Why can't my Secrets Manager rotation function connect to an Aurora PostgreSQL database using scram-sha-256?

2 minute read

My AWS Secrets Manger rotation function can't connect to an Amazon Aurora PostgreSQL database using the scram-sha-256 algorithm.

Short description

If your database is Aurora PostgreSQL version 13 or later, the rotation function might fail to connect to the database if:

  • The database uses scram-sha-256 to encrypt passwords.
  • The rotation function uses libpq-based client's version 9 or earlier.

Important: If you set up automatic secret rotation before December 30, 2021, then your rotation function bundled an older version of libpq that doesn't support scram-sha-256.


Follow these steps to check for database users for scram-sha-256 encryption and the rotation function libpq version.

Determine which database users use scram-sha-256 encryption

To check for users with scram-sha-256 encrypted passwords, see the AWS blog SCRAM authentication in Amazon Relational Database Service for PostgreSQL 13.

Determine what version of libpq your rotation function uses

1.    Open the Lambda console.

2.    In the navigation pane, choose Functions, and then select the Lambda function name that failed to rotate.

3.    Choose the Code tab.

4.    Choose Actions, choose Export function, and then choose Download deployment package.

5.    Uncompress the zip file into the work directory.

6.    Run the following Linux command in the work directory:

readelf -a libpq.so.5 | grep RUNPATH

If you see the string PostgreSQL-9.4.x, or any major version less than 10, then the rotation function doesn't support scram-sha-256.

Example output for a rotation function that doesn't support scram-sha-256:

0x000000000000001d (RUNPATH) Library runpath: [/local/p4clients/pkgbuild-a1b2c/workspace/build/PostgreSQL/PostgreSQL-9.4.x_client_only.123456.0/AL2_x86_64/DEV.STD.PTHREAD/build/private/tmp/brazil-path/build.libfarm/lib:/local/p4clients/pkgbuild-a1b2c/workspace/src/PostgreSQL/build/private/install/lib]
    * Example output for a rotation function that supports scram-sha-256:

Example output for a rotation function that supports scram-sha-256:

0x000000000000001d (RUNPATH) Library runpath: [/local/p4clients/pkgbuild-a1b2c/workspace/build/PostgreSQL/PostgreSQL-10.x_client_only.123456.0/AL2_x86_64/DEV.STD.PTHREAD/build/private/tmp/brazil-path/build.libfarm/lib:/local/p4clients/pkgbuild-a1b2c/workspace/src/PostgreSQL/build/private/install/lib]

If your database uses scram-sha-256 and the example output indicate that the rotation function doesn't support scram-sha-256, then you must recreate your rotation function.

Related information

Troubleshoot AWS Secrets Manager rotation

AWS OFFICIALUpdated 10 months ago