Please clarify the "add rds-db:* to organization's SCP" statement towards the bottom of the article.
If you still receive an error similar to "PAM authentication failed for your user", check whether the AWS account is part of an AWS Organizations organization. If the account is part of an organization, then add rds-db:* to organization's SCP. For more information, see Creating, updating, and deleting service control policies.
Service Control Policies are meant to prevent actions, no? Even using the "create policy" interface gives you a "must be a Deny" message when attempting to create a policy with Allow for the rds-db service.
Thank you for your comment. We'll review and update the Knowledge Center article as needed.
We just ran into this issue while using the Python SQLAlchemy library. SQLAlchemy's create_engine method typically accepts a URL following a pattern like postgresql+psycopg2://{USER}:{PASS}@{ENDPOINT}/{DBNAME}. We found that the tokens returned by generate_db_auth_token include URL-sensitive characters that need to be escaped before creating the connection:
import boto3
import sqlalchemy as sa
from urllib.parse import quote_plus

# Placeholders: HOST_NAME, PORT, USER and DB_NAME are the RDS endpoint, port, IAM DB user and database name.
rds = boto3.client("rds")
token = rds.generate_db_auth_token(HOST_NAME, PORT, USER)
# The token contains '/', '?', '&', '=' and '%', so it must be percent-encoded before it goes into the URL.
token_escaped = quote_plus(token)
pg_url = f"postgresql+psycopg2://{USER}:{token_escaped}@{HOST_NAME}:{PORT}/{DB_NAME}?sslmode=require"
engine = sa.create_engine(pg_url)
conn = engine.connect()
We confirmed that the above code succeeds as-is, but fails if you use token instead of token_escaped when constructing pg_url.
See https://docs.sqlalchemy.org/en/20/core/engines.html#escaping-special-characters-such-as-signs-in-passwords. If (unlike us, at present) you are using a current version of SQLAlchemy, you can use sqlalchemy.URL to construct the URL instead of using the urllib.parse module as we did.
-- Jeff
Thank you for your comment. We'll review and update the Knowledge Center article as needed.
I am still getting FATAL: password authentication failed for user even though I am providing a CA certificate and using the sslmode=verify-full.
If you get an error similar to the one in this example, then the client is trying to connect to the DB instance without SSL.
FATAL: no pg_hba.conf entry for host "host.ip", user "<username>", database "postgres", SSL off
FATAL: password authentication failed for user "db_user_name"
IAM database authentication requires an SSL connection, and all data transmitted to and from your DB instance is encrypted. To avoid this error, make sure that the connection is using SSL. It's a best practice to use the sslmode option as verify-full and provide the certificate in the sslrootcert option in your connection string.
Thank you for your comment. We'll review and update the Knowledge Center article as needed.
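The following is an added example, not code from the Knowledge Center article or from any of the commenters. It ties together Jeff's escaping point and the article's SSL advice quoted above: it shows, offline and without boto3 or a database, why a raw IAM auth token breaks a SQLAlchemy/libpq URL, which urllib.parse escaper actually repairs it (plain quote() does not, because it leaves '/' unescaped), and how sslmode=verify-full and sslrootcert ride along in the query string. The token, host name, database name and CA bundle path are all constructed for the example; the token merely imitates the shape of what generate_db_auth_token returns (a presigned request with the scheme stripped) and will not authenticate anywhere.

```python
"""Added example: URL-escaping an RDS IAM auth token for a SQLAlchemy/libpq URL.

Not code from the Knowledge Center article or its comments. Host, database,
CA bundle path and the token itself are constructed for illustration.
"""
from urllib.parse import parse_qs, quote, quote_plus, unquote, urlencode, urlsplit

# Constructed sample token. A real token from generate_db_auth_token() is a
# presigned request with the scheme removed, so it begins with host:port/ and
# then carries a query string full of '/', '?', '&', '=' and '%'. The
# credential, date and signature below are made up.
SAMPLE_TOKEN = (
    "mydb.xxxxxxxx.us-east-1.rds.amazonaws.com:5432/?Action=connect"
    "&DBUser=app_user&X-Amz-Algorithm=AWS4-HMAC-SHA256"
    "&X-Amz-Credential=AKIAEXAMPLE%2F20240101%2Fus-east-1%2Frds-db%2Faws4_request"
    "&X-Amz-Date=20240101T000000Z&X-Amz-Expires=900&X-Amz-SignedHeaders=host"
    "&X-Amz-Signature=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
)


def build_pg_url(user, password, host, dbname, port=5432,
                 sslmode="verify-full", sslrootcert=None, escape=quote_plus):
    """Assemble a postgresql+psycopg2 URL.

    `escape` is applied to the user and password parts only. IAM auth requires
    SSL, so sslmode is always present; pass the RDS CA bundle path as
    sslrootcert when using verify-full (the path here is an assumption).
    """
    query = {"sslmode": sslmode}
    if sslrootcert:
        query["sslrootcert"] = sslrootcert
    return (f"postgresql+psycopg2://{escape(user)}:{escape(password)}"
            f"@{host}:{port}/{dbname}?{urlencode(query, safe='/')}")


def connection_params(url):
    """Parse the URL the way a URL-based driver does (RFC 3986 split, then
    percent-decode the userinfo) and return what it will actually send."""
    parts = urlsplit(url)
    return {
        "user": unquote(parts.username) if parts.username is not None else None,
        "password": unquote(parts.password) if parts.password is not None else None,
        "host": parts.hostname,
        "dbname": parts.path.lstrip("/"),
        "query": {k: v[0] for k, v in parse_qs(parts.query).items()},
    }


# Candidate ways of putting the token into the URL.
ESCAPERS = {
    "none": str,                                # paste the raw token
    "quote (default safe='/')": quote,          # escapes '?', '&', '%' but leaves '/'
    "quote_plus": quote_plus,                   # what Jeff's comment uses
    "quote(safe='')": lambda s: quote(s, safe=""),
}


def compare_escapers(token=SAMPLE_TOKEN):
    """For each escaper, report whether the driver recovers the exact token.

    With the raw token (or plain quote()) the first '/' in the token ends the
    authority part before the '@' is reached, so no password is parsed at all,
    which is exactly the 'password authentication failed' symptom.
    """
    results = {}
    for name, escape in ESCAPERS.items():
        url = build_pg_url("app_user", token, "db.example.internal", "appdb",
                           sslrootcert="/etc/ssl/rds/global-bundle.pem",
                           escape=escape)
        results[name] = connection_params(url)["password"] == token
    return results


if __name__ == "__main__":
    for name, ok in compare_escapers().items():
        print(f"{name:26s} -> {'token intact' if ok else 'password lost'}")
```

Both psycopg2/libpq and SQLAlchemy percent-decode the userinfo and query values once, so the driver ends up with the original token (including its own %2F sequences) and the server can verify the signature. On SQLAlchemy 1.4 or later the same result is obtained without manual escaping by passing the token as the password argument of sqlalchemy.URL.create, which is what the SQLAlchemy link in the comment above describes.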