feat: Enable AWS IAM auth for DB configuration

[anticorrelator]

This PR adds support for AWS IAM-based authentication for PostgreSQL connections to AWS Aurora/RDS, enabling the use of short-lived IAM tokens instead of static passwords.

Example:

Ensure boto3 is installed in your phoenix environment

# Enable IAM authentication and set refresh time
export PHOENIX_POSTGRES_USE_AWS_IAM_AUTH=true
export PHOENIX_POSTGRES_AWS_IAM_TOKEN_LIFETIME_SECONDS=720

# Database connection
export PHOENIX_POSTGRES_HOST=mydb.us-west-2.rds.amazonaws.com
export PHOENIX_POSTGRES_USER=iam_db_user
export PHOENIX_POSTGRES_DB=phoenix

# Standard AWS configuration
export AWS_DEFAULT_REGION=us-west-2
export AWS_ACCESS_KEY_ID=your_key
export AWS_SECRET_ACCESS_KEY=your_secret
# OR use ~/.aws/credentials and ~/.aws/config
# OR use IAM role (EC2/ECS/EKS)

---

Note

Adds AWS RDS IAM authentication for PostgreSQL, generating short‑lived tokens (via boto3) with SSL enforcement and pool recycling, plus related env vars and optional deps.

• Database (PostgreSQL):
  • IAM Auth Support: Implement AWS RDS IAM authentication using short‑lived tokens.
    • New phoenix.db.iam_auth.generate_aws_rds_token used by async (asyncpg) and sync (psycopg) creators.
    • Connection pools recycle based on token lifetime (pool_recycle).
    • SSL is enforced when IAM auth is enabled.
  • Engine wiring: aio_postgresql_engine conditionally uses IAM creators; migrations supported with IAM.
  • PG config: get_pg_config(..., enforce_ssl=True|False) adds SSL enforcement and rejects sslmode=disable under IAM.
• Config:
  • New env vars: PHOENIX_POSTGRES_USE_AWS_IAM_AUTH, PHOENIX_POSTGRES_AWS_IAM_TOKEN_LIFETIME_SECONDS.
  • get_env_postgres_connection_str updated to allow user-only URI when IAM is enabled; validates password presence/absence.
  • Helpers to read/validate IAM settings and AWS creds; invoked in verify_server_environment_variables.
• Dependencies:
  • New optional extra aws with boto3; guidance to install when IAM is enabled.

^{Written by Cursor Bugbot for commit d93a2bd. This will update automatically on new commits. Configure here.}

[cursor]

Bug: PostgreSQL Config Error Breaks Non-PostgreSQL Deployments

The get_env_postgres_connection_str() function now raises a ValueError when PHOENIX_POSTGRES_PASSWORD is missing (and IAM auth is not enabled). Previously, it returned None in this scenario, allowing graceful handling of incomplete PostgreSQL configurations. This change can cause unexpected startup failures for deployments not using PostgreSQL.

 

[RogerHYang]

already imported above

Suggested change

import boto3 # pyright: ignore

[RogerHYang]

why is this just a warning and not an exception?

[RogerHYang]

we should understand the effect of this exception