如何使用 AWS IAM 身份验证从 Java/Spring 应用程序连接到 AWS RDS MySQL?
[英]How do I connect to AWS RDS MySQL from Java/Spring application using AWS IAM Authentication?
问题描述
I am new to AWS world and still learning.
我是 AWS 世界的新手,仍在学习中。 It's been only a month that I am trying things.我才尝试了一个月。
I have been looking for it for quite a few days now and haven't been able to find a correct and more appropriate solution.我已经找了好几天了,一直没能找到正确和更合适的解决方案。 Therefore it would be great if somebody can help me by giving a sample code, provide some pointer or guide in the right direction.因此,如果有人可以通过提供示例代码来帮助我,提供一些正确方向的指示或指导,那就太好了。
I have a AWS RDS MySQL instance and a database created.我有一个AWS RDS MySQL实例并创建了一个数据库。 I have configured " IAM DB AUthentication Enabled " to "Yes".我已将“ IAM DB AUthentication Enabled ”配置为“Yes”。
Created an IAM Role and Policy as per AWS documentation.根据 AWS 文档创建IAM 角色和策略。
And finally, I have an EC2 instance with Tomcat with my Java/Spring application deployed and running in it.最后,我有一个 Tomcat 的EC2 实例,其中部署并运行了我的Java/Spring 应用程序。 I am able to access the MySQL database using database credentials (like db user name, password, db url, etc.) successfully.我能够使用数据库凭据(如数据库用户名、密码、数据库 url 等)成功访问 MySQL 数据库。 So I know things are setup properly now.所以我知道现在一切都已正确设置。
Can somebody please help me know how to connect to this database from my Java/Spring application using spring-jdbc and AWS IAM Authentication (the IAM role I created above)?有人可以帮我知道如何使用spring-jdbc和AWS IAM 身份验证(我在上面创建的 IAM 角色)从我的 Java/Spring 应用程序连接到这个数据库吗?
I read somewhere that I need the certificate file or certificate bundle file in my application environment and that I need to generate a token to be connected to the database.我在某处读到我的应用程序环境中需要证书文件或证书捆绑文件,并且我需要生成一个令牌以连接到数据库。 But I am not able to think on how to put it together.但是我无法考虑如何将它们组合在一起。
Any help will be highly appreciated.任何帮助将不胜感激。
Thanks.谢谢。
3 个解决方案
解决方案1
2 2018-11-19 09:56:04
I had a similar problem recently.我最近遇到了类似的问题。
This is what I did:这就是我所做的:
- Included Spring Cloud AWS JDBC and Spring Data JPA包含 Spring Cloud AWS JDBC 和 Spring Data JPA
- Implemented a custom DataSourceFactory, which generates an IAM access token and uses that for the connection实现了一个自定义 DataSourceFactory,它生成一个 IAM 访问令牌并将其用于连接
You can find a full step-by-step guide here .您可以在此处找到完整的分步指南。
Btw., Spring Cloud AWS JDBC provides some additional benefits, like read replica or failover support, and you only have to provide the instance ID of your RDS instance, and not the full canonical endpoint.顺便说一句,Spring Cloud AWS JDBC 提供了一些额外的好处,例如只读副本或故障转移支持,您只需提供 RDS 实例的实例 ID,而不是完整的规范端点。
解决方案2
1 2020-10-23 16:33:23
I know this is an older question, but after a some searching I found a pretty easy way you can now do this using the MariaDB driver.我知道这是一个较旧的问题,但经过一番搜索后,我发现了一种非常简单的方法,您现在可以使用 MariaDB 驱动程序执行此操作。 In version 2.5 they added anAWS IAM credential plugin to the driver.在 2.5 版中,他们向驱动程序添加了AWS IAM 凭证插件。 It will handle generating, caching and refreshing the token automatically.它将自动处理生成、缓存和刷新令牌。
I've tested using Spring Boot 2.3 with the default HikariCP connection pool and it is working fine for me with these settings:我已经使用 Spring Boot 2.3 和默认的 HikariCP 连接池进行了测试,使用以下设置对我来说效果很好:
spring.datasource.url=jdbc:mariadb://host/db?credentialType=AWS-IAM&useSsl&serverSslCert=classpath:rds-combined-ca-bundle.pem
spring.datasource.driver-class-name=org.mariadb.jdbc.Driver
spring.datasource.username=iam_username
#spring.datasource.password=dont-need-this
spring.datasource.hikari.maxLifetime=600000
Download rds-combined-ca-bundle.pem and put it in src/main/resources so you can connect via SSL.下载rds-combined-ca-bundle.pem并将其放在src/main/resources以便您可以通过 SSL 进行连接。
You will need these dependencies on the classpath as well:您还需要对类路径的这些依赖项:
runtime 'org.mariadb.jdbc:mariadb-java-client'
runtime 'com.amazonaws:aws-java-sdk-rds:1.11.880'
The driver uses the standard DefaultAWSCredentialsProviderChain so make sure you have credentials with policy allowing IAM DB access available wherever you are running your app.该驱动程序使用标准的DefaultAWSCredentialsProviderChain因此请确保您拥有包含策略的凭证,允许在您运行应用程序的任何地方访问 IAM 数据库。
Addionally, if you want failover support like @markusgulden mentioned in his answer, you can use the aurora mode described here .此外,如果您想要像他的回答中提到的@markusgulden 那样的故障转移支持,您可以使用这里描述的aurora模式。 Your endpoint would then look like你的端点看起来像
jdbc:mariadb:aurora://host/db?credentialType=AWS-IAM&useSsl&serverSslCert=classpath:rds-combined-ca-bundle.pem
Hope this helps someone else - most examples I found online involved custom code, background threads, etc - but using the new driver feature is much easier!希望这对其他人有所帮助 - 我在网上找到的大多数示例都涉及自定义代码、后台线程等 - 但使用新的驱动程序功能要容易得多!
解决方案3
0 2022-06-18 19:09:17
I would suggest using this library that you use to replace the HikariDatasource.我建议使用您用来替换 HikariDatasource 的这个库。 Everything else just works like normal.其他一切都像正常一样工作。
<dependency>
<groupId>io.volcanolabs</groupId>
<artifactId>rds-iam-hikari-datasource</artifactId>
<version>1.0.4</version>
</dependency>
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.