Is your feature request related to a problem? Please describe.
Generated SQL schemas currently use configure({ database }) to store database connection metadata:
export const schema = configure({
database: {
identifier: "IDYufuVoPi8Po1obyjhhITYQ",
engine: "postgresql",
connectionUri: secret("SQL_CONNECTION_STRING")
}
}).schema({
// models...
});
This works for password-based connection URIs such as:
postgres://user:password@hostname:port/database
However, there is currently no explicit way to represent a database connection that uses RDS IAM database authentication instead of a static password.
This is needed for use cases such as Aurora PostgreSQL Express configuration, where the connection may rely on IAM auth tokens rather than a password in the connection URI.
Describe the solution you'd like
I would like configure({ database }) to support an optional authentication strategy field.
For example:
export const schema = configure({
database: {
identifier: "IDYufuVoPi8Po1obyjhhITYQ",
engine: "postgresql",
connectionUri: secret("SQL_CONNECTION_STRING"),
authentication: {
strategy: "rdsIam"
}
}
}).schema({
// models...
});
When authentication is omitted, the current behavior should remain unchanged and default to password-based authentication.
When authentication.strategy === "rdsIam", downstream packages should be able to understand that:
- the database uses RDS IAM authentication;
connectionUri may omit the password;
connectionUri still provides host, port, database name, and username.
This issue is only about allowing @aws-amplify/data-schema to express this metadata. Runtime support, such as generating IAM auth tokens and configuring IAM permissions, would be handled in downstream packages.
Describe alternatives you've considered
One alternative is to encode the auth mode in the URI, for example:
postgres+iam://postgres@hostname:5432/database
However, an explicit typed field is clearer and easier for downstream packages (https://github.com/aws-amplify/amplify-category-api) to consume.
Another alternative is to manually edit generated schema.sql.ts files, but those files are autogenerated and would be overwritten.
Additional context
This is motivated by supporting Aurora PostgreSQL Express configuration and other RDS PostgreSQL setups that use IAM database authentication.
The goal is to extend the existing database metadata shape in a backward-compatible way:
configure({
database: {
identifier,
engine,
connectionUri,
vpcConfig,
authentication // optional
}
})
A companion issue may be needed in amplify-category-api or other backend/runtime packages to consume this metadata and implement the actual RDS IAM authentication behavior.
Is your feature request related to a problem? Please describe.
Generated SQL schemas currently use
configure({ database })to store database connection metadata:This works for password-based connection URIs such as:
However, there is currently no explicit way to represent a database connection that uses RDS IAM database authentication instead of a static password.
This is needed for use cases such as Aurora PostgreSQL Express configuration, where the connection may rely on IAM auth tokens rather than a password in the connection URI.
Describe the solution you'd like
I would like
configure({ database })to support an optional authentication strategy field.For example:
When
authenticationis omitted, the current behavior should remain unchanged and default to password-based authentication.When
authentication.strategy === "rdsIam", downstream packages should be able to understand that:connectionUrimay omit the password;connectionUristill provides host, port, database name, and username.This issue is only about allowing
@aws-amplify/data-schemato express this metadata. Runtime support, such as generating IAM auth tokens and configuring IAM permissions, would be handled in downstream packages.Describe alternatives you've considered
One alternative is to encode the auth mode in the URI, for example:
However, an explicit typed field is clearer and easier for downstream packages (https://github.com/aws-amplify/amplify-category-api) to consume.
Another alternative is to manually edit generated
schema.sql.tsfiles, but those files are autogenerated and would be overwritten.Additional context
This is motivated by supporting Aurora PostgreSQL Express configuration and other RDS PostgreSQL setups that use IAM database authentication.
The goal is to extend the existing database metadata shape in a backward-compatible way:
A companion issue may be needed in
amplify-category-apior other backend/runtime packages to consume this metadata and implement the actual RDS IAM authentication behavior.