Add support for AWS RDS IAM authentication

This change adds support for AWS' RDS IAM authentication
feature: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAM.html

The READMEs have been with details on how to configure this exporter
for use with RDS IAM.

Author: kppullin-nt

Dockerfile

@@ -1,6 +1,12 @@
 FROM debian:10-slim
 RUN useradd -u 20001 postgres_exporter
 
+# Install certs and create home directory needed by the AWS SDK
+RUN apt update && apt install ca-certificates -y \
+  && mkdir /home/postgres_exporter \
+  && chown postgres_exporter:postgres_exporter /home/postgres_exporter \
+  && rm -rf /var/lib/{apt,dpkg,cache,log}/
+
 USER postgres_exporter
 
 ARG binary

README-RDS.md

@@ -36,3 +36,21 @@ Running postgres-exporter in a container like so:
   ```
 + lastly, you must reboot the RDS instance.
 
+### AWS RDS IAM Authentication
+
+To use [AWS RDS IAM Authentication](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.html)
+set the data source password to the magic value `AWS_RDS_IAM_AUTH`.
+
+An AWS session is constructed using the default providers of the `aws-go-sdk` and should work will all common
+configuration options. Using EC2 IAM roles and `AWS_WEB_IDENTITY_TOKEN_FILE`s, via IAM Roles for Service Accounts,
+are specifically known to work.
+
+Troubleshooting:
+ - Do not set `sslmode=disabled`
+ - Set the `AWS_REGION` environment variable if the running instance does not have access to the EC2 metadata endpoint
+ - If using `AWS_WEB_IDENTITY_TOKEN_FILE` with kubernetes you likely need to configure your deployment to set the
+    `securityContext`s `fsGroup` value to `20001` (the ID set for the `postgres_exporter` user in the Dockerfile).
+    ```
+         securityContext:
+               fsGroup: 20001
+   ```

README.md

@@ -228,6 +228,8 @@ ALTER USER postgres_exporter SET SEARCH_PATH TO postgres_exporter,pg_catalog;
 -- If deploying as non-superuser (for example in AWS RDS), uncomment the GRANT
 -- line below and replace <MASTER_USER> with your root user.
 -- GRANT postgres_exporter TO <MASTER_USER>;
+-- If using AWS RDS IAM authentication, uncomment the line below
+-- GRANT rds_iam TO postgres_exporter;
 CREATE SCHEMA IF NOT EXISTS postgres_exporter;
 GRANT USAGE ON SCHEMA postgres_exporter TO postgres_exporter;
 GRANT CONNECT ON DATABASE postgres TO postgres_exporter;

cmd/postgres_exporter/dsn_factories.go

@@ -0,0 +1,85 @@
+package main
+
+import (
+	"github.com/aws/aws-sdk-go/aws/ec2metadata"
+	"github.com/aws/aws-sdk-go/aws/session"
+	"github.com/aws/aws-sdk-go/service/rds/rdsutils"
+	"net/url"
+	"os"
+)
+
+// DsnFactory creates DSNs
+type DsnFactory interface {
+	// Creates a new DSN
+	NewDsn() (string, error)
+
+	// Return a stable, valid, & parsable DSN value for logging, map keys, etc.
+	DsnID() string
+}
+
+// RawDsnFactory is a no-op factory that returns the original 'raw' DSN.
+type RawDsnFactory struct {
+	dsn string
+}
+
+// DsnID returns the original DSN
+func (f *RawDsnFactory) DsnID() string {
+	return f.dsn
+}
+
+// NewDsn returns the original DSN. No mutations are required DSNs created by the RawDsnFactory
+func (f *RawDsnFactory) NewDsn() (string, error) {
+	return f.dsn, nil
+}
+
+// AwsRdsIamFactory generates a DSN configured with AWS RDS IAM authentication credentials
+type AwsRdsIamFactory struct {
+	dsn string
+}
+
+// DsnID returns the original DSN. The password is _not_ replaced with an AWS RDS IAM generated password token
+func (f *AwsRdsIamFactory) DsnID() string {
+	return f.dsn
+}
+
+// NewDsn builds a new DSN with the password set to one obtained from the AWS RDS IAM token API
+func (f *AwsRdsIamFactory) NewDsn() (string, error) {
+	var err error
+	var sess *session.Session
+	sess, err = session.NewSession()
+	if err != nil {
+		return "", err
+	}
+
+	var u *url.URL
+	u, err = url.Parse(f.dsn)
+	if err != nil {
+		return "", err
+	}
+
+	region := *sess.Config.Region
+
+	if len(region) == 0 {
+		if len(os.Getenv("AWS_REGION")) > 0 {
+			region = os.Getenv("AWS_REGION")
+		} else {
+			var r string
+			r, err = ec2metadata.New(sess).Region()
+
+			if err != nil {
+				return "", err
+			}
+			region = r
+		}
+	}
+
+	var token string
+	token, err = rdsutils.BuildAuthToken(u.Host, region, u.User.Username(), sess.Config.Credentials)
+	if err != nil {
+		return "", err
+	}
+
+	u.User = url.UserPassword(u.User.Username(), token)
+
+	return u.String(), nil
+}

cmd/postgres_exporter/postgres_exporter.go

@@ -950,8 +950,9 @@ func NewServers(opts ...ServerOpt) *Servers {
 	}
 }
 
-// GetServer returns established connection from a collection.
-func (s *Servers) GetServer(dsn string) (*Server, error) {
+// GetServer returns established connection from a collection. If a connection
+// is invalid a new connection is established.
+func (s *Servers) GetServer(dsnID string, dsn string) (*Server, error) {
 	s.m.Lock()
 	defer s.m.Unlock()
 	var err error
@@ -963,17 +964,17 @@ func (s *Servers) GetServer(dsn string) (*Server, error) {
 		if errCount++; errCount > retries {
 			return nil, err
 		}
-		server, ok = s.servers[dsn]
+		server, ok = s.servers[dsnID]
 		if !ok {
 			server, err = NewServer(dsn, s.opts...)
 			if err != nil {
 				time.Sleep(time.Duration(errCount) * time.Second)
 				continue
 			}
-			s.servers[dsn] = server
+			s.servers[dsnID] = server
 		}
 		if err = server.Ping(); err != nil {
-			delete(s.servers, dsn)
+			delete(s.servers, dsnID)
 			time.Sleep(time.Duration(errCount) * time.Second)
 			continue
 		}
@@ -1002,7 +1003,7 @@ type Exporter struct {
 	disableDefaultMetrics, disableSettingsMetrics, autoDiscoverDatabases bool
 
 	excludeDatabases []string
-	dsn              []string
+	dsnFactories     []DsnFactory
 	userQueriesPath  string
 	constantLabels   prometheus.Labels
 	duration         prometheus.Gauge
@@ -1088,9 +1089,9 @@ func parseConstLabels(s string) prometheus.Labels {
 }
 
 // NewExporter returns a new PostgreSQL exporter for the provided DSN.
-func NewExporter(dsn []string, opts ...ExporterOpt) *Exporter {
+func NewExporter(dsnFactories []DsnFactory, opts ...ExporterOpt) *Exporter {
 	e := &Exporter{
-		dsn:               dsn,
+		dsnFactories:      dsnFactories,
 		builtinMetricMaps: builtinMetricMaps,
 	}
 
@@ -1459,18 +1460,33 @@ func (e *Exporter) scrape(ch chan<- prometheus.Metric) {
 
 	e.totalScrapes.Inc()
 
-	dsns := e.dsn
+	var errorsCount int
+	var dsns map[string]string
+
+	dsnFactories := e.dsnFactories
+
 	if e.autoDiscoverDatabases {
 		dsns = e.discoverDatabaseDSNs()
+	} else {
+		dsns = make(map[string]string)
+		for _, dsnFactory := range dsnFactories {
+			dsn, err := dsnFactory.NewDsn()
+
+			if err != nil {
+				log.Errorf("Unable to create dsn (%s): %v", loggableDSN(dsnFactory.DsnID()), err)
+
+				errorsCount++
+			} else {
+				dsns[dsnFactory.DsnID()] = dsn
+			}
+		}
 	}
 
-	var errorsCount int
 	var connectionErrorsCount int
 
-	for _, dsn := range dsns {
-		if err := e.scrapeDSN(ch, dsn); err != nil {
+	for dsnID, dsn := range dsns {
+		if err := e.scrapeDSN(ch, dsnID, dsn); err != nil {
 			errorsCount++
-
 			log.Errorf(err.Error())
 
 			if _, ok := err.(*ErrorConnectToServer); ok {
@@ -1494,17 +1510,31 @@ func (e *Exporter) scrape(ch chan<- prometheus.Metric) {
 	}
 }
 
-func (e *Exporter) discoverDatabaseDSNs() []string {
-	dsns := make(map[string]struct{})
-	for _, dsn := range e.dsn {
-		parsedDSN, err := url.Parse(dsn)
+func (e *Exporter) discoverDatabaseDSNs() map[string]string {
+	dsns := make(map[string]string)
+	for _, dsnFactory := range e.dsnFactories {
+		dsnID := dsnFactory.DsnID()
+		dsn, err := dsnFactory.NewDsn()
+		if err != nil {
+			log.Errorf("Unable to create DSN (%s): %v", loggableDSN(dsnFactory.DsnID()), err)
+		}
+
+		// Validate the DSN returned from the factory
+		parsedDsn, err := url.Parse(dsn)
 		if err != nil {
 			log.Errorf("Unable to parse DSN (%s): %v", loggableDSN(dsn), err)
 			continue
 		}
 
-		dsns[dsn] = struct{}{}
-		server, err := e.servers.GetServer(dsn)
+		// Validate and DSN Id assigned to the factory
+		parsedDsnID, err := url.Parse(dsnID)
+		if err != nil {
+			log.Errorf("Unable to parse DSN Id (%s): %v", loggableDSN(dsnID), err)
+			continue
+		}
+
+		dsns[dsnID] = dsn
+		server, err := e.servers.GetServer(dsnID, dsn)
 		if err != nil {
 			log.Errorf("Error opening connection to database (%s): %v", loggableDSN(dsn), err)
 			continue
@@ -1522,23 +1552,19 @@ func (e *Exporter) discoverDatabaseDSNs() []string {
 			if contains(e.excludeDatabases, databaseName) {
 				continue
 			}
-			parsedDSN.Path = databaseName
-			dsns[parsedDSN.String()] = struct{}{}
-		}
-	}
 
-	result := make([]string, len(dsns))
-	index := 0
-	for dsn := range dsns {
-		result[index] = dsn
-		index++
+			parsedDsn.Path = databaseName
+			parsedDsnID.Path = databaseName
+
+			dsns[parsedDsnID.String()] = parsedDsn.String()
+		}
 	}
 
-	return result
+	return dsns
 }
 
-func (e *Exporter) scrapeDSN(ch chan<- prometheus.Metric, dsn string) error {
-	server, err := e.servers.GetServer(dsn)
+func (e *Exporter) scrapeDSN(ch chan<- prometheus.Metric, dsnID string, dsn string) error {
+	server, err := e.servers.GetServer(dsnID, dsn)
 
 	if err != nil {
 		return &ErrorConnectToServer{fmt.Sprintf("Error opening connection to database (%s): %s", loggableDSN(dsn), err.Error())}
@@ -1561,9 +1587,12 @@ func (e *Exporter) scrapeDSN(ch chan<- prometheus.Metric, dsn string) error {
 // DATA_SOURCE_NAME always wins so we do not break older versions
 // reading secrets from files wins over secrets in environment variables
 // DATA_SOURCE_NAME > DATA_SOURCE_{USER|PASS}_FILE > DATA_SOURCE_{USER|PASS}
-func getDataSources() []string {
+func getDataSources() []DsnFactory {
 	var dsn = os.Getenv("DATA_SOURCE_NAME")
-	if len(dsn) == 0 {
+	var dsns []string
+	if len(dsn) > 0 {
+		dsns = strings.Split(dsn, ",")
+	} else {
 		var user string
 		var pass string
 		var uri string
@@ -1602,9 +1631,23 @@ func getDataSources() []string {
 
 		dsn = "postgresql://" + ui + "@" + uri
 
-		return []string{dsn}
+		dsns = []string{dsn}
+	}
+
+	dsnFactories := make([]DsnFactory, 0, len(dsns))
+	for _, dsn := range dsns {
+		u, _ := url.Parse(dsn)
+
+		if pw, set := u.User.Password(); set && pw == "AWS_RDS_IAM_AUTH" {
+			log.Infof("Building AwsRdsIamFactory for %s", loggableDSN(dsn))
+			dsnFactories = append(dsnFactories, &AwsRdsIamFactory{dsn: dsn})
+		} else {
+			log.Infof("Building RawDsnFactory for %s", loggableDSN(dsn))
+			dsnFactories = append(dsnFactories, &RawDsnFactory{dsn: dsn})
+		}
 	}
-	return strings.Split(dsn, ",")
+
+	return dsnFactories
 }
 
 func contains(a []string, x string) bool {
@@ -1637,12 +1680,12 @@ func main() {
 		return
 	}
 
-	dsn := getDataSources()
-	if len(dsn) == 0 {
+	dsnFactories := getDataSources()
+	if len(dsnFactories) == 0 {
 		log.Fatal("couldn't find environment variables describing the datasource to use")
 	}
 
-	exporter := NewExporter(dsn,
+	exporter := NewExporter(dsnFactories,
 		DisableDefaultMetrics(*disableDefaultMetrics),
 		DisableSettingsMetrics(*disableSettingsMetrics),
 		AutoDiscoverDatabases(*autoDiscoverDatabases),