Summary
api-applications must generate per-invocation IAM auth tokens scoped to each (module, app) pair.
Context
The SDK now supports per-invocation credential injection via LambdaRequest.Credential. The platform side needs to generate these credentials.
Scope
api-applications generates rds.GenerateDBAuthToken() per (module, app) before Lambda Invoke
- Token is scoped to role
mod_{moduleId}__app_{appPublicId}
- Token injected into
LambdaRequest.Credential field
- Remove
DATABASE_URL from module Lambda environment variables
- Enable IAM authentication on Aurora cluster
Implementation
// In api-applications module proxy
dbUser := fmt.Sprintf("mod_%s__app_%s", moduleID, app.PublicID)
token, _ := rdsAuth.GenerateToken(ctx, auroraEndpoint, region, dbUser)
// Include in Lambda Invoke payload as credential field
IAM token generation is local SigV4 signing (<5ms, no network call).
Blocked by
- Aurora IAM auth must be enabled (infra)
- SDK credential injection support (done —
LambdaRequest.Credential)
Summary
api-applications must generate per-invocation IAM auth tokens scoped to each (module, app) pair.
Context
The SDK now supports per-invocation credential injection via
LambdaRequest.Credential. The platform side needs to generate these credentials.Scope
api-applicationsgeneratesrds.GenerateDBAuthToken()per (module, app) before Lambda Invokemod_{moduleId}__app_{appPublicId}LambdaRequest.CredentialfieldDATABASE_URLfrom module Lambda environment variablesImplementation
IAM token generation is local SigV4 signing (<5ms, no network call).
Blocked by
LambdaRequest.Credential)