassword
 const host = process.env.databaseHost
diff --git a/sample-apps/rds-mysql/dbadmin/package.json b/sample-apps/rds-mysql/dbadmin/package.json
diff --git a/sample-apps/rds-mysql/lib/nodejs/package.json b/sample-apps/rds-mysql/lib/nodejs/package.json
@@ -6,7 +6,7 @@
     "aws-xray-sdk-core": "2.4.0",
     "aws-xray-sdk-mysql": "2.4.0",
     "md5": "2.2.1",
-    "mysql": "2.17.1"
+    "mysql2": "2.1.0"
   },
   "scripts": {}
 }
diff --git a/sample-apps/rds-mysql/template.yml b/sample-apps/rds-mysql/template.yml
@@ -48,14 +48,40 @@ Resources:
       CompatibleRuntimes:
         - nodejs10.x
         - nodejs12.x
-  dbadmin:
+  function:
     Type: AWS::Serverless::Function
     Properties:
       CodeUri: dbadmin/.
       Description: Run SQL queries.
       MemorySize: 128
       Timeout: 15
       # Function's execution role
+      Role: !GetAtt role.Arn
+  role:
+    Type: AWS::IAM::Role
+    Properties:
+      AssumeRolePolicyDocument:
+        Version: "2012-10-17"
+        Statement:
+          -
+            Effect: Allow
+            Principal:
+              Service:
+                - lambda.amazonaws.com
+            Action:
+              - sts:AssumeRole
+      ManagedPolicyArns:
+        - arn:aws:iam::aws:policy/AWSXrayWriteOnlyAccess
+        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
+        - arn:aws:iam::aws:policy/service-role/AWSLambdaRole
+        - arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole
       Policies:
-        - AWSLambdaBasicExecutionRole
-        - AWSLambdaVPCAccessExecutionRole
+        - PolicyName: rds-iamauth
+          PolicyDocument:
+            Version: 2012-10-17
+            Statement:
+              - Effect: Allow
+                Action: 'rds-db:connect'
+                Resource: '*'
+      Path: /service-role/
+

Original file line number	Diff line number	Diff line change
`@@ -6,7 +6,7 @@`
`6`	`6`	`"aws-xray-sdk-core": "2.4.0",`
`7`	`7`	`"aws-xray-sdk-mysql": "2.4.0",`
`8`	`8`	`"md5": "2.2.1",`
`9`		`- "mysql": "2.17.1"`
	`9`	`+ "mysql2": "2.1.0"`
`10`	`10`	`},`
`11`	`11`	`"scripts": {}`
`12`	`12`	`}`