Dynamic credentials support for SQL components #2566
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Currently, there is no way to change the credentials used by any of the SQL components without updating the configuration and restarting the stream. This is a problem for use cases where credentials must be rotated on a regular basis (AWS RDS IAM, CockroachDB JWT, Hashicorp Vault temporary credentials).
To resolve this, I have implemented an additional
dynamic_credentials
configuration block supported by all SQL components (other than deprecated ones). This property allows specifying a cache resource and a key with which to retrieve credentialing information. The value stored in this key is used to supply interpolation parameters to the dsn field, which has now been made dynamic. The cache is queried and the dsn is regenerated when a new connection is created. Init statements and files are only run once, and are not reapplied when creating a new connection. This has the advantage of working with all drivers, regardless of underlying implementation. A side effect of this approach is that idle connections with stale credentials are not proactively removed. The settingsconn_max_idle
andconn_max_idle_time
can be used counteract this based on use case requirements.Example:
This setup can pair well with the
cached
processor to refresh credentials on a regular interval.In principle, you could use this field to template any value in the DSN including database/settings/port/hostname or really anything that doesn't require changing the driver.
However, this is not the intention since this could lead to unintended consequences as initialization options are only run once.
The name
dynamic_credentials
is chosen intentionally as this is the intended purpose.