[CT-2860] [Feature] Add AWS IAM Authentication to dbt-postgres #14

Closed
3 tasks done
christopherscholz opened this issue Jul 22, 2023 · 6 comments
@christopherscholz

Is this your first time submitting a feature request?

  • I have read the expectations for open source contributors
  • I have searched the existing issues, and I could not find an existing issue for this feature
  • I am requesting a straightforward extension of existing dbt functionality, rather than a Big Idea better suited to a discussion

Describe the feature

As with dbt-redshift, I would like to enable dbt-postgres to use AWS IAM Authentication. I use IAM Authentication for nearly everything and it just bugs me that it is available with dbt-redshift but not with dbt-postgres.

I envision the same setup as dbt-redshift, with a connection factory that returns a connection function.
This would easily allow other implementations as well.

The following profile configurations would change

  • password becomes optional
  • method is added: default database; options: database, iam
  • iam_profile is added: default None, used to overwrite default AWS IAM profile
  • region is added: default None, used to overwrite default AWS Region

If IAM is chosen as method, then before connecting to the PostgreSQL db using psycopg2.connect, it would

  • open boto3 session
  • create rds client
  • get the auth token by calling generate_db_auth_token and pass it to kwargs as password

Describe alternatives you've considered

Instead of implementing it in dbt, you could create a wrapper for dbt, which gets the token and passes it as an environment variable to dbt. Using env_var in the profile I could use this token as password.
But this token could only be used once. If during the run, the connection has to be reopened, this wouldn't work. Therefore I really don't like this idea.

Who will this benefit?

Everybody who is running dbt in AWS and is using IAM authentication for RDS PostgreSQL.

Are you interested in contributing this feature?

Yes; since this is my first contribution to dbt, please give me some guidance.

Anything else?

There is a closed issue dbt-labs/dbt-core#3122, which was closed because it became stale. The author is asking for an implementation for IAM Authentication with Amazon Aurora PostgreSQL.
There is no difference in the IAM Authentication implementation for Amazon RDS Aurora PostgreSQL and Amazon RDS for PostgreSQL. Both work exactly the same.
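
The flow proposed in this issue, sketched as an added example (not code from the issue, dbt-postgres or dbt-redshift). `Credentials`, `rds_iam_token` and `connect_method_factory` are hypothetical names; `connect` and `token_provider` are injectable so the logic can be exercised without boto3, psycopg2 or AWS access.

```python
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class Credentials:
    # Field names follow the profile keys proposed in the issue (assumed shape).
    host: str
    port: int
    user: str
    dbname: str
    password: Optional[str] = None      # optional once method == "iam"
    method: str = "database"            # "database" or "iam"
    iam_profile: Optional[str] = None   # None -> default AWS profile
    region: Optional[str] = None        # None -> default AWS region


def rds_iam_token(creds: Credentials) -> str:
    """Open a boto3 session, create an RDS client, request an auth token."""
    import boto3  # lazy import: only needed when method == "iam"
    session = boto3.Session(profile_name=creds.iam_profile, region_name=creds.region)
    client = session.client("rds")
    return client.generate_db_auth_token(
        DBHostname=creds.host, Port=creds.port, DBUsername=creds.user)


def connect_method_factory(creds: Credentials, connect: Optional[Callable] = None,
                           token_provider: Callable[[Credentials], str] = rds_iam_token):
    """Return a zero-argument function that opens a new connection."""
    if creds.method not in ("database", "iam"):
        raise ValueError(f"unknown method: {creds.method!r}")
    if creds.method == "database" and not creds.password:
        raise ValueError("password is required when method is 'database'")
    if connect is None:
        import psycopg2  # lazy import so a caller can inject its own connect
        connect = psycopg2.connect

    def connect_fn():
        kwargs = dict(host=creds.host, port=creds.port, user=creds.user, dbname=creds.dbname)
        if creds.method == "iam":
            # Requested inside connect_fn, so every (re)connect gets a new token.
            kwargs["password"] = token_provider(creds)
            # RDS IAM auth needs TLS; verify-full with the RDS CA bundle is stricter.
            kwargs["sslmode"] = "require"
        else:
            kwargs["password"] = creds.password
        return connect(**kwargs)

    return connect_fn
```

Because the token is fetched inside the returned function rather than once at start-up, it never has to be exported into the environment, and a reopened connection does not reuse an old token.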

@christopherscholz christopherscholz added enhancement New feature or request triage labels Jul 22, 2023
@github-actions github-actions bot changed the title [Feature] Add AWS IAM Authentication to dbt-postgres [CT-2860] [Feature] Add AWS IAM Authentication to dbt-postgres Jul 22, 2023
@dataders dataders assigned Fleid and unassigned dataders Aug 4, 2023
@jtcohen6
Contributor

My concern is that this sets precedent for making dbt-postgres less vendor-agnostic. Would we need to support auth methods for GCP Cloud SQL, Azure PostgreSQL, etc? What about all the added dependencies (boto3, etc)? Those would probably need to go into extras_require, i.e.

pip install dbt-postgres[aws]
pip install dbt-postgres[gcp]
pip install dbt-postgres[azure]
...etc...

I'll let @Fleid and @dataders make the ultimate call here. There are, no doubt, a lot of people using dbt-postgres + AWS RDS out in the world. This risks adding some dependency bloat & maintenance burden to an adapter that we otherwise try to keep pretty lightweight & vanilla.

@Fleid

Fleid commented Oct 2, 2023

@graciegoheen your take would be valuable too.

The way I see it, Amazon RDS for PostgreSQL is not PostgreSQL, which is also not Azure Database for PostgreSQL, etc.
The main variation being authentication, which for us in dbt land is kind of a big deal, but each vendor/provider has the ability to add/remove more than that (like Citus for Azure Cosmos DB for PostgreSQL) which may need to be surfaced in dbt.

So I'd much rather have long-lived shallow forks of dbt-postgres being developed and maintained out there, with the additional authentication methods living there. That could, and should, be the only difference in those forks compared to the origin, to be able to stay aligned as easily as possible.

But that requires us to move dbt-postgres out of dbt-core, which last I checked was in the plans. If I'm not mistaken @jtcohen6?

@dataders dataders assigned dataders and unassigned Fleid Oct 3, 2023
@graciegoheen

But that requires us to move dbt-postgres out of dbt-core, which last I checked was in the plans. If I'm not mistaken @jtcohen6?

https://github.com/dbt-labs/dbt-postgres indeed!

@mikealfare mikealfare transferred this issue from dbt-labs/dbt-core Feb 13, 2024
@roitalpaz

We would love to see this happen as well.
Should we fork at our own organization? Or would you prefer this to live at dbt-labs?

We can create a new fork which will be called dbt-rds-postgres with support of short-lived AWS IAM tokens.

@EitanKatsightfull

EitanKatsightfull commented Mar 13, 2024

@christopherscholz
I have forked the repository and created this in our org.
Every session that is opened to the database has a fresh token.
https://github.com/sightfullco/dbt-postgres-rds/tree/feature/postgresrds-adapter

@colin-rogers-dbt
Contributor

Closing this out as we view this as outside the scope of dbt-postgres as an adapter.

@colin-rogers-dbt colin-rogers-dbt closed this as not planned Jun 26, 2024