From a89bf566bca9431a7a3308897f75f7e987dea318 Mon Sep 17 00:00:00 2001 From: Gaurav Jain Date: Thu, 5 Mar 2026 09:15:29 -0800 Subject: [PATCH 1/8] feat(php): Add PHP authentication token generation sample Add PHP SDK example for generating Aurora DSQL IAM authentication tokens using Aws\DSQL\AuthTokenGenerator with CredentialProvider::defaultProvider(). Validated against live cluster (us-east-1) with PHP 8.5 + aws/aws-sdk-php v3.371. --- php/authentication/composer.json | 5 +++++ php/authentication/src/generate_token.php | 23 +++++++++++++++++++++++ 2 files changed, 28 insertions(+) create mode 100644 php/authentication/composer.json create mode 100644 php/authentication/src/generate_token.php diff --git a/php/authentication/composer.json b/php/authentication/composer.json new file mode 100644 index 00000000..935cd991 --- /dev/null +++ b/php/authentication/composer.json @@ -0,0 +1,5 @@ +{ + "require": { + "aws/aws-sdk-php": "^3.0" + } +} diff --git a/php/authentication/src/generate_token.php b/php/authentication/src/generate_token.php new file mode 100644 index 00000000..f91bf180 --- /dev/null +++ b/php/authentication/src/generate_token.php @@ -0,0 +1,23 @@ +generateDbConnectAdminAuthToken($yourClusterEndpoint, $region); + + echo $token . PHP_EOL; + return $token; +} +// --8<-- [end:php-generate-token] From 3d1f8515031be4c245a34fb2a31c58f2b6c10ff7 Mon Sep 17 00:00:00 2001 
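Review bot: `echo $token . PHP_EOL;` writes the admin authentication token to standard output on every call to `generateToken()`, even though the function also returns it, so a caller that only wants the value still leaks it to the terminal or a job log. The PHPUnit tests added later in this series call the function from a GitHub Actions job, which would put a usable bearer credential for the `admin` role into the CI log until it expires. The function would be safer if it kept only `return $token;` and left printing to an explicit caller. If the print has to stay for the documentation snippet, a comment such as `// Demo only: never print or log auth tokens in real applications` would warn readers who copy the block. The opening lines of this hunk are not visible on this page, so this covers only the visible tail of the function.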
From: Gaurav Jain Date: Thu, 5 Mar 2026 09:23:30 -0800 Subject: [PATCH 2/8] test(php): Add PHPUnit integration tests for PHP authentication sample Two tests: - testGenerateTokenReturnsNonEmptyString: verifies token is generated - testTokenCanConnectToCluster: verifies token works for SELECT 1 Both validated against live cluster (us-east-1). Adds GitHub Actions workflow php-authentication-integ-tests.yml following existing workflow patterns. --- .../php-authentication-integ-tests.yml | 64 +++++++++++++++++++ php/authentication/composer.json | 8 +++ php/authentication/phpunit.xml | 11 ++++ php/authentication/test/GenerateTokenTest.php | 42 ++++++++++++ 4 files changed, 125 insertions(+) create mode 100644 .github/workflows/php-authentication-integ-tests.yml create mode 100644 php/authentication/phpunit.xml create mode 100644 php/authentication/test/GenerateTokenTest.php diff --git a/.github/workflows/php-authentication-integ-tests.yml b/.github/workflows/php-authentication-integ-tests.yml new file mode 100644 index 00000000..21f6d0d6 --- /dev/null +++ b/.github/workflows/php-authentication-integ-tests.yml 
@@ -0,0 +1,64 @@
+name: PHP authentication integration tests
+
+permissions: {}
+
+on:
+ workflow_call: {}
+ workflow_dispatch:
+ push:
+ branches: [ main ]
+
+jobs:
+ create-cluster:
+ uses: ./.github/workflows/dsql-cluster-create.yml
+ with:
+ workflow_name: php-authentication
+ secrets:
+ AWS_IAM_ROLE: ${{ secrets.PHP_IAM_ROLE }}
+ permissions:
+ id-token: write
+
+ php-authentication-integ-test:
+ needs: create-cluster
+ runs-on: ubuntu-latest
+ permissions:
+ id-token: write
+
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v6
+
+ - name: Set up PHP
+ uses: shivammathur/setup-php@v2
+ with:
+ php-version: '8.2'
+ extensions: pdo_pgsql, pgsql
+
+ - name: Configure AWS Credentials
+ uses: aws-actions/configure-aws-credentials@v6
+ with:
+ role-to-assume: ${{ secrets.PHP_IAM_ROLE }}
+ aws-region: ${{ needs.create-cluster.outputs.region }}
+
+ - name: Install dependencies
+ working-directory: ./php/authentication
+ run: composer install --no-interaction
+
+ - name: Run integration tests
+ working-directory: ./php/authentication
+ env:
+ CLUSTER_ENDPOINT: ${{ needs.create-cluster.outputs.cluster-endpoint }}
+ REGION: ${{ needs.create-cluster.outputs.region }}
+ run: ./vendor/bin/phpunit
+
+ delete-cluster:
+ if: always() && needs.create-cluster.result == 'success'
+ needs: [create-cluster, php-authentication-integ-test]
+ uses: ./.github/workflows/dsql-cluster-delete.yml
+ with:
+ cluster-id: ${{ needs.create-cluster.outputs.cluster-id }}
+ region: ${{ needs.create-cluster.outputs.region }}
+ secrets:
+ AWS_IAM_ROLE: ${{ secrets.PHP_IAM_ROLE }}
+ permissions:
+ id-token: write
diff --git a/php/authentication/composer.json b/php/authentication/composer.json
index 935cd991..6b7f4de1 100644
--- a/php/authentication/composer.json
+++ b/php/authentication/composer.json
@@ -1,5 +1,13 @@
 {
 "require": {
 "aws/aws-sdk-php": "^3.0"
+ },
+ "require-dev": {
+ "phpunit/phpunit": "^11.0"
+ },
+ "autoload": {
+ "psr-4": {
+ "Dsql\\": "src/"
+ }
 }
 }
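Review bot: The steps of `php-authentication-integ-test` reference actions by mutable tags (`actions/checkout@v6`, `shivammathur/setup-php@v2`, `aws-actions/configure-aws-credentials@v6`) in a job that holds `id-token: write` and assumes an AWS role. A retagged or compromised release of any of them would run with that role's credentials, so each `uses:` is better pinned to a full commit SHA with the tag kept as a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha> # v6`. If tag pinning is a deliberate convention shared with the repository's other workflows, which are not visible here, a short comment saying so would help.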
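Review bot: The new `require-dev` entry is resolved by `composer install` inside a CI job that holds AWS role credentials, and neither diffstat in this series lists a `composer.lock`. Unless a lock file is committed elsewhere, every run picks the newest releases matching `^3.0` and `^11.0`, so dependency code executed next to those credentials can change without a reviewed commit. Committing `composer.lock` for the sample would close that gap. Separately, the `"psr-4": { "Dsql\\": "src/" }` mapping only autoloads classes, while the test calls the plain function `generateToken()` from `src/generate_token.php`. Unless the test includes that file itself (its header is not visible on this page), an `autoload` entry `"files": ["src/generate_token.php"]` is what would make the function available.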
diff --git a/php/authentication/phpunit.xml b/php/authentication/phpunit.xml new file mode 100644 index 00000000..74a349ae --- /dev/null +++ b/php/authentication/phpunit.xml @@ -0,0 +1,11 @@ + + + + + test + + + diff --git a/php/authentication/test/GenerateTokenTest.php b/php/authentication/test/GenerateTokenTest.php new file mode 100644 index 00000000..17be16d6 --- /dev/null +++ b/php/authentication/test/GenerateTokenTest.php @@ -0,0 +1,42 @@ +assertNotEmpty($endpoint, 'CLUSTER_ENDPOINT environment variable must be set'); + + $token = generateToken($endpoint, $region); + + $this->assertIsString($token); + $this->assertNotEmpty($token); + } + + public function testTokenCanConnectToCluster(): void + { + $endpoint = getenv('CLUSTER_ENDPOINT'); + $region = getenv('REGION') ?: 'us-east-1'; + + $this->assertNotEmpty($endpoint, 'CLUSTER_ENDPOINT environment variable must be set'); + + $token = generateToken($endpoint, $region); + + $dsn = "pgsql:host={$endpoint};port=5432;dbname=postgres;sslmode=verify-full"; + $pdo = new PDO($dsn, 'admin', $token); + + $stmt = $pdo->query('SELECT 1 AS result'); + $result = $stmt->fetchColumn(); + + $this->assertEquals(1, (int) $result); + } +} From 68f98427cf1af97fe7b67e7328b37de3a4c02308 Mon Sep 17 00:00:00 2001 From: Gaurav Jain Date: Thu, 5 Mar 2026 17:51:18 -0800 Subject: [PATCH 3/8] ci: trigger re-run From 31b1e8b06889c468ff323732c59f1f04eed2c56b Mon Sep 17 00:00:00 2001 From: Gaurav Jain Date: Thu, 5 Mar 2026 18:14:23 -0800 Subject: [PATCH 4/8] ci: Wire php-authentication into ci-gate.yml --- .github/workflows/ci-gate.yml | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/.github/workflows/ci-gate.yml b/.github/workflows/ci-gate.yml index e1b247aa..c928f65a 100644 --- a/.github/workflows/ci-gate.yml +++ b/.github/workflows/ci-gate.yml 
@@ -26,6 +26,7 @@ jobs: javascript-node-postgres: ${{ steps.detect.outputs.javascript-node-postgres }} javascript-postgresjs: ${{ steps.detect.outputs.javascript-postgresjs }} lambda-nodejs: ${{ steps.detect.outputs.lambda-nodejs }} + php-authentication: ${{ steps.detect.outputs.php-authentication }} python-asyncpg: ${{ steps.detect.outputs.python-asyncpg }} python-cm: ${{ steps.detect.outputs.python-cm }} python-psycopg2: ${{ steps.detect.outputs.python-psycopg2 }} @@ -56,6 +57,7 @@ jobs: 'javascript-node-postgres': ['javascript/node-postgres/', '.github/workflows/javascript-node-postgres-integ-tests.yml'], 'javascript-postgresjs': ['javascript/postgres-js/', '.github/workflows/javascript-postgresjs-integ-tests.yml'], 'lambda-nodejs': ['lambda/', '.github/workflows/lambda-nodejs-integ-tests.yml'], + 'php-authentication': ['php/authentication/', '.github/workflows/php-authentication-integ-tests.yml'], 'python-asyncpg': ['python/asyncpg/', '.github/workflows/python-asyncpg-integ-tests.yml'], 'python-cm': ['python/cluster_management/', '.github/workflows/python-cm-integ-tests.yml'], 'python-psycopg2': ['python/psycopg2/', '.github/workflows/python-psycopg2-integ-tests.yml'], @@ -217,6 +219,14 @@ jobs: permissions: id-token: write # required by aws-actions/configure-aws-credentials + php-authentication: + needs: changes + if: needs.changes.outputs.php-authentication == 'true' + uses: ./.github/workflows/php-authentication-integ-tests.yml + secrets: inherit + permissions: + id-token: write # required by aws-actions/configure-aws-credentials + python-asyncpg: needs: changes if: needs.changes.outputs.python-asyncpg == 'true' @@ -324,6 +334,7 @@ jobs: - javascript-node-postgres - javascript-postgresjs - lambda-nodejs + - php-authentication - python-asyncpg - python-cm - python-psycopg2 From ec17912ad71624a39c7ff0e8a6a3ecaf17e81b77 Mon Sep 17 00:00:00 2001 
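Review bot: `secrets: inherit` in the new `php-authentication` job hands every repository and organisation secret to the called workflow, although that workflow, as added earlier in this series, reads only a single IAM role secret. Passing just that one keeps the exposure to what the job needs, e.g. `secrets:` followed by `PHP_IAM_ROLE: ${{ secrets.PHP_IAM_ROLE }}`. That also requires declaring the secret under `workflow_call` in `php-authentication-integ-tests.yml`, which currently uses `workflow_call: {}`. The neighbouring jobs' `secrets:` lines are outside this hunk, so this may mirror an existing pattern. If it does, a comment explaining why inheritance is needed would be enough.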
From: Gaurav Jain Date: Thu, 5 Mar 2026 18:15:58 -0800 Subject: [PATCH 5/8] ci: Use PYTHON_IAM_ROLE for PHP authentication tests --- .github/workflows/php-authentication-integ-tests.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/php-authentication-integ-tests.yml b/.github/workflows/php-authentication-integ-tests.yml index 21f6d0d6..b8040dd2 100644 --- a/.github/workflows/php-authentication-integ-tests.yml +++ b/.github/workflows/php-authentication-integ-tests.yml @@ -14,7 +14,7 @@ jobs: with: workflow_name: php-authentication secrets: - AWS_IAM_ROLE: ${{ secrets.PHP_IAM_ROLE }} + AWS_IAM_ROLE: ${{ secrets.PYTHON_IAM_ROLE }} permissions: id-token: write @@ -37,7 +37,7 @@ jobs: - name: Configure AWS Credentials uses: aws-actions/configure-aws-credentials@v6 with: - role-to-assume: ${{ secrets.PHP_IAM_ROLE }} + role-to-assume: ${{ secrets.PYTHON_IAM_ROLE }} aws-region: ${{ needs.create-cluster.outputs.region }} - name: Install dependencies @@ -59,6 +59,6 @@ jobs: cluster-id: ${{ needs.create-cluster.outputs.cluster-id }} region: ${{ needs.create-cluster.outputs.region }} secrets: - AWS_IAM_ROLE: ${{ secrets.PHP_IAM_ROLE }} + AWS_IAM_ROLE: ${{ secrets.PYTHON_IAM_ROLE }} permissions: id-token: write From d64923497273e4bdd63a71831322c7db61d2670e Mon Sep 17 00:00:00 2001 From: Gaurav Jain Date: Thu, 5 Mar 2026 18:16:54 -0800 Subject: [PATCH 6/8] ci: Remove shivammathur/setup-php, use runner built-in PHP --- .github/workflows/php-authentication-integ-tests.yml | 6 ------ 1 file changed, 6 deletions(-) diff --git a/.github/workflows/php-authentication-integ-tests.yml b/.github/workflows/php-authentication-integ-tests.yml index b8040dd2..568f1df8 100644 --- a/.github/workflows/php-authentication-integ-tests.yml +++ b/.github/workflows/php-authentication-integ-tests.yml 
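Review bot: Replacing `secrets.PHP_IAM_ROLE` with `secrets.PYTHON_IAM_ROLE` in all three hunks makes the PHP tests run under the role that, judging by its name, belongs to the Python samples. That widens what either test suite can reach and makes role activity harder to attribute to one workflow. A dedicated role scoped to what this workflow does (cluster create and delete plus the admin connect) would keep the two suites separate. If the sharing is a temporary workaround, a comment next to each reference would record that, e.g. `# TODO: switch to a dedicated PHP role once provisioned; shared with the Python samples for now`.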
@@ -28,12 +28,6 @@ jobs: - name: Checkout code uses: actions/checkout@v6 - - name: Set up PHP - uses: shivammathur/setup-php@v2 - with: - php-version: '8.2' - extensions: pdo_pgsql, pgsql - - name: Configure AWS Credentials uses: aws-actions/configure-aws-credentials@v6 with: From d4affb9c13e3b081e965129e124d8412a3a2d0db Mon Sep 17 00:00:00 2001 From: Gaurav Jain Date: Thu, 5 Mar 2026 18:18:18 -0800 Subject: [PATCH 7/8] ci: Enable pdo_pgsql extension on runner --- .github/workflows/php-authentication-integ-tests.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/php-authentication-integ-tests.yml b/.github/workflows/php-authentication-integ-tests.yml index 568f1df8..3fabe805 100644 --- a/.github/workflows/php-authentication-integ-tests.yml +++ b/.github/workflows/php-authentication-integ-tests.yml @@ -28,6 +28,9 @@ jobs: - name: Checkout code uses: actions/checkout@v6 + - name: Enable pdo_pgsql extension + run: sudo phpenmod pdo_pgsql + - name: Configure AWS Credentials uses: aws-actions/configure-aws-credentials@v6 with: From 60fc2ceebee7455b234c47b421c7d2cb61c2d6f7 Mon Sep 17 00:00:00 2001 From: Gaurav Jain Date: Thu, 5 Mar 2026 18:22:35 -0800 Subject: [PATCH 8/8] fix: Use sslrootcert=system for SSL verification in tests --- php/authentication/test/GenerateTokenTest.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/php/authentication/test/GenerateTokenTest.php b/php/authentication/test/GenerateTokenTest.php index 17be16d6..cbbed0c1 100644 --- a/php/authentication/test/GenerateTokenTest.php +++ b/php/authentication/test/GenerateTokenTest.php @@ -31,7 +31,7 @@ public function testTokenCanConnectToCluster(): void $token = generateToken($endpoint, $region); - $dsn = "pgsql:host={$endpoint};port=5432;dbname=postgres;sslmode=verify-full"; + $dsn = "pgsql:host={$endpoint};port=5432;dbname=postgres;sslmode=verify-full;sslrootcert=system"; $pdo = new PDO($dsn, 'admin', $token); $stmt = $pdo->query('SELECT 1 AS result');
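Review bot: `sslrootcert=system` in the new DSN is only understood by libpq 16 and later. An older client library is expected to treat the value as a certificate file path, so the `verify-full` connection fails instead of falling back to the system trust store. That failure is closed, so verification is not weakened, but the test now depends on whichever libpq ships with the runner's preinstalled PHP, which the two preceding commits switched to. A comment above the DSN would make the requirement explicit, e.g. `// sslrootcert=system needs libpq >= 16; on older clients point sslrootcert at a CA bundle file`. The enclosing `testTokenCanConnectToCluster()` method starts and ends outside this hunk.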