Skip to content

Platform: IAM auth token generation for per-app DB credentials #19

Description

@I-am-nothing

Summary

api-applications must generate per-invocation IAM auth tokens scoped to each (module, app) pair.

Context

The SDK now supports per-invocation credential injection via LambdaRequest.Credential. The platform side needs to generate these credentials.

Scope

  • api-applications generates rds.GenerateDBAuthToken() per (module, app) before Lambda Invoke
  • Token is scoped to role mod_{moduleId}__app_{appPublicId}
  • Token injected into LambdaRequest.Credential field
  • Remove DATABASE_URL from module Lambda environment variables
  • Enable IAM authentication on Aurora cluster

Implementation

// In api-applications module proxy
dbUser := fmt.Sprintf("mod_%s__app_%s", moduleID, app.PublicID)
token, _ := rdsAuth.GenerateToken(ctx, auroraEndpoint, region, dbUser)
// Include in Lambda Invoke payload as credential field

IAM token generation is local SigV4 signing (<5ms, no network call).

Blocked by

  • Aurora IAM auth must be enabled (infra)
  • SDK credential injection support (done — LambdaRequest.Credential)

Metadata

Metadata

Assignees

No one assigned

    Labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions