A system using Approzium for database connection comprises these components:
- Application - Application that accesses a database and is running on a cloud platform that provides cloud IAM services. It establishes the database connection using the Approzium SDK.
- Database - The database that the service wants to connect to.
- IAM Service - IAM service provided by the cloud platform the service is using. It handles requests such as verifying the service's identity. For example, in AWS, this is called the STS.
- Secrets Manager - Secure storage where database credentials are stored. Examples include Hashicorp Vault, AWS Secrets Manager, Google Cloud Secret Manager, Azure Key Vault, and Kubernetes Secrets.
- Approzium Authenticator - Approzium service that interfaces with the Approzium SDK and with the secrets manager. This service verifies the service's identity, retrieves the credentials from the secrets manager, and calculates the authentication challenge response.
Here is the connection sequence for such a system:
- The SDK initiates connection to the database server. The initial startup sequence varies for different databases but generally includes providing the database user used by the application as well as negotiating the authentication method.
- The database server responds with an authentication challenge. Typically, the challenge includes some randomized data that is used by the client to calculate the correct response hash.
- The SDK determines the application's identity through the IAM service. This request is only done once in the lifetime of the process. The result is the specific cloud identity assigned to the application.
- The SDK sends a request to the Approzium Authenticator service. This request includes the authentication challenge received from the database, the claimed IAM identity of the application, the proof of that identity (for AWS, this is a signed GetCallerIdentity request), and the database information (including host, port, and database user).
- The Approzium Authenticator verifies the application's identity by checking the proof provided by the application with the IAM service.
- The Approzium Authenticator obtains the cleartext password for the requested database server from the secrets manager. The password is stored in the secrets manager along with a set of IAM roles allowed to access it, and the authenticator checks that the application's IAM role exists in this set before proceeding.
- The Approzium Authenticator uses the cleartext password and the authentication challenge data to calculate the authentication response hash expected by the database and sends it to the SDK.
- The Approzium SDK simply forwards the authentication response hash to the database.
After that, your connection is successfully established! 😄