Thread: Subprocess generated password
Hi,
I have been hacking on a feature that instead of using a static password when connecting to the psql server executes a subprocess which prints a temporary auth token to stdout.
This is to make the workflow more bearable when using AWS RDS with iam authentication.
aws-iam auth tokens are generated with the ASW cli, used as sql password, and expires after 15 minutes. That means that any reconnects after that time will fail – and not in a way that spawns any password dialog (“FATAL: PAM authentication failed”).
I’m thinking of the feature like an addition to “passfile”, lets call it “passexec”.
2 new (advanced?) server settings:
* passexec cmd line
* passexec expiry minutes
If last passexec is older than expiry, a new invocation result is used – basically an expiring cache.
I think this would benefit the pgadmin community – would you be interested in a PR?
/Elias
Hi,
I have been hacking on a feature that instead of using a static password when connecting to the psql server executes a subprocess which prints a temporary auth token to stdout.
This is to make the workflow more bearable when using AWS RDS with iam authentication.
aws-iam auth tokens are generated with the ASW cli, used as sql password, and expires after 15 minutes. That means that any reconnects after that time will fail – and not in a way that spawns any password dialog (“FATAL: PAM authentication failed”).
I’m thinking of the feature like an addition to “passfile”, lets call it “passexec”.
2 new (advanced?) server settings:
* passexec cmd line
* passexec expiry minutes
If last passexec is older than expiry, a new invocation result is used – basically an expiring cache.
I think this would benefit the pgadmin community – would you be interested in a PR?
/Elias
Hi,On Mon, Oct 10, 2022 at 1:38 PM Elias Bergquist <elias@acuminor.com> wrote:Hi,
I have been hacking on a feature that instead of using a static password when connecting to the psql server executes a subprocess which prints a temporary auth token to stdout.
This is to make the workflow more bearable when using AWS RDS with iam authentication.
aws-iam auth tokens are generated with the ASW cli, used as sql password, and expires after 15 minutes. That means that any reconnects after that time will fail – and not in a way that spawns any password dialog (“FATAL: PAM authentication failed”).
I’m thinking of the feature like an addition to “passfile”, lets call it “passexec”.
2 new (advanced?) server settings:
* passexec cmd line
* passexec expiry minutes
To support this, AWS cli should be installed on the pgAdmin server. So, in the desktop mode, if the user has installed it, it will work. For the web mode, (server mode), what is your proposal ?If last passexec is older than expiry, a new invocation result is used – basically an expiring cache.
I think this would benefit the pgadmin community – would you be interested in a PR?
/Elias