new database per microservice

[williamputraintan]

A mechanism to create database names for each microsrvice and remove passing master secret to stateless stack

Ref: #92 (comment)

[andrewpatto]

The "best" mechanism to truly restrict access is RDS IAM - but that isn't normal db connection strings. It has to be enabled in the database etc and the connection strings are like v4 pre-signed strings.
So if you have a lot of control over your clients then that is the best - and then in that case the IAM permissions for the microservice can have conditionals etc down to the database (not just instance) level.

Is hard to wedge it in where you don't have control over the client lifecycle (Edgedb for instance? Though that has enough hooks that it might work)

[andrewpatto]

https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.html

[andrewpatto]

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "rds-db:connect",
            "Resource": "arn:aws:rds-db:*:ACCOUNT_ID:dbuser:*/*_ro"
        }
    ]
}

[andrewpatto]

I mention it because at this level you don't use secrets at all

[williamputraintan]

So I think one of the downside of having this RDS-IAM is that the token used for the authentication needs to be refreshed every 15 minutes, in the case of EdgeDb I am not sure whether we could set up a refresh mechanism from the EdgeDb server itself as we usually pass in the postgres DSN at the environment variable. (I guess possible could have like a cron job and parameter store to make it work?)

[andrewpatto]

Yes 100% agree it wouldn't currently make sense for EdgeDb (I was tempted to actually put a ticket in to the edgedb folks themselves).
I thought this was broadly also about other direct accesses to the postgres though - which possibly could use this technique? (like filemanager etc)?