---
# this manifest contains a version with the IRSA connection check
apiVersion: batch/v1
kind: Job
metadata:
name: postgres-client
labels:
app: postgres-client
spec:
backoffLimit: 0
template:
spec:
serviceAccountName: aurora-access-sa
restartPolicy: Never
containers:
- name: postgres-client
image: amazonlinux:latest
command:
- sh
- -c
- |
/bin/bash <<'EOF'
set -o pipefail
echo "Installing dependencies..."
yum install -y postgresql15 awscli-2
echo "Creating IRSA db user using admin user"
psql -h $AURORA_ENDPOINT -p $AURORA_PORT "sslmode=require dbname=$AURORA_DB_NAME user=$AURORA_USERNAME password=$AURORA_PASSWORD" \
-c "CREATE USER \"${AURORA_USERNAME_IRSA}\" WITH LOGIN;" \
-c "GRANT rds_iam TO \"${AURORA_USERNAME_IRSA}\";" \
-c "GRANT ALL PRIVILEGES ON DATABASE \"${AURORA_DB_NAME}\" TO \"${AURORA_USERNAME_IRSA}\";" \
-c "SELECT aurora_version();" \
-c "SELECT version();" -c "\du"
# Attempt unauthenticated access to the Aurora PostgreSQL database, expecting a failure
if ! psql -h "$AURORA_ENDPOINT" \
-p "$AURORA_PORT" \
"sslmode=require dbname=$AURORA_DB_NAME user=$AURORA_USERNAME_IRSA password=$AWS_PG_PASSWORD" \
-c 'SELECT version();' 2>/dev/null; then
echo "Unauthenticated access failed as expected."
else
echo "Unauthenticated access did not fail as expected, check the configuration."
exit 1
fi
echo "Testing connection using IRSA"
export AWS_PG_PASSWORD=$(aws rds generate-db-auth-token --hostname $AURORA_ENDPOINT --port $AURORA_PORT \
--region $AWS_REGION --username $AURORA_USERNAME_IRSA)
psql -h $AURORA_ENDPOINT -p $AURORA_PORT "sslmode=require dbname=$AURORA_DB_NAME user=$AURORA_USERNAME_IRSA password=$AWS_PG_PASSWORD" \
-c 'SELECT version();'
EOF
env:
- name: AURORA_ENDPOINT
valueFrom:
configMapKeyRef:
name: aurora-config
key: aurora_endpoint
- name: AURORA_USERNAME
valueFrom:
configMapKeyRef:
name: aurora-config
key: aurora_username
- name: AURORA_USERNAME_IRSA
valueFrom:
configMapKeyRef:
name: aurora-config
key: aurora_username_irsa
- name: AURORA_PASSWORD
valueFrom:
secretKeyRef:
name: aurora-secret
key: aurora_password
- name: AURORA_PORT
valueFrom:
configMapKeyRef:
name: aurora-config
key: aurora_port
- name: AWS_REGION
valueFrom:
configMapKeyRef:
name: aurora-config
key: aws_region
- name: AURORA_DB_NAME
valueFrom:
configMapKeyRef:
name: aurora-config
key: aurora_db_name