From dd9dc81f1421aecacc00f979230eb6ebe3c15056 Mon Sep 17 00:00:00 2001 From: pablodanswer Date: Sun, 15 Dec 2024 13:14:11 -0800 Subject: [PATCH 1/4] add iam auth --- production/aws/eks.mdx | 123 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 123 insertions(+) diff --git a/production/aws/eks.mdx b/production/aws/eks.mdx index 1c8fefaa..74c428ea 100644 --- a/production/aws/eks.mdx +++ b/production/aws/eks.mdx 
@@ -131,3 +131,126 @@ You can navigate find the nginx load balancer by running the following command a ```shell kubectl get svc -n onyx | grep nginx-service | awk '{print $4}' ``` + +# Move Somewhere Else Later + +Below is an updated, step-by-step summary incorporating all necessary steps, including environment variables, SSL configuration, and the CA bundle for Aurora PostgreSQL IAM authentication: + +--- + +### 1. Enable IAM Auth on the Aurora Cluster + +In the RDS console, modify your Aurora cluster and enable **"IAM database authentication."** + +### 2. Create and Configure a Database User + +Connect with your master user (using the master password or IAM auth for the master user) and run: + +```sql +CREATE ROLE mydbuser LOGIN; +GRANT rds_iam TO mydbuser; +ALTER ROLE mydbuser WITH NOPASSWORD; +``` + +This configures `mydbuser` to use IAM authentication rather than a static password. + +### 3. Retrieve the Cluster Resource ID + +Run: + +```bash +aws rds describe-db-clusters --db-cluster-identifier --region +``` + +From the output, note the `"DbClusterResourceId"` value. + +### 4. Create or Update an IAM Policy for `rds-db:connect` + +Attach a policy to the IAM principal (user or role) that you’ll use for connecting: + +```json +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": "rds-db:connect", + "Resource": "arn:aws:rds-db:::dbuser:/mydbuser" + } + ] +} +``` + +Replace ``, ``, ``, and `mydbuser` with your actual values. + +### 5. Obtain the RDS CA Certificate Bundle + +Download the RDS CA certificate bundle for your region. For example, from the AWS docs you can get `rds-combined-ca-bundle.pem` or region-specific bundles such as `us-east-2-bundle.pem`. +Save it locally, e.g.: + +``` +us-east-2-bundle.pem +``` + +This is required to verify the SSL connection to the database. + +### 6. 
Generate a Short-Lived IAM Auth Token + +Use the AWS CLI to generate the token: + +```bash +TOKEN=$(aws rds generate-db-auth-token \ + --hostname \ + --port 5432 \ + --username mydbuser \ + --region ) +``` + +### 7. Set Environment Variables for Your Application + +If using a code-based solution (e.g., SQLAlchemy), set environment variables to configure IAM auth and SSL: + +```bash +export USE_IAM_AUTH=true +export AWS_REGION="" # matches your Aurora cluster's region +export POSTGRES_HOST="" +export POSTGRES_PORT="5432" +export POSTGRES_DB="" +export POSTGRES_USER="mydbuser" + +# If using IAM roles or AWS credentials: +export AWS_ACCESS_KEY_ID="" +export AWS_SECRET_ACCESS_KEY="" +# If using STS temporary credentials: +# export AWS_SESSION_TOKEN="" + +# Provide the CA bundle for SSL verification. +# Your code should reference this file to create an SSL context. +# Ensure the file is accessible (correct path and permissions). +``` + +Your code should then load these environment variables, use `USE_IAM_AUTH=true` to trigger token-based authentication, and configure SSL using the provided CA bundle. + +### 8. Connect Using psql with IAM Auth Manually (Optional Check) + +If you'd like to test connectivity directly before running your code: + +```bash +psql "host= port=5432 dbname= user=mydbuser sslmode=require password=$TOKEN" +``` + +This should prompt no password errors and allow a secure, verified SSL connection to Aurora using your short-lived IAM token. + +### 9. Ensure Proper Permissions and Migration Steps (If Needed) + +- If running migrations (e.g., Alembic), ensure that `mydbuser` has the necessary permissions: + ```sql + GRANT CREATE ON DATABASE TO mydbuser; + GRANT USAGE ON SCHEMA public TO mydbuser; + GRANT CREATE ON SCHEMA public TO mydbuser; + ``` +- Confirm you're using `sslmode=require` for synchronous connections with `psycopg2`. For asynchronous connections using `asyncpg`, provide an `ssl.SSLContext` created from the CA bundle. 
+ +--- + +If all steps are followed correctly—enabling IAM, configuring the database user and IAM policy, setting environment variables, and using the CA bundle for SSL—IAM authentication with Aurora PostgreSQL should succeed, allowing secure, passwordless (but token-based) authentication for your application. From 3577c92424c90305b88e63dc51e050ee25d95d8b Mon Sep 17 00:00:00 2001 From: pablodanswer Date: Sun, 15 Dec 2024 17:29:06 -0800 Subject: [PATCH 2/4] k --- production/aws/eks.mdx | 123 ----------------------------- production/aws/rds.mdx | 173 +++++++++++++++++++++++++++++++++++++++++ 2 files changed, 173 insertions(+), 123 deletions(-) create mode 100644 production/aws/rds.mdx diff --git a/production/aws/eks.mdx b/production/aws/eks.mdx index 74c428ea..1c8fefaa 100644 --- a/production/aws/eks.mdx +++ b/production/aws/eks.mdx 
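Review bot: In the PATCH 1/4 hunk for `production/aws/eks.mdx`, the step 8 `psql` check uses `sslmode=require` and never passes `sslrootcert`, so the CA bundle downloaded in step 5 is not consulted and the server certificate is not verified, which contradicts the "secure, verified SSL connection" claim in the next sentence; change it to `sslmode=verify-full sslrootcert=us-east-2-bundle.pem`, and fix the step 9 bullet that tells `psycopg2` users to rely on `sslmode=require` the same way. Two smaller problems in the same hunk: `ALTER ROLE mydbuser WITH NOPASSWORD;` is not valid PostgreSQL syntax (the role option that clears a password is `PASSWORD NULL`), and the step 7 comment "If using IAM roles or AWS credentials" followed by `export AWS_ACCESS_KEY_ID=...` reads as if long-lived access keys are required; on EKS the pod's IAM role (IRSA) or the node's instance role can carry the `rds-db:connect` policy from step 4 without static keys in the environment, which is the safer default to document. Finally, the heading `# Move Somewhere Else Later` is a placeholder that would ship on the EKS page, and the placeholders in `--db-cluster-identifier --region` and `arn:aws:rds-db:::dbuser:/mydbuser` render empty in this view, so confirm that the angle-bracket placeholders survive MDX rendering (they are safe inside code spans and fenced blocks, not in bare prose).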
@@ -131,126 +131,3 @@ You can navigate find the nginx load balancer by running the following command a ```shell kubectl get svc -n onyx | grep nginx-service | awk '{print $4}' ``` - -# Move Somewhere Else Later - -Below is an updated, step-by-step summary incorporating all necessary steps, including environment variables, SSL configuration, and the CA bundle for Aurora PostgreSQL IAM authentication: - ---- - -### 1. Enable IAM Auth on the Aurora Cluster - -In the RDS console, modify your Aurora cluster and enable **"IAM database authentication."** - -### 2. Create and Configure a Database User - -Connect with your master user (using the master password or IAM auth for the master user) and run: - -```sql -CREATE ROLE mydbuser LOGIN; -GRANT rds_iam TO mydbuser; -ALTER ROLE mydbuser WITH NOPASSWORD; -``` - -This configures `mydbuser` to use IAM authentication rather than a static password. - -### 3. Retrieve the Cluster Resource ID - -Run: - -```bash -aws rds describe-db-clusters --db-cluster-identifier --region -``` - -From the output, note the `"DbClusterResourceId"` value. - -### 4. Create or Update an IAM Policy for `rds-db:connect` - -Attach a policy to the IAM principal (user or role) that you’ll use for connecting: - -```json -{ - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": "rds-db:connect", - "Resource": "arn:aws:rds-db:::dbuser:/mydbuser" - } - ] -} -``` - -Replace ``, ``, ``, and `mydbuser` with your actual values. - -### 5. Obtain the RDS CA Certificate Bundle - -Download the RDS CA certificate bundle for your region. For example, from the AWS docs you can get `rds-combined-ca-bundle.pem` or region-specific bundles such as `us-east-2-bundle.pem`. -Save it locally, e.g.: - -``` -us-east-2-bundle.pem -``` - -This is required to verify the SSL connection to the database. - -### 6. 
Generate a Short-Lived IAM Auth Token - -Use the AWS CLI to generate the token: - -```bash -TOKEN=$(aws rds generate-db-auth-token \ - --hostname \ - --port 5432 \ - --username mydbuser \ - --region ) -``` - -### 7. Set Environment Variables for Your Application - -If using a code-based solution (e.g., SQLAlchemy), set environment variables to configure IAM auth and SSL: - -```bash -export USE_IAM_AUTH=true -export AWS_REGION="" # matches your Aurora cluster's region -export POSTGRES_HOST="" -export POSTGRES_PORT="5432" -export POSTGRES_DB="" -export POSTGRES_USER="mydbuser" - -# If using IAM roles or AWS credentials: -export AWS_ACCESS_KEY_ID="" -export AWS_SECRET_ACCESS_KEY="" -# If using STS temporary credentials: -# export AWS_SESSION_TOKEN="" - -# Provide the CA bundle for SSL verification. -# Your code should reference this file to create an SSL context. -# Ensure the file is accessible (correct path and permissions). -``` - -Your code should then load these environment variables, use `USE_IAM_AUTH=true` to trigger token-based authentication, and configure SSL using the provided CA bundle. - -### 8. Connect Using psql with IAM Auth Manually (Optional Check) - -If you'd like to test connectivity directly before running your code: - -```bash -psql "host= port=5432 dbname= user=mydbuser sslmode=require password=$TOKEN" -``` - -This should prompt no password errors and allow a secure, verified SSL connection to Aurora using your short-lived IAM token. - -### 9. Ensure Proper Permissions and Migration Steps (If Needed) - -- If running migrations (e.g., Alembic), ensure that `mydbuser` has the necessary permissions: - ```sql - GRANT CREATE ON DATABASE TO mydbuser; - GRANT USAGE ON SCHEMA public TO mydbuser; - GRANT CREATE ON SCHEMA public TO mydbuser; - ``` -- Confirm you're using `sslmode=require` for synchronous connections with `psycopg2`. For asynchronous connections using `asyncpg`, provide an `ssl.SSLContext` created from the CA bundle. 
- ---- - -If all steps are followed correctly—enabling IAM, configuring the database user and IAM policy, setting environment variables, and using the CA bundle for SSL—IAM authentication with Aurora PostgreSQL should succeed, allowing secure, passwordless (but token-based) authentication for your application. diff --git a/production/aws/rds.mdx b/production/aws/rds.mdx new file mode 100644 index 00000000..4f334eb5 --- /dev/null +++ b/production/aws/rds.mdx 
@@ -0,0 +1,173 @@ +## Setting Up Amazon Aurora PostgreSQL + +Follow these steps to set up an Amazon Aurora PostgreSQL cluster with basic configuration. + +### 1. Create an Aurora PostgreSQL Cluster + +- Navigate to the **Amazon RDS** console. +- Click on **Create database**. +- Select **Amazon Aurora** as the engine type. +- Choose **Aurora PostgreSQL-Compatible Edition**. +- Select the desired **PostgreSQL version**. +- Configure the **DB cluster identifier**, **Master username**, and **Master password**. +- Choose the appropriate **Instance size**, **VPC**, **Subnet group**, **Security group**, and **Availability Zone** as per your requirements. +- Adjust any additional settings such as backups, maintenance windows, and encryption if needed. +- Review your configurations and click **Create database** to launch the cluster. + +### 2. Configure Database Settings (Optional) + +- Modify any advanced settings if necessary. +- Ensure that your cluster meets your application's requirements. + +--- + +## Enabling IAM Authentication for Aurora PostgreSQL + +After setting up your Aurora PostgreSQL cluster, you can enable IAM authentication to enhance security by using AWS IAM credentials for database access. + +### 1. Enable IAM Database Authentication + +- Navigate to your Aurora cluster in the RDS console. +- Click on **Modify**. +- In the **Database authentication** section, enable **IAM database authentication**. +- Click **Continue** and then **Apply immediately** to save changes. + +### 2. Create and Configure a Database User + +Connect to your database using the master user credentials. Then, execute the following SQL commands: + +```sql +CREATE ROLE mydbuser LOGIN; +GRANT rds_iam TO mydbuser; +ALTER ROLE mydbuser WITH NOINHERIT; +``` + +This creates `mydbuser`, who will authenticate using IAM tokens instead of a static password. + +### 3. 
Retrieve the Cluster Resource ID + +Run the following AWS CLI command to get the `DbClusterResourceId`: + +```bash +aws rds describe-db-clusters \ + --db-cluster-identifier \ + --region +``` + +From the output, note the `"DbClusterResourceId"` value for your cluster. + +### 4. Create or Update an IAM Policy for `rds-db:connect` + +Attach the following IAM policy to the IAM principal (user or role) that will connect to the database: + +```json +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": "rds-db:connect", + "Resource": "arn:aws:rds-db:::dbuser:/mydbuser" + } + ] +} +``` + +Replace the placeholders with your specific values: + +- ``: Your AWS region. +- ``: Your AWS account ID. +- ``: The resource ID retrieved in the previous step. +- `mydbuser`: The database user you created. + +### 5. Obtain the RDS CA Certificate Bundle + +Download the RDS CA certificate bundle appropriate for your region. For example: + +- [rds-combined-ca-bundle.pem](https://s3.amazonaws.com/rds-downloads/rds-combined-ca-bundle.pem) +- Or region-specific bundles like `us-east-2-bundle.pem`. + +Save it locally, e.g.: + +``` +us-east-2-bundle.pem +``` + +This certificate is required for SSL verification when connecting to the database. + +### 6. Generate a Short-Lived IAM Authentication Token + +Use the AWS CLI to generate an IAM authentication token: + +```bash +TOKEN=$(aws rds generate-db-auth-token \ + --hostname \ + --port 5432 \ + --username mydbuser \ + --region ) +``` + +### 7. 
Set Environment Variables for Your Application + +Set the following environment variables to configure IAM authentication and SSL: + +```bash +export USE_IAM_AUTH=true +export AWS_REGION="" +export POSTGRES_HOST="" +export POSTGRES_PORT="5432" +export POSTGRES_DB="" +export POSTGRES_USER="mydbuser" + +# If using IAM roles or AWS credentials: +export AWS_ACCESS_KEY_ID="" +export AWS_SECRET_ACCESS_KEY="" +# For temporary credentials, also export: +# export AWS_SESSION_TOKEN="" + +# Provide the path to the CA bundle for SSL verification +export SSL_ROOT_CERT="/path/to/us-east-2-bundle.pem" +``` + +Your application should: + +- Load these environment variables. +- Use `USE_IAM_AUTH=true` to trigger token-based authentication. +- Configure SSL using the provided CA bundle. + +### 8. Test the Connection Using `psql` (Optional) + +To manually test the connection: + +```bash +psql "host= \ + port=5432 \ + dbname= \ + user=mydbuser \ + sslmode=verify-full \ + sslrootcert=us-east-2-bundle.pem \ + password=$TOKEN" +``` + +This should establish a secure SSL connection using IAM authentication. + +### 9. Ensure Proper Permissions and Migrations (If Needed) + +If your application requires database migrations (e.g., using Alembic), ensure that `mydbuser` has the necessary permissions: + +```sql +GRANT CREATE ON DATABASE TO mydbuser; +GRANT USAGE ON SCHEMA public TO mydbuser; +GRANT CREATE ON SCHEMA public TO mydbuser; +``` + +### 10. Configure SSL in Your Application + +- For synchronous connections using `psycopg2`, use `sslmode=verify-full` and provide the `sslrootcert`. +- For asynchronous connections using `asyncpg`, create an `ssl.SSLContext` using the CA bundle. + +--- + +By following these steps—first setting up the Aurora PostgreSQL database and then enabling IAM authentication—you can successfully connect to your database using secure, passwordless (token-based) authentication. 
+ +For more information, refer to the [AWS Documentation on IAM Database Authentication](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/UsingWithRDS.IAMDBAuth.html). From 1df9406033f1e49f6940ab1bcbc7d2d23761aba1 Mon Sep 17 00:00:00 2001 From: pablodanswer Date: Sun, 15 Dec 2024 18:11:37 -0800 Subject: [PATCH 3/4] update rds + configuration --- mint.json | 3 +- production/aws/rds.mdx | 182 ++++++++++++++++++++++++++--------------- 2 files changed, 120 insertions(+), 65 deletions(-) diff --git a/mint.json b/mint.json index ba29b721..e860742e 100644 --- a/mint.json +++ b/mint.json @@ -128,7 +128,8 @@ "pages": [ "production/aws/ec2", "production/aws/eks", - "production/aws/ecs" + "production/aws/ecs", + "production/aws/rds" ] }, "production/gcp", diff --git a/production/aws/rds.mdx b/production/aws/rds.mdx index 4f334eb5..0dea7d41 100644 --- a/production/aws/rds.mdx +++ b/production/aws/rds.mdx 
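Review bot: In the PATCH 2/4 hunk adding `production/aws/rds.mdx`, step 2 now ends with `ALTER ROLE mydbuser WITH NOINHERIT;`, which only stops `mydbuser` from inheriting the privileges of roles granted to it (`rds_iam` included) and has nothing to do with removing a password; if the intent is to guarantee the role cannot log in with a password, the option to document is `ALTER ROLE mydbuser WITH PASSWORD NULL;`, and `NOINHERIT` should be either justified in the text or dropped. Step 8 correctly moves to `sslmode=verify-full` with `sslrootcert=us-east-2-bundle.pem`, but step 7 introduces `SSL_ROOT_CERT` without saying that the application passes it as `sslrootcert` with `verify-full`, so state that explicitly so the manual test and the application behave the same. Step 6 captures a short-lived token into `$TOKEN`, yet step 7 never mentions the token again; add a sentence saying the application must request a fresh token (CLI `generate-db-auth-token` or the SDK equivalent) at connection time, since a token copied into an environment variable will expire. The same caveat as for the EKS page applies to `export AWS_ACCESS_KEY_ID=...`: an instance profile or IRSA role holding `rds-db:connect` avoids long-lived keys in the environment and should be presented as the preferred option.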
@@ -1,38 +1,73 @@ -## Setting Up Amazon Aurora PostgreSQL - -Follow these steps to set up an Amazon Aurora PostgreSQL cluster with basic configuration. +--- +title: "RDS" +description: "Setup Onyx on AWS RDS" -### 1. Create an Aurora PostgreSQL Cluster +--- -- Navigate to the **Amazon RDS** console. -- Click on **Create database**. -- Select **Amazon Aurora** as the engine type. -- Choose **Aurora PostgreSQL-Compatible Edition**. -- Select the desired **PostgreSQL version**. -- Configure the **DB cluster identifier**, **Master username**, and **Master password**. -- Choose the appropriate **Instance size**, **VPC**, **Subnet group**, **Security group**, and **Availability Zone** as per your requirements. -- Adjust any additional settings such as backups, maintenance windows, and encryption if needed. -- Review your configurations and click **Create database** to launch the cluster. +## Setting Up Amazon RDS for PostgreSQL with Basic Authentication + +Follow these steps to set up an Amazon RDS for PostgreSQL instance with a basic configuration, using a static password. This setup allows you to run Onyx with a traditional username/password setup before optionally enabling IAM authentication. + +### 1. Create an RDS PostgreSQL Instance + +1. Navigate to the **Amazon RDS** console. +2. Click on **Create database**. +3. Under **Engine type**, select **PostgreSQL**. +4. For **Database creation method**, choose **Standard create**. +5. Select a **PostgreSQL version** that suits your requirements. +6. For **Templates**, choose **Production** or **Dev/Test** as needed. +7. In the **Settings** section: + - Set **DB instance identifier**. + - Set **Master username**. + - Set **Master password** and confirm it. +8. In the **Instance configuration** section: + - Choose an **Instance class** (e.g., `db.t3.micro`) based on your performance needs. + - Specify **Storage** options (size, autoscaling, etc.). +9. Under **Connectivity**, configure: + - **Virtual Private Cloud (VPC)**. 
+ - **Subnet group**. + - **Public access** if needed (not recommended for production). + - **VPC security group** and **Availability Zone** as per your requirements. +10. Adjust additional settings (e.g., backups, maintenance windows, encryption) as needed. +11. Review your configurations and click **Create database**. + +### 2. Set Environment Variables for Basic Authentication in Onyx + +Once your RDS instance is available, note the following details: + +- **POSTGRES_HOST**: The endpoint of your RDS instance (found in the RDS console). +- **POSTGRES_PORT**: Typically `5432`. +- **POSTGRES_DB**: The database name you created during setup or `postgres` if you used the default. +- **POSTGRES_USER**: The master username you set. +- **POSTGRES_PASSWORD**: The password you specified for the master user. + +Export these variables so Onyx can connect using basic authentication: -### 2. Configure Database Settings (Optional) +```bash +export USE_IAM_AUTH=false +export POSTGRES_HOST="" +export POSTGRES_PORT="5432" +export POSTGRES_DB="" +export POSTGRES_USER="" +export POSTGRES_PASSWORD="" +``` -- Modify any advanced settings if necessary. -- Ensure that your cluster meets your application's requirements. +At this point, Onyx will use the provided username and password to connect to your RDS PostgreSQL instance. --- -## Enabling IAM Authentication for Aurora PostgreSQL +## Enabling IAM Authentication for RDS PostgreSQL (Optional) -After setting up your Aurora PostgreSQL cluster, you can enable IAM authentication to enhance security by using AWS IAM credentials for database access. +To enhance security, you can optionally enable IAM database authentication for your RDS PostgreSQL instance. This allows you to connect using short-lived IAM credentials instead of static passwords. ### 1. Enable IAM Database Authentication -- Navigate to your Aurora cluster in the RDS console. -- Click on **Modify**. 
-- In the **Database authentication** section, enable **IAM database authentication**. -- Click **Continue** and then **Apply immediately** to save changes. +1. Navigate to your RDS PostgreSQL instance in the RDS console. +2. Click on **Modify**. +3. Under **Database authentication**, enable **IAM database authentication**. +4. Click **Continue**, then **Apply immediately** to save changes. -### 2. Create and Configure a Database User +### 2. Create and Configure a Database User for IAM Auth Connect to your database using the master user credentials. Then, execute the following SQL commands: @@ -44,17 +79,17 @@ ALTER ROLE mydbuser WITH NOINHERIT; This creates `mydbuser`, who will authenticate using IAM tokens instead of a static password. -### 3. Retrieve the Cluster Resource ID +### 3. Retrieve the DB Instance Resource ID -Run the following AWS CLI command to get the `DbClusterResourceId`: +Run the following AWS CLI command to retrieve the `DbInstanceResourceId` (or for an RDS cluster, `DbClusterResourceId` if using a cluster setup): ```bash -aws rds describe-db-clusters \ - --db-cluster-identifier \ +aws rds describe-db-instances \ + --db-instance-identifier \ --region ``` -From the output, note the `"DbClusterResourceId"` value for your cluster. +From the output, note the `"DbiResourceId"` (for single-instance RDS) or `"DbClusterResourceId"` (for Aurora). ### 4. Create or Update an IAM Policy for `rds-db:connect` @@ -67,7 +102,7 @@ Attach the following IAM policy to the IAM principal (user or role) that will co { "Effect": "Allow", "Action": "rds-db:connect", - "Resource": "arn:aws:rds-db:::dbuser:/mydbuser" + "Resource": "arn:aws:rds-db:::dbuser:/mydbuser" } ] } 
@@ -77,44 +112,75 @@ Replace the placeholders with your specific values: - ``: Your AWS region. - ``: Your AWS account ID. -- ``: The resource ID retrieved in the previous step. -- `mydbuser`: The database user you created. +- ``: The resource ID retrieved in the previous step. +- `mydbuser`: The database user you created above. ### 5. Obtain the RDS CA Certificate Bundle Download the RDS CA certificate bundle appropriate for your region. For example: - [rds-combined-ca-bundle.pem](https://s3.amazonaws.com/rds-downloads/rds-combined-ca-bundle.pem) -- Or region-specific bundles like `us-east-2-bundle.pem`. -Save it locally, e.g.: +Save it locally, for example: -``` +```bash us-east-2-bundle.pem ``` -This certificate is required for SSL verification when connecting to the database. +### 6. Provide the SSL Certificate to Onyx -### 6. Generate a Short-Lived IAM Authentication Token +To allow Onyx to verify the SSL connection to RDS, you need to pass the certificate bundle into your Docker Compose or Kubernetes setup. -Use the AWS CLI to generate an IAM authentication token: +#### For Docker Compose -```bash -TOKEN=$(aws rds generate-db-auth-token \ - --hostname \ - --port 5432 \ - --username mydbuser \ - --region ) +In your `docker-compose.yml` file, under the `api_server` service, uncomment or add the following lines to mount the certificate: + +```yaml +services: + api_server: + # ... + volumes: + - ./us-east-2-bundle.pem:/app/bundle.pem:ro ``` -### 7. Set Environment Variables for Your Application +This mounts the `us-east-2-bundle.pem` file from your local directory into the container at `/app/bundle.pem`. + +#### For Kubernetes -Set the following environment variables to configure IAM authentication and SSL: +In your Kubernetes deployment for the `api_server`, create a secret containing the certificate and mount it into the container. + +1. 
**Create a Kubernetes Secret**: + + ```bash + kubectl create secret generic bundle-pem-secret --from-file=us-east-2-bundle.pem + ``` + +2. **Update Your Deployment YAML**: + + In your `api_server` deployment YAML file, uncomment or add the following under the container definition: + + ```yaml + containers: + - name: api_server + # ... + volumeMounts: + - name: bundle-pem + mountPath: "/app/certs" + readOnly: true + volumes: + - name: bundle-pem + secret: + secretName: bundle-pem-secret + ``` + +This mounts the certificate into the container at `/app/certs`. + +### 7. Update Environment Variables for Onyx with IAM Auth ```bash export USE_IAM_AUTH=true export AWS_REGION="" -export POSTGRES_HOST="" +export POSTGRES_HOST="" export POSTGRES_PORT="5432" export POSTGRES_DB="" export POSTGRES_USER="mydbuser" @@ -125,22 +191,19 @@ export AWS_SECRET_ACCESS_KEY="" # For temporary credentials, also export: # export AWS_SESSION_TOKEN="" -# Provide the path to the CA bundle for SSL verification -export SSL_ROOT_CERT="/path/to/us-east-2-bundle.pem" +export SSL_ROOT_CERT="/app/bundle.pem" ``` -Your application should: +Ensure that `SSL_ROOT_CERT` points to the path where the certificate is mounted inside the container (`/app/bundle.pem` for Docker Compose or `/app/certs` for Kubernetes). -- Load these environment variables. -- Use `USE_IAM_AUTH=true` to trigger token-based authentication. -- Configure SSL using the provided CA bundle. +Onyx will now use IAM authentication tokens and SSL verification. ### 8. Test the Connection Using `psql` (Optional) To manually test the connection: ```bash -psql "host= \ +psql "host= \ port=5432 \ dbname= \ user=mydbuser \ 
@@ -151,9 +214,7 @@ psql "host= \ This should establish a secure SSL connection using IAM authentication. -### 9. Ensure Proper Permissions and Migrations (If Needed) - -If your application requires database migrations (e.g., using Alembic), ensure that `mydbuser` has the necessary permissions: +### 9. Ensure Proper Permissions and Migrations ```sql GRANT CREATE ON DATABASE TO mydbuser; @@ -161,13 +222,6 @@ GRANT USAGE ON SCHEMA public TO mydbuser; GRANT CREATE ON SCHEMA public TO mydbuser; ``` -### 10. Configure SSL in Your Application - -- For synchronous connections using `psycopg2`, use `sslmode=verify-full` and provide the `sslrootcert`. -- For asynchronous connections using `asyncpg`, create an `ssl.SSLContext` using the CA bundle. - --- -By following these steps—first setting up the Aurora PostgreSQL database and then enabling IAM authentication—you can successfully connect to your database using secure, passwordless (token-based) authentication. - -For more information, refer to the [AWS Documentation on IAM Database Authentication](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/UsingWithRDS.IAMDBAuth.html). +For more information, refer to the [AWS Documentation on IAM Database Authentication](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.html). From 5d56274911d1ca6562f6992002fef30222a25a44 Mon Sep 17 00:00:00 2001 From: pablodanswer Date: Mon, 16 Dec 2024 18:37:07 -0800 Subject: [PATCH 4/4] nit --- production/aws/rds.mdx | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) diff --git a/production/aws/rds.mdx b/production/aws/rds.mdx index 0dea7d41..e75cdc38 100644 --- a/production/aws/rds.mdx +++ b/production/aws/rds.mdx 
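Review bot: In the PATCH 3/4 hunk `@@ -1,38 +1,73 @@` of `production/aws/rds.mdx`, the frontmatter `description: "Setup Onyx on AWS RDS"` should read "Set up Onyx on AWS RDS" (verb form), and the sentence "This setup allows you to run Onyx with a traditional username/password setup" repeats "setup"; otherwise the new basic-authentication section is clear, and the "Public access if needed (not recommended for production)" bullet is the right caveat to keep.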
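Review bot: In the PATCH 3/4 hunk `@@ -44,17 +79,17 @@` of `production/aws/rds.mdx`, the prose tells the reader to retrieve the `DbInstanceResourceId`, but `aws rds describe-db-instances` returns no field by that name; the next sentence correctly says `"DbiResourceId"`, so use `DbiResourceId` in both places. The same hunk keeps the Aurora wording ("or for an RDS cluster, `DbClusterResourceId`") on a page now titled for RDS for PostgreSQL; either keep both paths consistently (instance vs. cluster) through step 4's ARN or drop the Aurora branch.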
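Review bot: In the PATCH 3/4 hunk `@@ -77,44 +112,75 @@` of `production/aws/rds.mdx`, the Kubernetes mount and the Docker Compose mount end up at different paths of different kinds: Compose mounts the file as `/app/bundle.pem`, while the Kubernetes `volumeMounts` entry uses `mountPath: "/app/certs"`, which is a directory, and the secret created with `kubectl create secret generic bundle-pem-secret --from-file=us-east-2-bundle.pem` will expose the file as `/app/certs/us-east-2-bundle.pem`; the text that follows tells readers to point `SSL_ROOT_CERT` at `/app/certs` for Kubernetes, which is not a file and will fail certificate verification. Either mount the secret with `subPath` to `/app/bundle.pem` in both setups or document the full file path. This hunk also deletes step 6 (`TOKEN=$(aws rds generate-db-auth-token ...)`) together with the sentence "This certificate is required for SSL verification when connecting to the database", but the step 8 `psql` test added in PATCH 2/4 still passes `password=$TOKEN`, so the manual test no longer has a defined token; restore the token step or show in step 8 where `$TOKEN` comes from. Minor: the fenced block that contains only `us-east-2-bundle.pem` is retagged ```bash, but a bare filename is not a shell command; a plain fence or "Save it as `us-east-2-bundle.pem`" reads better.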
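Review bot: In the PATCH 3/4 hunk `@@ -125,22 +191,19 @@` of `production/aws/rds.mdx`, `export SSL_ROOT_CERT="/app/bundle.pem"` is hard-coded to the Docker Compose path while the accompanying sentence says `/app/certs` for Kubernetes; since the Kubernetes section mounts a directory, a Kubernetes reader following this literally gets a path to a directory rather than a PEM file. Give the Kubernetes value as a full file path and say explicitly that `SSL_ROOT_CERT` is passed as `sslrootcert` with `sslmode=verify-full`, since the step 10 text that previously said so is removed later in this patch. Dropping the `AWS_SESSION_TOKEN` comment lines in this hunk is fine only if static keys are the documented path; with an IAM role or STS credentials the session token is required, so keep that line or prefer the role-based setup.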
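Review bot: In the PATCH 3/4 hunks `@@ -151,9 +214,7 @@` and `@@ -161,13 +222,6 @@` of `production/aws/rds.mdx`, step 9 loses its only explanatory sentence ("If your application requires database migrations (e.g., using Alembic), ensure that `mydbuser` has the necessary permissions"), leaving a heading over three `GRANT` statements with no indication of when they apply or that `GRANT CREATE ON DATABASE TO mydbuser;` has an empty database-name placeholder. Removing step 10 also deletes the only statement of which `sslmode` the application uses for `psycopg2` and that `asyncpg` needs an `ssl.SSLContext` built from the bundle; keep a one-line version of that so "SSL verification" in step 7 is defined. The link change to the RDS `UserGuide` is the right fix for the page's new scope.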
@@ -178,23 +178,20 @@ This mounts the certificate into the container at `/app/certs`. ### 7. Update Environment Variables for Onyx with IAM Auth ```bash -export USE_IAM_AUTH=true export AWS_REGION="" export POSTGRES_HOST="" export POSTGRES_PORT="5432" export POSTGRES_DB="" export POSTGRES_USER="mydbuser" -# If using IAM roles or AWS credentials: +# Since ware using IAM roles or AWS credentials: +export USE_IAM_AUTH=true export AWS_ACCESS_KEY_ID="" export AWS_SECRET_ACCESS_KEY="" -# For temporary credentials, also export: -# export AWS_SESSION_TOKEN="" - -export SSL_ROOT_CERT="/app/bundle.pem" ``` -Ensure that `SSL_ROOT_CERT` points to the path where the certificate is mounted inside the container (`/app/bundle.pem` for Docker Compose or `/app/certs` for Kubernetes). +Ensure that your certificate is properly mounted inside the container (`/app/bundle.pem` for Docker Compose). You will need to comment out the relavant lines in the Docker Compose or Kubernetes yaml files. +This will be necessary to do in the background and api services. Onyx will now use IAM authentication tokens and SSL verification.
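Review bot: In the PATCH 4/4 hunk of `production/aws/rds.mdx`, removing `export SSL_ROOT_CERT="/app/bundle.pem"` leaves no documented way for Onyx to learn where the mounted certificate is, while the closing sentence still promises "IAM authentication tokens and SSL verification"; either restore the variable or state the fixed path Onyx expects. The new sentence "You will need to comment out the relavant lines in the Docker Compose or Kubernetes yaml files" contradicts step 6, which says to "uncomment or add" the volume mount, so this should read "uncomment the relevant lines" (also fix the spelling). The comment `# Since ware using IAM roles or AWS credentials:` should read "Since we are using", and placing `export USE_IAM_AUTH=true` under it ties IAM auth to static access keys; with an instance role or IRSA no `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` are needed, and deleting the `AWS_SESSION_TOKEN` line breaks the temporary-credential case. Finally, "This will be necessary to do in the background and api services" introduces a second service whose mount is never shown; step 6 only covers `api_server`, so add the same volume entry for the background service or name the file and block to edit.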