Local Docker use AWS SSO to connect to RDS/Postgres

I'm trying to add my Postgres DB as a resource in self-hosted Retool in docker on my local machine.

I need to connect to my Postgres DB via aws sso. This "just works" with applications running on my machine locally (e.g. IntelliJ database integration, Postgres.app, etc.), but obviously the Retool container is its own machine running on my machine.

I've tried adding a volume to api in docker-compose.yml to map my local ~/.aws to the container (~/.aws:/root/.aws:ro)--confirmed this worked as I can see them when I exec the api container--and adding the following environment variables:
- AWS_CONFIG_FILE=/root/.aws/config
- AWS_SSO_SESSION=production_sso_session

I've confirmed that /root/.aws/config has the following:

[profile AWS-Access-ACCOUNT_NUMBER]
sso_session = production_sso_session
sso_account_id = [REDACTED]
sso_role_name = AWS-Access-Role
region = us-east-1
output = json
[sso-session production_sso_session]
sso_start_url = https://[REDACTED].awsapps.com/start
sso_region = us-east-1
sso_registration_scopes = sso:account:access

I execute aws sso login --profile AWS-Access-ACCOUNT_NUMBER and authenticate, then restart/rebuild the containers.

When I add a resource in, I've tried leaving the Role to assume field blank, using the fully-qualified ARN, using the role name, using the sso-session name, the profile name, etc. and I only get "The SSO session associated with this profile is invalid. To refresh this SSO session run aws sso login with the corresponding profile" in the console when I test the connection.

Has anyone managed to get a scenario like this working? I know if I use the admin password for the database it works, but that's not going to fly in this use case.

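The error in the post is what the AWS SDK reports when it cannot find a usable cached SSO token for the session named in the profile. A quick way to see whether the mounted ~/.aws actually carries a live token is to look in the cache directory from inside the container. The script below is an added example (not from the post, not Retool's or AWS's own code); it assumes the AWS CLI v2 layout in which the token for an `sso-session` is stored at `<aws_dir>/sso/cache/<sha1 of the session name>.json` with an `expiresAt` timestamp, reports whether that file is missing, unreadable, expired or valid, and never prints the token itself. The sample cache files it writes are constructed, with a placeholder in place of any real token.

```python
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sso_cache_file(aws_dir, session_name):
    """Path where AWS CLI v2 caches the token for an sso-session.

    Assumption (AWS CLI v2 behaviour as understood here): the file name is the
    hex SHA-1 of the session name, stored under <aws_dir>/sso/cache/.
    """
    digest = hashlib.sha1(session_name.encode("utf-8")).hexdigest()
    return Path(aws_dir) / "sso" / "cache" / f"{digest}.json"


def token_status(cache_path, now=None):
    """Classify a cached token as 'missing', 'unreadable', 'expired' or 'valid'.

    Only the expiry is inspected; the accessToken value is never returned or
    logged, so this is safe to run inside a container and paste into a ticket.
    """
    now = now or datetime.now(timezone.utc)
    path = Path(cache_path)
    if not path.is_file():
        return "missing"
    try:
        expires_at = json.loads(path.read_text())["expiresAt"]
    except (ValueError, KeyError, OSError):
        return "unreadable"
    # expiresAt is ISO 8601 in UTC with a trailing 'Z', e.g. 2024-05-01T12:00:00Z
    expiry = datetime.fromisoformat(expires_at.replace("Z", "+00:00"))
    return "expired" if expiry <= now else "valid"


def write_sample_cache(aws_dir, session_name, expires_at):
    """Write a constructed cache file (placeholder token) for testing offline."""
    path = sso_cache_file(aws_dir, session_name)
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(json.dumps({
        "accessToken": "PLACEHOLDER-NOT-A-REAL-TOKEN",
        "expiresAt": expires_at,
        "region": "us-east-1",
    }))
    return path


def demo():
    """Constructed scenario: one live session, one expired session, and one
    session that was never logged in. Returns the status of each."""
    now = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)  # fixed clock for the demo
    with tempfile.TemporaryDirectory() as tmp:
        write_sample_cache(tmp, "production_sso_session", "2024-05-01T20:00:00Z")
        write_sample_cache(tmp, "stale_session", "2024-04-30T20:00:00Z")
        return {
            name: token_status(sso_cache_file(tmp, name), now)
            for name in ("production_sso_session", "stale_session", "never_logged_in")
        }


if __name__ == "__main__":
    # Against a real mount inside the container you would call, for example:
    #   token_status(sso_cache_file("/root/.aws", "production_sso_session"))
    for session, status in demo().items():
        print(f"{session}: {status}")
```

If the result is `missing` inside the container but `valid` on the host, the mount or the session name does not match what the SDK is resolving; if it is `expired`, the token simply needs a fresh `aws sso login` on the host before the container is restarted.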