promenadeco/doctrine-aws-auth
Composer 安装命令:
composer require promenadeco/doctrine-aws-auth
包简介
RDS authentication using IAM for Doctrine DBAL/ORM
README 文档
README
This library provides Amazon RDS database authentication using IAM for Doctrine DBAL / ORM.
Features:
- RDS auth via IAM using short-lived tokens
- Token caching (for 10 min by default)
- Support of EC2 and ECS environments
- Support of PDO and MySQLi drivers
Usage
Install the package using Composer:
composer require promenadeco/doctrine-aws-auth
Enable IAM authentication in cleartext using the following environment variables:
AWS_REGION=us-east-1 RDS_USE_IAM=1 LIBMYSQL_ENABLE_CLEARTEXT_PLUGIN=1
Doctrine ORM
Register the DBAL driver middleware in Doctrine ORM:
use Doctrine\ORM\EntityManager; use Doctrine\ORM\ORMSetup; use Promenade\Doctrine\Aws\Auth\Driver\IamMiddleware; use Promenade\Doctrine\Aws\Auth\Token\RdsToken; // ... $ormConfig = ORMSetup::createAnnotationMetadataConfiguration([ 'src/Entity', ]); $tokenProvider = new RdsToken(); $ormConfig->setMiddlewares([ new IamMiddleware($tokenProvider), ]); $entityManager = EntityManager::create( [ 'host' => 'example-db.abcdefghijkl.us-east-1.rds.amazonaws.com', 'port' => 3306, 'user' => 'iam_user', 'dbname' => 'test_db', 'driver' => 'pdo_mysql', 'driverOptions' => [ PDO::MYSQL_ATTR_SSL_CA => '/etc/ssl/certs/ca-certificates.crt', PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT => false ], ], $ormConfig );
Encryption
Connection encryption is necessary to secure transmission of credentials as cleartext.
The SSL configuration differs between drivers, for example:
[
// ...
'driver' => 'mysqli',
'driverOptions' => [
'flags' => MYSQLI_CLIENT_SSL,
],
]
Caching
Activate token caching to stay within rate limits and improve performance:
use Promenade\Doctrine\Aws\Auth\Token\CachingProxy; // ... $tokenProvider = new CachingProxy($tokenProvider, $ormConfig->getMetadataCache());
By default, tokens are good for 15 min and are cached for 10 min to be renewed well ahead of their expiration.
Symfony
Register the DBAL driver middleware in config/services.yaml:
services: Promenade\Doctrine\Aws\Auth\Token\TokenProvider: class: Promenade\Doctrine\Aws\Auth\Token\RdsToken Promenade\Doctrine\Aws\Auth\Driver\IamMiddleware: tags: ['doctrine.middleware']
Caching
Activate the token caching and adjust its lifetime as needed:
services: Promenade\Doctrine\Aws\Auth\Driver\IamMiddleware: arguments: $tokenProvider: '@Promenade\Doctrine\Aws\Auth\Token\CachingProxy' Promenade\Doctrine\Aws\Auth\Token\RdsToken: arguments: $lifetime: 15 Promenade\Doctrine\Aws\Auth\Token\CachingProxy: arguments: $lifetime: 14
Make sure tokens are valid some time beyond their cache expiration to compensate for potential clock drift.
Limitations
IAM authentication relies on database client sending credentials in cleartext without hashing.
The implementation has only been tested on MySQL. Other RDBMS may have their own unique limitations.
Resources
Related resources with useful information:
- sators/connect.php
- lead/doctrine-rds-iam-auth
- AWS Documentation
- AWS Knowledge Center
- AWS User Guide
- MySQL Documentation
Contributing
Pull Requests with fixes and improvements are welcome!
License
Copyright © Promenade Group. All rights reserved.
Licensed under the Apache License, Version 2.0.
promenadeco/doctrine-aws-auth 适用场景与选型建议
promenadeco/doctrine-aws-auth 是一款 基于 PHP 开发的 Composer 扩展包,目前已累计 19.24k 次下载、GitHub Stars 达 6, 最近一次更新时间为 2022 年 06 月 16 日, 在 PHP 生态内属于活跃度较高的组件。
我们在过去多个企业项目中使用过 promenadeco/doctrine-aws-auth 或与其功能相近的方案,如果你在选型或落地过程中遇到问题,例如 版本兼容、二次改造、私有化封装、与内部系统对接、生产 BUG 排查,欢迎联系我们协助评估。
基于 promenadeco/doctrine-aws-auth 在你已有业务上做功能扩展、字段裁剪、UI 适配、与内部账号 / 权限 / 日志系统的深度对接。
线上偶发问题、内存泄漏、慢查询、并发异常等排查修复;针对高流量场景做缓存、队列、索引层面的调优。
承接完整的项目从需求 → 设计 → 开发 → 上线 → 长期运维;也可按月提供技术保姆服务。
统计信息
- 总下载量: 19.24k
- 月度下载量: 0
- 日度下载量: 0
- 收藏数: 6
- 点击次数: 19
- 依赖项目数: 0
- 推荐数: 0
其他信息
- 授权协议: Apache-2.0
- 更新时间: 2022-06-16