You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Howdy! I'm stepping in to using Rust on the backend, and I'm keen on using sqlx for working with my postgresql database. Poking around at the codebase for connection pools, it looks like they take a single password upfront and re-use it across the lifetime of the pool when needing to establish new connections.
Tools like Vault, AWS Secrets Manager, and AWS RDS allow for the provisioning of short term access credentials, which helps mitigate security risk compared to long-lived alternatives.
Problem
The current design of connection pools assumes that a given username/password combination will be valid for the entire lifetime of the pool. In the case of AWS RDS, dynamic credentials may only be valid for 15 minutes.
Workarounds
Long Term Credentials: Use credentials that will be valid for the lifetime of the pool. For a backend web service, this could effectively mean static credentials, and the security risks they imply.
Pool of Pools: Add custom logic to periodically rotate the pool used by the process, where the new pool uses new credentials.
Short Lived Processes: If your deployment environment supports it, enabling reaping/killing of the process before the short lived credentials become invalid. A new replacement process should be launched that grabs new short term credentials.
Solution Ideas
There's a number of different ways to lay out the final design, but ultimately the application will need to supply a callback (in the form of a trait impl or a closure) that returns that latest valid credentials.
I'd be happy to dive into more details or work on a possible PR, but wanted to at least first open a discussion to see 1) If I missed something and this currently is supported or 2) y'all are interested in supporting this use case.
The text was updated successfully, but these errors were encountered:
Howdy! I'm stepping in to using Rust on the backend, and I'm keen on using sqlx for working with my postgresql database. Poking around at the codebase for connection pools, it looks like they take a single password upfront and re-use it across the lifetime of the pool when needing to establish new connections.
Tools like Vault, AWS Secrets Manager, and AWS RDS allow for the provisioning of short term access credentials, which helps mitigate security risk compared to long-lived alternatives.
Problem
The current design of connection pools assumes that a given username/password combination will be valid for the entire lifetime of the pool. In the case of AWS RDS, dynamic credentials may only be valid for 15 minutes.
Workarounds
Long Term Credentials: Use credentials that will be valid for the lifetime of the pool. For a backend web service, this could effectively mean static credentials, and the security risks they imply.
Pool of Pools: Add custom logic to periodically rotate the pool used by the process, where the new pool uses new credentials.
Short Lived Processes: If your deployment environment supports it, enabling reaping/killing of the process before the short lived credentials become invalid. A new replacement process should be launched that grabs new short term credentials.
Solution Ideas
There's a number of different ways to lay out the final design, but ultimately the application will need to supply a callback (in the form of a trait impl or a closure) that returns that latest valid credentials.
I'd be happy to dive into more details or work on a possible PR, but wanted to at least first open a discussion to see 1) If I missed something and this currently is supported or 2) y'all are interested in supporting this use case.
The text was updated successfully, but these errors were encountered: