Dynamic Passwords for use on AWS

419 views
Skip to first unread message

Kennett....@sony.com

unread,
Oct 20, 2017, 4:00:31 PM10/20/17
to HikariCP
Hi! 

We are in the process of moving our app from our data center to AWS.  The old connection pooling framework we are currently using won't work on AWS.  After a little research I found HikariCP a good match for what we wanted.  We are using role based authentication to RDS on AWS.  This requires us to use a password that is generated by AWS which later expires.  Using HikariCP works great until the password expires.  Since Hikari seems to only support string based passwords I was forced to extend one of your classes to add this functionality.  I first extended HikariConfig which I had setup to pass into HikariDataSource by overriding the get and set Password methods.  I later found that HikariDataSource copies the config entries into it self since it extends HikariConfig and discards the HikariConfig that is passed in. This lead me to extend HikariDataSource doing the same as HikariConfig by overriding the get and set Password methods.  I needed it to support both static and generated passwords that when they expire will generate a new one when a new connection is created. It is never ideal to extend a framework when you need it to do what you want it to do.  I post this here for anyone that wants to use Hikari in the way I have and in the hopes that Hikari will support this functionality in an easier way than extending HikariDataSource.  I do wonder the side effects of connections expiring and having to be recreated as a possible issue later.

Brett Wooldridge

unread,
Oct 20, 2017, 9:59:04 PM10/20/17
to HikariCP
HikariCP copies the configuration at startup to prevent the user from modifying properties at runtime that could destabilize the pool.

After the pool is started, the properties that are permissible to change at runtime are modifiable through the HikariConfigMXBean. Username and password are among those properties.

-Brett

Brett Wooldridge

unread,
Oct 20, 2017, 10:13:04 PM10/20/17
to hika...@googlegroups.com
Regarding string-based passwords, RDS with IAM supports it. See “Connecting to a DB Instance or DB Cluster Using IAM Database Authentication” here for how to generate an authentication token:

http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.html

I recommend setting up a 14 minute timer that obtains a new token and modifies the HikariCP password through the MBean API. If you don’t want to run JMX, the bean is still available through the HikariDataSource.

Kennett....@sony.com

unread,
Oct 23, 2017, 2:43:32 PM10/23/17
to HikariCP
Thanks Brett for the response.  I will look into using the MBean API.

- Ken
Reply all
Reply to author
Forward
0 new messages