We have a SAM-generated API-Gateway - Lambda integration stack that needs to access an RDS Database (Postgres).
SAM is creating the necessary CF template with the custom role and attendant policies for our functions: ('AWSLambdaVPCAccessExecutionRole' & 'AmazonRDSReadOnlyAccess')
We've configured the functions that need to connect to the DB with the subnet IDs and security group of the DB's VPC and are attempting to connect using IAM authentication.
We've created the PG user account in the target DB with rds_admin role grant as per: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.DBAccounts.html
What we are not able to do is to connect to the RDS DB using the AWS SDK for Go.
It looks like the role ARN is a requirement to do so:
from the docs, link here: https://docs.aws.amazon.com/sdk-for-go/api/service/rds/rdsutils/
```go
authToken, err := rdsutils.BuildAuthToken(dbEndpoint, awsRegion, dbUser, awsCreds)
// Create the MySQL DSN string for the DB connection
// user:password@protocol(endpoint)/dbname?<params>
connectStr := fmt.Sprintf("%s:%s@tcp(%s)/%s?allowCleartextPasswords=true&tls=rds",
	dbUser, authToken, dbEndpoint, dbName,
)
// Use db to perform SQL operations on database
db, err := sql.Open("mysql", connectStr)
```
...except we'd use a Postgres connection string.
But without creating a 'long-form' CFN template and passing the roleARN as an environment variable to our lambda function we can't work out how to configure the SDK to assume the same role as the executing lambda function.
If anyone can help work this out with me I'd be very grateful!
Thanks in advance
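Added example (not part of the original post, and not the AWS SDK's own code) showing what the rdsutils call does underneath and why no role ARN is involved: the token is a SigV4 presigned request signed with whatever credentials the default chain finds, and inside Lambda those are the execution role's temporary credentials that the runtime exports as AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN, so the SDK's default session is already "the same role as the executing function". The Creds type, CredsFromEnv, PostgresDSN and the verify-full TLS setting are this example's own assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"net/url"
	"os"
	"strings"
	"time"
)

// Creds is whatever the default credential chain yields. Inside Lambda the runtime
// exports the execution role's temporary credentials as these environment variables,
// so no role ARN is needed: signing with them already means acting as that role.
type Creds struct{ AccessKey, SecretKey, SessionToken string }
func CredsFromEnv() Creds {
	return Creds{os.Getenv("AWS_ACCESS_KEY_ID"), os.Getenv("AWS_SECRET_ACCESS_KEY"), os.Getenv("AWS_SESSION_TOKEN")}
}
// BuildAuthToken reproduces what rdsutils.BuildAuthToken does: a SigV4 presigned GET
// for the rds-db "connect" action (valid 15 minutes) with the "https://" stripped.
// endpoint is host:port as the Host header is sent; user is assumed to need no escaping.
func BuildAuthToken(endpoint, region, user string, c Creds, now time.Time) string {
	mac := func(key []byte, msg string) []byte { m := hmac.New(sha256.New, key); m.Write([]byte(msg)); return m.Sum(nil) }
	hash := func(s string) string { h := sha256.Sum256([]byte(s)); return hex.EncodeToString(h[:]) }
	date, amzDate := now.UTC().Format("20060102"), now.UTC().Format("20060102T150405Z")
	scope := date + "/" + region + "/rds-db/aws4_request"
	q := url.Values{"Action": {"connect"}, "DBUser": {user}, "X-Amz-Algorithm": {"AWS4-HMAC-SHA256"},
		"X-Amz-Credential": {c.AccessKey + "/" + scope}, "X-Amz-Date": {amzDate},
		"X-Amz-Expires": {"900"}, "X-Amz-SignedHeaders": {"host"}}
	if c.SessionToken != "" { // temporary credentials (every Lambda role) carry a session token
		q.Set("X-Amz-Security-Token", c.SessionToken)
	}
	// Canonical request: method, path, sorted query, headers, signed headers, empty-body hash.
	canonical := strings.Join([]string{"GET", "/", q.Encode(), "host:" + endpoint + "\n", "host", hash("")}, "\n")
	toSign := strings.Join([]string{"AWS4-HMAC-SHA256", amzDate, scope, hash(canonical)}, "\n")
	k := mac([]byte("AWS4"+c.SecretKey), date)
	for _, s := range []string{region, "rds-db", "aws4_request"} { // derive the signing key
		k = mac(k, s)
	}
	return endpoint + "/?" + q.Encode() + "&X-Amz-Signature=" + hex.EncodeToString(mac(k, toSign))
}
// PostgresDSN puts the token in the password slot. IAM auth only works over TLS, so
// use sslmode=verify-full (RDS CA bundle via PGSSLROOTCERT) instead of a cleartext flag.
func PostgresDSN(endpoint, dbName, user, token string) string {
	u := url.URL{Scheme: "postgres", User: url.UserPassword(user, token), Host: endpoint,
		Path: "/" + dbName, RawQuery: "sslmode=verify-full"}
	return u.String()
}
```

In production keep calling rdsutils.BuildAuthToken with `session.Must(session.NewSession()).Config.Credentials` rather than this hand-rolled signer; the point is that those credentials are the execution role's, and the token (not a password) goes into the Postgres DSN over an enforced-TLS connection.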