allow for aws auth proxy only #15

Open
wants to merge 1 commit into
base: main

JacobJohansen

No description provided.

@mothershipper
Contributor

Hey, thanks for the PR!

Apologies if I have this wrong, but it looks like you want the server-side proxy to only accept IAM auth passwords, and to reject user supplied passwords (i.e. for non-RDS IAM auth db users)?

@mothershipper mothershipper self-requested a review January 3, 2022 20:00
@JacobJohansen
Author

JacobJohansen commented Jan 3, 2022

I'm currently bypassing the bastion box and just wanting an easy way for users to use RDS IAM authentication for developers

client (user's choice) -> local-listener -> direct to RDS instance

We're already on the VPN at this point, so adding an additional jump box doesn't gain us anything at this point in time

@mothershipper
Contributor

mothershipper commented Jan 3, 2022

Ahh, gotcha. I think I understand why this setting was placed on the upstream proxy config, but I don't think that's where we want it.

The proxy block is meant to configure the local proxy (no matter if it's in client or server mode), and upstream_proxies would be connection settings for the bastions your client is aware of. I'd lean towards moving that option to either a CLI flag:

```sh
rds-auth-proxy client --direct
```

And/or throw it into the proxy block:

```yaml
proxy:
  # The listen addr of this proxy
  listen_addr: 127.0.0.1:5433
  # If true, bypasses upstream bastion proxies, and connects directly to your RDS instances
  bypass_upstream_proxies: true
  ...
```

Open to alternative names for the setting, direct, bypass_upstream_proxies, etc. I'd just lean towards describing that it's a connection mode/setting, over something that impacts the auth behavior.
