Metadata-Version: 2.3
Name: django-iam-dbauth
Version: 0.2.1
Summary: Django database backends to use AWS Database IAM Authentication
Project-URL: Homepage, https://github.com/LabD/django-iam-dbauth
Author-email: Lab Digital <opensource@labdigital.nl>
License: MIT
License-File: LICENSE
Classifier: Development Status :: 5 - Production/Stable
Classifier: Environment :: Web Environment
Classifier: Framework :: Django
Classifier: Framework :: Django :: 4.2
Classifier: Framework :: Django :: 5.0
Classifier: Framework :: Django :: 5.1
Classifier: License :: OSI Approved :: MIT License
Classifier: Programming Language :: Python
Classifier: Programming Language :: Python :: 3
Classifier: Programming Language :: Python :: 3.8
Classifier: Programming Language :: Python :: 3.9
Classifier: Programming Language :: Python :: 3.10
Classifier: Programming Language :: Python :: 3.11
Classifier: Programming Language :: Python :: 3.12
Requires-Dist: boto3
Requires-Dist: django>=4.2
Requires-Dist: dnspython
Description-Content-Type: text/markdown

# Django IAM database backends

<!-- start-no-pypi -->
[![codecov](https://codecov.io/gh/labd/django-iam-dbauth/branch/master/graph/badge.svg)](https://codecov.io/gh/labd/django-iam-dbauth)
[![pypi](https://img.shields.io/pypi/v/django-iam-dbauth.svg)](https://pypi.python.org/pypi/django-iam-dbauth/)
[![readthedocs](https://readthedocs.org/projects/django-iam-dbauth/badge/)](https://django-iam-dbauth.readthedocs.io/en/latest/)
[![tests](https://github.com/labd/django-iam-dbauth/workflows/Python%20Tests/badge.svg)](https://github.com/labd/django-iam-dbauth/actions)
<!-- end-no-pypi -->

## Usage

```shell
pip install django-iam-dbauth
```

In your settings use the following

```python
DATABASES = {
    "default": {
        "HOST": "<hostname>",
        "USER": "<user>",
        "NAME": "<db name>",
        "ENGINE": 'django_iam_dbauth.aws.postgresql',
        "OPTIONS": {
            "use_iam_auth": True,
            "sslmode": "require",   # See discussion on SSL below
            "resolve_cname_enabled": True,
        }
    }
}
```

### SSL and PostgreSQL

When using IAM authentication with RDS, SSL is required. If it's not used, such as when using a CNAME (see below), login will be denied with the below error:

```
django.db.utils.OperationalError: FATAL:  pg_hba.conf rejects connection for host "1.2.3.4", user "some_user", database "some_database", SSL off
```

### SSL and MySQL

Acquired Token won't work with MySQL if use RDS instance name, which is a CNAME record, as a HOST, because by default it will be resolved to a cannonical name by django-iam-dbauth. As a result the hostname of the token will bi different. To prevent the module from resolving CNAME, set "resolve_cname_enabled" to False.

### CNAME considerations

Currently, IAM authentication is not supported with CNAMEs. However, this package does CNAME resolution so that the
signed request for a password will work. The issue with this approach is that from the DB library's point of view, the
connection is initiated to the hostname as defined in the settings. If using SSL, certificate verification will fail.
In this case, for PostgreSQL you may want to set `sslmode` to `require` or `verify-ca`.

Further documentation:

* [PostgreSQL SSL modes](https://www.postgresql.org/docs/current/libpq-ssl.html#LIBPQ-SSL-PROTECTION)
* [AWS guide on IAM DB authentication](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.html)