Support retrieving db password via callback

[gregplaysguitar]

RDS postgres supports connecting via an "IAM Authentication Token", which lasts 15 minutes, and is used as the password when connecting to the database. I can't see any way to connect like this with pg, since the password is a static value passed at pool creation time. Ideally, the pool would be able to retrieve a new password whenever it needs to create a new connection.

I think the ideal API for this would be something like this - note the getPassword function needs to be asynchronous:

const { Pool } = require('pg')

const pool = new Pool({
  user: 'dbuser',
  host: 'database.server.com',
  database: 'mydb',
  getPassword: function () {
    // return a promise which resolves with the generated password
  },
  port: 3211,
})

I am most likely available to work on this issue, but keen to get maintainer approval first before I write any code.

More details here:
https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.Connecting.AWSCLI.PostgreSQL.html

[vitaly-t]

Why not just recreate the pool object when you get a new password?

[charmander]

@vitaly-t Existing connections

[kellertobias]

Same problem here. Trying to Monkey patch the Client.connect method right now.

[kellertobias]

I am testing the following right now: (Coffeescript)

oldConnect = pg.Client.prototype.connect
pg.Client.prototype.connect = (callback) ->
	console.log "Hallo From Connect :)"
	this.connectionParameters.password = getPassword()
	oldConnect.bind(this)(callback)

[kellertobias]

Seems to work.

[sehrope]

@kellertobias That wouldn't work if retrieving the password is an async operation. You would need to wait for it to complete prior to continuing the callback.

I took a peek at the code and turns out this wasn't that bad to add. See #1926 for a PR that adds this feature. It'll need at least one test added prior to being merged, but would be good if you can try it out and see if it works for your use case.

[kellertobias]

Works if using meteor with future/fibers and so making the async operation look sync ;)

[robbiet480]

This was successfully fixed via #1926. Here's an example:

password: async () => {
  if(process.env.DB_CONNECTION_STYLE === "rds_iam") {
    const signer = new AWS.RDS.Signer({
      region: (new AWS.Config()).region,
      hostname: process.env.DB_HOST,
      port: Number(process.env.DB_PORT),
      username: process.env.DB_USERNAME,
    });
    return signer.getAuthToken({});
  }
  return process.env.DB_PASSWORD;
},