Coder RDS IAM Auth
Does coder use the service account that is deployed through the helm chart to then use an IAM role and connect to an RDS instance? Having some trouble wiring this up, looking for some guidance
Category: Help needed
Product: Coder (v2)
Platform: Linux
Logs: Please post any relevant logs/error messages.
hey, I am not sure what you mean by RDS
Remote Desktop Services?
oh, Amazon RDS
Sorry, we’re using an AWS RDS postgres instance for coder to connect to and use as its database. We were using normal password auth but ran into trouble with URL encoded characters. So I’m trying to move to IAM auth for the Database
i see
Coder is going to use the CODER_PG_CONNECTION_URL variable
I don't think there's another way
GitHub
Postgres password authentication issue when Postgres Password conta...
Hello, I have coder deployed to my kubernetes cluster using the Helm chart with an RDS postgres database. RDS currently handles password creation and rotation. I've noticed that when the postgr...
does URL encoding the password work?
I saw this issue, it seems you can change the auth to awsiamrds no?
yeah i was about to say
i think that's what you want to do if you want to use IAM
Yes, but when the password rotated as mentioned in the issue there’s no telling what characters you’ll get
but you'll have to encode the password anyways
Even when using IAM to connect?
That should be passwordless right?
I am not familiar with AWS IAM, I did not know it was passwordless
anyways since CODER_PG_CONNECTION_URL is a URL, any special characters will need to be URL encoded
Yes that is true, but when using IAM there’s no need for a password
As mentioned in the issue
I’ll have to play with the service account the helm chart creates to start I suppose
how would you connect via IAM outside of Coder in a normal scenario?
My user would assume that IAM role, I'm assuming
No pun intended
That's why I was wondering if the service account needs that role that is created with permissions to connect to the RDS instance
I’ve never connected to a database like this either; I’ve always used connection strings, so I’m a little confused here as well
I'm not sure if it has anything to do with the service account really
I am looking at internal chats, one of them said:
Use --postgres-auth awsiamrds and omit any password in the postgres url provided like --postgres-url postgresql://[email protected]
Docs: https://coder.com/docs/cli/server#--postgres-auth
You'll need an IAM policy allowing rds-db:connect for the role associated with the Coder deployment.
Yeah I have the role, I guess I'm not sure what to attach it to?
You say the role associated with the coder deployment, but within k8s is that the service account?
it seems to me like it is assumed that the Coder deployment is within AWS EC2, but I'm not sure
it's late for me now so i'll have to log off but i'll look into it more and ask our engineers tomorrow
Yeah I'm headed out as well, I'll check in tomorrow and continue playing with it
Thanks, much appreciated!
@Phorcys
hey @Kbs56, any luck with this?
Yes actually! Just deployed to prod as well this morning
The service account annotation did the trick
Forgot to circle back with you
nice!
no worries, just wanted to make sure we didn't forget you :-)
closing this then!
@Phorcys closed the thread.