@aws-sdk/rds-signer
RDS utility for generating a password that can be used for IAM authentication to an RDS DB.
@aws-sdk/rds-signer is an AWS SDK package that generates an authentication token for connecting to an Amazon RDS database. The token is a Signature Version 4 signature computed locally from the caller's AWS credentials; it is valid for 15 minutes and is presented to the database in place of a password, so the application needs an IAM permission (rds-db:connect for the database user) instead of a stored database password. The token itself is a credential: treat it like a password and keep it out of logs.
Generate Authentication Token
This feature generates an authentication token bound to one hostname, port and database user. The token is used in place of a password when opening a connection; because it expires 15 minutes after it is signed, generate a new one for each new connection rather than storing one in the connection configuration.
const { Signer } = require('@aws-sdk/rds-signer');

async function main() {
  // No RDS API client is needed: the token is a SigV4 signature computed locally
  // with the caller's AWS credentials (default provider chain unless overridden).
  const signer = new Signer({
    region: 'us-west-2',
    hostname: 'mydbinstance.123456789012.us-west-2.rds.amazonaws.com',
    port: 3306,
    username: 'mydbuser'
  });
  // getAuthToken() is asynchronous because credentials may have to be resolved first.
  const authToken = await signer.getAuthToken();
  // The token is a credential valid for 15 minutes: hand it to the database client
  // as the password, but do not print or log it.
  return authToken;
}

main().catch((err) => { console.error(err); process.exit(1); });
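The token the signer returns is a SigV4 presigned URL for the rds-db service with the scheme stripped off, so everything except the signature is readable. The following helper is an added example, not code from @aws-sdk/rds-signer: it parses a token offline to recover the endpoint, database user, signing key ID and expiry, checks whether a connection opened at a given moment would still be accepted, and redacts the signature so a token can be mentioned in a log line without leaking database access. The sample token is constructed here with AWS's documentation placeholder key ID and an all-zero signature, so no real instance would accept it.

```javascript
// Added example (not part of @aws-sdk/rds-signer): inspect an RDS IAM auth token offline.
// Layout: host:port/?Action=connect&DBUser=...&X-Amz-Credential=...&X-Amz-Date=...
//         &X-Amz-Expires=900&X-Amz-SignedHeaders=host&X-Amz-Signature=<hex>
// Only the signature is secret; the rest says who signed the token and when it stops working.

// Constructed sample: real layout, AWS's documentation placeholder access key ID and a fake
// all-zero signature. It would be rejected by any real RDS instance.
const SAMPLE_TOKEN =
  "rdsmysql.123456789012.us-west-2.rds.amazonaws.com:3306/?Action=connect&DBUser=jane_doe" +
  "&X-Amz-Algorithm=AWS4-HMAC-SHA256" +
  "&X-Amz-Credential=AKIAIOSFODNN7EXAMPLE%2F20240312%2Fus-west-2%2Frds-db%2Faws4_request" +
  "&X-Amz-Date=20240312T183012Z&X-Amz-Expires=900&X-Amz-SignedHeaders=host" +
  "&X-Amz-Signature=0000000000000000000000000000000000000000000000000000000000000000";

const REQUIRED_PARAMS = [
  "Action", "DBUser", "X-Amz-Credential", "X-Amz-Date", "X-Amz-Expires", "X-Amz-Signature",
];

function parseRdsAuthToken(token) {
  // Put the scheme back so the WHATWG URL parser splits host, port and query for us.
  const url = new URL("https://" + token);
  const q = url.searchParams;
  for (const name of REQUIRED_PARAMS) {
    if (!q.has(name)) throw new Error(`token is missing ${name}`);
  }
  if (q.get("Action") !== "connect") throw new Error(`unexpected Action ${q.get("Action")}`);

  // X-Amz-Date is basic ISO 8601 in UTC: YYYYMMDD'T'HHMMSS'Z'.
  const m = /^(\d{4})(\d{2})(\d{2})T(\d{2})(\d{2})(\d{2})Z$/.exec(q.get("X-Amz-Date"));
  if (!m) throw new Error("malformed X-Amz-Date");
  const issuedAt = new Date(Date.UTC(+m[1], +m[2] - 1, +m[3], +m[4], +m[5], +m[6]));
  const expiresAt = new Date(issuedAt.getTime() + Number(q.get("X-Amz-Expires")) * 1000);

  // Credential scope: <access key id>/<date>/<region>/<service>/aws4_request
  const [accessKeyId, , region, service] = q.get("X-Amz-Credential").split("/");
  if (service !== "rds-db") throw new Error(`unexpected service ${service}`);

  return {
    host: url.hostname,
    port: Number(url.port || 443),
    dbUser: q.get("DBUser"),
    accessKeyId,
    region,
    issuedAt,
    expiresAt,
  };
}

// True if a connection opened at `now` would still be accepted with this token. RDS rejects
// a token once it is older than X-Amz-Expires (900 s = 15 min); skewSeconds leaves headroom
// for clock drift between the signing host and AWS.
function isTokenUsable(token, now = new Date(), skewSeconds = 30) {
  const { issuedAt, expiresAt } = parseRdsAuthToken(token);
  const t = now.getTime();
  return t >= issuedAt.getTime() - skewSeconds * 1000 &&
         t < expiresAt.getTime() - skewSeconds * 1000;
}

// Strip the signature before a token reaches a log line. What remains (host, DB user,
// access key ID, scope) identifies the caller but cannot be used to connect.
function redactToken(token) {
  return token.replace(/X-Amz-Signature=[0-9a-f]+/i, "X-Amz-Signature=REDACTED");
}
```

A useful habit is to run a token through redactToken() before it goes anywhere near a logger, and to check isTokenUsable() when a pooled connection fails to authenticate: an expired token is by far the most common cause, and the parsed expiry makes that diagnosis a one-liner.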
The 'mysql' package is a popular Node.js client for MySQL databases. Unlike @aws-sdk/rds-signer, it does not generate authentication tokens for Amazon RDS; it focuses on a comprehensive API for interacting with MySQL databases.
The 'pg' package is a PostgreSQL client for Node.js. Like the 'mysql' package, it does not offer token generation for Amazon RDS. It provides a robust API for interacting with PostgreSQL databases, including connection pooling and query execution.
Sequelize is a promise-based Node.js ORM for several SQL databases, including MySQL, PostgreSQL and SQLite. It offers a higher-level abstraction for database interactions but no specific functionality for generating authentication tokens for Amazon RDS.
All three can consume a token from @aws-sdk/rds-signer: the token is passed as the password, the connection must use TLS (RDS requires it for IAM authentication on MySQL and MariaDB, and a token sent over an unencrypted connection is a stolen 15-minute database credential), and because the token expires the client must obtain a fresh one for each new connection instead of storing one in its configuration.
This package provides utilities for interacting with RDS.
npm install @aws-sdk/rds-signer
ES6 import
import { Signer } from "@aws-sdk/rds-signer";
Or CommonJS import
const { Signer } = require("@aws-sdk/rds-signer");
const signer = new Signer({
/**
* Required. The hostname of the database to connect to.
*/
hostname: "db.us-east-1.rds.amazonaws.com",
/**
* Required. The port number the database is listening on.
*/
port: 8000,
/**
* Required. The username to login as.
*/
username: "user1",
/**
* Optional. The AWS credentials to sign requests with. Uses the default credential provider chain if not specified.
* fromNodeCredentialProvider() stands for any SDK credential provider (for example fromNodeProviderChain() from @aws-sdk/credential-providers); omit the option to use the default chain.
*/
credentials: fromNodeCredentialProvider(),
/**
* Optional. The region the database is located in. Uses the region inferred from the runtime if omitted.
*/
region: "us-east-1",
/**
* Optional. The SHA256 hasher constructor to sign the request.
* HashCtor stands for any constructor implementing the SDK's Hash interface; omit the option to use the package default.
*/
sha256: HashCtor,
});
const token = await signer.getAuthToken();
// Use this token as the password for connecting to your RDS instance
For more details and examples, refer to the following resources. Usage is similar across DB engines.
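The comment "use this token as the password" hides the two mistakes that cause most IAM-auth outages and exposures: freezing one token into a pool configuration (every connection opened after 15 minutes fails) and disabling certificate verification because the RDS certificate chain was not installed. The following is an added example, not code from @aws-sdk/rds-signer or from node-postgres: it shows the weak configuration beside the corrected one. `signer` is any object with a getAuthToken() method (the package's Signer in production, a stub in tests), and `ca` is the RDS CA bundle in PEM form downloaded from AWS. The password-as-function behaviour relied on here is a node-postgres feature: the function is called each time a physical connection is opened.

```javascript
// Added example (not from @aws-sdk/rds-signer or node-postgres): wiring the signer into a
// pg pool so every new connection gets a freshly signed token over a verified TLS session.
// `signer` is any object exposing getAuthToken(); `ca` is the RDS CA bundle (PEM).

// Weak form: the token is fetched once and frozen into the config, and TLS is unverified.
// Connections opened after the token's 15-minute lifetime are refused, and with
// rejectUnauthorized:false anyone who can redirect the TCP session can read the token.
function staticTokenConfig({ host, port, user, database, token }) {
  return {
    host, port, user, database,
    password: token,                     // expires 15 min after signing; pool keeps using it
    ssl: { rejectUnauthorized: false },  // server certificate never checked
  };
}

// Corrected form. node-postgres accepts a function for `password` and invokes it whenever it
// opens a physical connection, so pool growth and reconnects always sign a new token.
// `ca` plus rejectUnauthorized pins the server to AWS's RDS certificate chain.
function rdsPoolConfig({ signer, host, port, user, database, ca }) {
  if (!ca) {
    throw new Error("refusing to build an RDS config without a CA bundle to verify against");
  }
  return {
    host, port, user, database,
    password: () => signer.getAuthToken(),   // fresh SigV4 token per connection
    ssl: { ca, rejectUnauthorized: true },
  };
}

// Usage against a real database. pg is loaded lazily so the config helpers above stay
// dependency-free and testable without a database.
async function runQuery(config, sql, params = []) {
  const { Pool } = await import("pg");
  const pool = new Pool(config);
  try {
    const { rows } = await pool.query(sql, params);
    return rows;
  } finally {
    await pool.end();
  }
}

// Example wiring (the Signer constructor call is the package's own API; host values are
// placeholders): runQuery(rdsPoolConfig({ signer: new Signer({ hostname, port, username }),
// host: hostname, port, user: username, database: "appdb", ca }), "select 1");
```

For MySQL and MariaDB the same token is the password, but the server accepts it only over TLS and only when the client sends it with the cleartext authentication plugin, so check that your driver supports both before choosing it over pg.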
FAQs
We found that @aws-sdk/rds-signer demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 5 open source maintainers collaborating on the project.