
Connect to RDS SQL Server From NodeJS via aws-sdk

Does anyone have sample NodeJS code for connecting to an RDS SQL Server instance using aws-sdk?

A working OIDC-token based sample:

database.ts

import { fromWebToken } from "@aws-sdk/credential-providers";
import { Signer } from "@aws-sdk/rds-signer";
import { createPool } from "mariadb";
import { serviceConfig } from "./config";
import { logger } from "./logger";
import { getSpiffeJWT } from "./spire";

// Exchanges the SPIFFE JWT (an OIDC web-identity token) for the IAM role's
// temporary credentials via STS AssumeRoleWithWebIdentity, then uses them to
// sign an RDS IAM auth token bound to this hostname/port/username.
const getSignToken = async (
  spireToken: string,
  hostname: string,
  username: string,
  port: number,
  awsRegion: string
): Promise<string> => {
  const sig = new Signer({
    hostname,
    port,
    username,
    credentials: fromWebToken({
      roleArn: serviceConfig.roleArn,
      webIdentityToken: spireToken,
    }),
    region: awsRegion,
  });
  return await sig.getAuthToken();
};

// Note: this uses the mariadb driver, i.e. an Aurora MySQL/MariaDB endpoint,
// not SQL Server; the IAM-token flow is the same, only the driver differs.
const createDbPool = async () => {
  const spireToken = await getSpiffeJWT();
  // The original check was `spireToken.length < 0`, which can never be true.
  // An empty token must abort here rather than be sent to STS.
  if (!spireToken) {
    logger.error("spire token error: empty token");
    throw new Error("spire token error: empty token");
  }
  const dbHostname = String(serviceConfig.auroraHostname);
  const dbUser = String(serviceConfig.auroraUser);
  const dbPort = Number(serviceConfig.auroraPort);
  const awsRegion = String(serviceConfig.clusterRegion);

  const awsToken = await getSignToken(
    spireToken,
    dbHostname,
    dbUser,
    dbPort,
    awsRegion
  );

  return createPool({
    host: dbHostname,
    user: dbUser,
    port: dbPort,
    // Disables server certificate verification; see note 1 below.
    ssl: { rejectUnauthorized: false },
    // The IAM auth token is the password. It is only valid for 15 minutes,
    // so new connections opened by the pool after that will fail to authenticate
    // unless the token is regenerated.
    password: awsToken,
    database: String(serviceConfig.auroraDatabase),
    connectionLimit: 10,
  });
};

export const dbConnectionPool = createDbPool();

Note:

  1. Don't use ssl: { rejectUnauthorized: false } in production. Download the AWS RDS CA cert and add it as ca to the ssl block... wget https://s3.amazonaws.com/rds-downloads/rds-ca-2019-root.pem
  2. You can use any kind of AWS credentials in the Signer...
  3. Add your roles and policies according to the AWS documentation.
