Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.
And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.
Allow authentication by environment IAM credentials
See original GitHub issueDriver version
v2.0.872
Redshift version
PostgreSQL 8.0.2 on i686-pc-linux-gnu, compiled by GCC gcc (GCC) 3.4.2 20041017 (Red Hat 3.4.2-6.fc3), Redshift 1.0.22169
Client Operating System
Amazon Linux 2 for Python 3.8 Lambda
Python version
Python 3.8
Problem description
I would like the driver to authenticate via the environment IAM credentials(for examples in AWS Lambda environment with IAM Role with sufficient permissions for get_cluster_credentials).
I should be able to execute the following code in an environment with IAM credentials with sufficient permissions:
import redshift_connector
conn = redshift_connector.connect(
cluster_identifier='examplecluster,
database='dev',
user='awsuser',
iam=True,
credentials_provider='IAMProvider', # proposed.
)
- Expected behaviour: Should work
- Actual behaviour: Doesn’t work.
- Error message/stack trace:
Invalid connection property setting. password must be specified - Any other details that can be helpful:
The driver can already authenticate via get_cluster_credentials method: https://github.com/aws/amazon-redshift-python-driver/blob/77a9c1de1f6ce54266ff67bc6aa894d3b4910240/redshift_connector/iam_helper.py#L246-L265
The code just needs the following some small adjustments to achieve this:
- The connection validation logic should allow password not being specified in the case
iam == True and credentials_provider == 'IAMProvider' - an IAMProvider as a credential provider is created, which would return None for access key, secret and session token.
I would be happy to make a pull request to do above, in case someone from the project agrees with the changes.
Our use case
We always use get_cluster_credentials so we don’t have to care about rotating secrets, since our code is already running in AWS managed compute environment(Lambda, Fargate, Glue Python Shell), the IAM credentials are already present in the environment. Since this driver already contains the code for get_cluster_credentials it would be shame that we would have to duplicate that code everywhere.
Reproduction code
import redshift_connector
conn = redshift_connector.connect(
cluster_identifier='examplecluster,
database='dev',
user='awsuser',
iam=True,
provider='iam'
)
Issue Analytics
- State:
- Created 3 years ago
- Reactions:1
- Comments:7 (4 by maintainers)
Top Results From Across the Web
Top Related Medium Post
Top Related StackOverflow Question
Troubleshoot Live Code
Top Related Reddit Thread
Top Related Hackernoon Post
Top Related Tweet
Top Related Dev.to Post
Top Related Hashnode Post
@rectalogic – thank you for the heads up, this will be resolved in our next release.
Yes, that’d be great. I assume if they are not provided, boto3 default logic for acquiring the credentials will kick in(from environment, or
~/.aws/credentialsor IAM roles: https://boto3.amazonaws.com/v1/documentation/api/latest/guide/credentials.html#guide-credentials), which would make it as seamless as using boto3 or AWS CLI.