fleet/tools/redis-tests/elasticache
Scott Gress 602f5a470b
Feat 1817 add iam auth to mysql and redis (#32488)
for #1817 

# Details

This PR gives Fleet servers the ability to connect to RDS MySQL and
Elasticache Redis via AWS [Identity and Access Management
(IAM)](https://aws.amazon.com/iam/). It is based almost entirely on the
work of @titanous, branched from his [original pull
request](https://github.com/fleetdm/fleet/pull/31075). The main
differences between his branch and this are:

1. Removal of auto-detection of AWS region (and cache name for
Elasticache) in favor of specifying these values in configuration. The
auto-detection is admittedly handy but parsing AWS host URLs is not
considered a best practice.
2. Relying on the existence of these new configs to determine whether or
not to connect via IAM. This sidesteps a thorny issue of whether to try
an IAM-based Elasticache connection when a password is not supplied,
since this is technically a valid setup.

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

- [X] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.

## Testing

- [X] Added/updated automated tests
- [X] QA'd all new/changed functionality manually - besides using
@titanous's excellent test tool, I verified the following end-to-end:
  - [X] regular (non RDS) MySQL connection
  - [X] RDS MySQL connection using username/password
  - [X] RDS MySQL connection using IAM (no role)
  - [X] RDS MySQL connection using IAM (assuming role)
  - [X] regular (non Elasticache) Redis connection
  - [X] Elasticache Redis connection using username/password
  - [X] Elasticache Redis connection using NO password (without IAM)
  - [X] Elasticache Redis connection using IAM (no role)
  - [X] Elasticache Redis connection using IAM (assuming role)

---------

Co-authored-by: Jonathan Rudenberg <jonathan@titanous.com>
Co-authored-by: Noah Talerman <47070608+noahtalerman@users.noreply.github.com>
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
2025-09-04 10:08:47 -05:00
Files in this directory (each last changed in "Feat 1817 add iam auth to mysql and redis (#32488)", 2025-09-04 10:08:47 -05:00):

- cf-template.yaml
- cleanup-test-env.sh
- deploy-test-env.sh
- iam_auth.go
- README.md

# ElastiCache IAM Authentication Test Tools

This directory contains tools for testing Fleet's ElastiCache IAM authentication implementation.

## Prerequisites

- AWS CLI configured with appropriate credentials (via `AWS_PROFILE` or `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY`)

## Usage

### 1. Deploy Test Environment

```sh
# Set AWS credentials and region
export AWS_PROFILE=your-profile  # or use AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY
export AWS_REGION=us-east-2

# Deploy the test environment
./deploy-test-env.sh
```

This creates:

- VPC with subnets and security groups
- EC2 instance for running tests
- ElastiCache Serverless instance with IAM auth
- ElastiCache Standalone replication group with IAM auth
- IAM users and roles for authentication

### 2. Clean Up

```sh
./cleanup-test-env.sh
```

This will destroy the AWS resources.