AWS Neptune IAM authentication

[copumpkin]

I'm looking into using this package with AWS Neptune and its IAM Authentication feature. Based on their sample code and asking around, my understanding is that for this to work, I'd need to use sigv4 to sign the initial WebSocket connection request.

It seems like the place I'd need to hook into is

gremlin-rs/gremlin-client/src/aio/connection.rs

Line 134 in 5b60055

let (client, _) = { connect_async_with_tls_connector(url, tls::connector(&opts)).await? };

, to pass an extra authentication header to tungstenite when it opens the websocket connection.

Does that all sound reasonable? It doesn't seem like the interface is flexible enough today for me to inject that in, since I'd need a Request rather than the Url that code currently passes in. I'd be happy to make a PR to add an optional feature for this if someone can confirm I'm looking in the right places.

[u382514]

You have the right idea. It would probably be as easy as adding 'custom_headers' to the options and passing that down the chain to build out a Request rather than a simple Url. We should probably change the title of this issue to "Allow Custom Headers" since sigv4 are just added headers and make the developer do the work at creating those headers outside of this package. Also this would allow any other custom header that may be needed in the future. The logic would also need to account for the synchronous workflow.

[wolf4ood]

👋 all if you agree we can close this and follow the additional headers query params on #153

[copumpkin]

I don't think it's as simple as custom headers because the content of the header (a cryptographic signature) is a function of the (hash of the) exact request being sent to the server, which gets modified fairly deep in the websocket lib. On the other hand, I have some code working that I haven't cleaned up yet for PR (and I only added it to the async pathway), but seems to be working on my Neptune instance.

[lyndonbauto]

@copumpkin custom header injection should allow you to do this. If you inspect other tinkerpop drivers like the gremlin-python driver for example support iam auth through custom header injection.