Hurricane

Reputation: 1554

Dealing with DB instance IAM authentication token expiry

As per here, after you generate an authentication token, it's valid for 15 minutes before it expires.

Consequently, if you don't hold onto the connection it will expire after 15 mins.

Upon application startup, we have code a bit like this:

Jdbi.create(dbProperties().getDbUrl(), jdbiProperties());

Part of the jdbiProperties() method calls:

generator.getAuthToken(GetIamAuthTokenRequest.builder()
                .hostname(url).port(PORT).userName(username)
                .build());

We have a repo method that uses the jdbi (wrapper of a JDBC DataSource) like so:

jdbi.withHandle(handle ->
    handle.createQuery("select name from contacts")
          .mapTo(String.class)
          .list());

The problem here is that since we generated the token upon startup, it stops working after 15 min.

Is there some standard pattern for dealing with this? Seems like we could refresh the token upon every call (seems inefficient). Or we could request a new token upon receipt of expiry (through an exception).

Any suggestions appreciated.

TIA

Upvotes: 3

Views: 1760

Answers (1)

blagerweij

Reputation: 3421

Please see https://github.com/team-carepay/carepool-aws-jdbc

This library supports different ways of providing IAM authentication for RDS:

  1. Wrapper for Tomcat Datasource
  2. Wrapper for Hikari Datasource
  3. Plugin for MariaDB driver
  4. Plugin for MySQL driver

Depending on your project, you can pick any of the above options. For Jdbi, you can use Jdbi.create, which takes a DataSource, e.g. Hikari or MySQL.

Please note that some versions of MariaDB driver support native AWS IAM (assuming that you have the AWS Java SDK in your classpath). Since that support was removed, you can now use https://github.com/awslabs/aws-mysql-jdbc which also supports IAM authentication. The MariaDB and AWS-MySQL drivers need a few libraries on the classpath (jackson, commons-collections, etc), so make sure you include these. The carepool-aws-jdbc plugin does not require any 3rd party libraries.

Upvotes: 0
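
An added example (not code from the question, the answer, or the carepool-aws-jdbc library): a Jdbi `ConnectionFactory` that signs a fresh IAM token each time a new physical connection is opened, so no token created at startup is ever reused. It assumes Jdbi 3 and the AWS SDK for Java v1 classes named in the question; the class name `IamTokenConnectionFactory` and its constructor parameters are hypothetical.

```java
import com.amazonaws.auth.DefaultAWSCredentialsProviderChain;
import com.amazonaws.services.rds.auth.GetIamAuthTokenRequest;
import com.amazonaws.services.rds.auth.RdsIamAuthTokenGenerator;
import org.jdbi.v3.core.ConnectionFactory;
import org.jdbi.v3.core.Jdbi;

import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.Properties;

/** Hypothetical helper: every new connection authenticates with a newly signed token. */
public final class IamTokenConnectionFactory implements ConnectionFactory {
    private final String jdbcUrl; // assumption: URL already carries the driver's TLS settings
    private final String host;
    private final int port;
    private final String user;
    private final RdsIamAuthTokenGenerator generator;

    public IamTokenConnectionFactory(String jdbcUrl, String host, int port,
                                     String user, String region) {
        this.jdbcUrl = jdbcUrl;
        this.host = host;
        this.port = port;
        this.user = user;
        // The credentials provider chain resolves and refreshes the underlying AWS credentials.
        this.generator = RdsIamAuthTokenGenerator.builder()
                .credentials(new DefaultAWSCredentialsProviderChain())
                .region(region)
                .build();
    }

    @Override
    public Connection openConnection() throws SQLException {
        // The token is generated here, at connect time, not at application startup.
        String token = generator.getAuthToken(GetIamAuthTokenRequest.builder()
                .hostname(host).port(port).userName(user).build());
        Properties props = new Properties();
        props.setProperty("user", user);
        props.setProperty("password", token); // a credential: keep it out of logs
        return DriverManager.getConnection(jdbcUrl, props);
    }

    /** Replaces Jdbi.create(url, properties) from the question. */
    public static Jdbi jdbi(String jdbcUrl, String host, int port, String user, String region) {
        return Jdbi.create(new IamTokenConnectionFactory(jdbcUrl, host, port, user, region));
    }
}
```

This factory opens an unpooled connection per `withHandle` call; the DataSource wrappers listed in the answer apply the same per-connection token idea behind a connection pool.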
