Why can't my Secrets Manager rotation function connect to an Aurora PostgreSQL database using scram-sha-256?

2 minute read

My AWS Secrets Manger rotation function can't connect to an Amazon Aurora PostgreSQL database using the scram-sha-256 algorithm.

Short description

If your database is Aurora PostgreSQL version 13 or later, the rotation function might fail to connect to the database if:

The database uses scram-sha-256 to encrypt passwords.
The rotation function uses libpq-based client's version 9 or earlier.

Important: If you set up automatic secret rotation before December 30, 2021, then your rotation function bundled an older version of libpq that doesn't support scram-sha-256.

Resolution

Follow these steps to check for database users for scram-sha-256 encryption and the rotation function libpq version.

Determine which database users use scram-sha-256 encryption

To check for users with scram-sha-256 encrypted passwords, see the AWS blog SCRAM authentication in Amazon Relational Database Service for PostgreSQL 13.

Determine what version of libpq your rotation function uses

1. Open the Lambda console.

2. In the navigation pane, choose Functions, and then select the Lambda function name that failed to rotate.

3. Choose the Code tab.

4. Choose Actions, choose Export function, and then choose Download deployment package.

5. Uncompress the zip file into the work directory.

6. Run the following Linux command in the work directory:

readelf -a libpq.so.5 | grep RUNPATH

If you see the string PostgreSQL-9.4.x, or any major version less than 10, then the rotation function doesn't support scram-sha-256.

Example output for a rotation function that doesn't support scram-sha-256:

0x000000000000001d (RUNPATH) Library runpath: [/local/p4clients/pkgbuild-a1b2c/workspace/build/PostgreSQL/PostgreSQL-9.4.x_client_only.123456.0/AL2_x86_64/DEV.STD.PTHREAD/build/private/tmp/brazil-path/build.libfarm/lib:/local/p4clients/pkgbuild-a1b2c/workspace/src/PostgreSQL/build/private/install/lib]
    * Example output for a rotation function that supports scram-sha-256:

Example output for a rotation function that supports scram-sha-256:

0x000000000000001d (RUNPATH) Library runpath: [/local/p4clients/pkgbuild-a1b2c/workspace/build/PostgreSQL/PostgreSQL-10.x_client_only.123456.0/AL2_x86_64/DEV.STD.PTHREAD/build/private/tmp/brazil-path/build.libfarm/lib:/local/p4clients/pkgbuild-a1b2c/workspace/src/PostgreSQL/build/private/install/lib]

If your database uses scram-sha-256 and the example output indicate that the rotation function doesn't support scram-sha-256, then you must recreate your rotation function.

Related information

Troubleshoot AWS Secrets Manager rotation

Topics

Security, Identity, & Compliance

Relevant content

How to Connect to Aurora PostgreSQL Database Using IAM Authentication and Node.js
Alpesh Dhori eGain
asked a year ago
Connecting Managed Grafana to Aurora PostgreSQL RDS database on a private subnet
Luis Brito
asked 2 years ago
Move RDS postgresql database to Aurora Serverless
Accepted Answer
Courtney Walker
asked 5 years ago
Issue with Amazon Aurora PostgreSQL Database Upgrade using pg_upgrade v13 to v14 or 15v
Theo Modesto
asked 3 months ago
how to Rotate secrets for aurora instance ,ysql/postgresql
AWS-User-9394462
asked 5 months ago
Why did my Secrets Manager Lambda rotation function fail with a “Database engine must be set to 'postgres'/'mysql'” error?
AWS OFFICIALUpdated 10 months ago
How can I perform a major version upgrade in my Aurora PostgreSQL-Compatible global database?
AWS OFFICIALUpdated a year ago
How can I create an Aurora PostgreSQL-Compatible global database?
AWS OFFICIALUpdated a year ago
How do I connect to my Amazon RDS for PostgreSQL or Amazon Aurora PostgreSQL using IAM authentication?
AWS OFFICIALUpdated a year ago
[Action Required] Upgrade Amazon Aurora PostgreSQL 11.13, 11.14, 11.15, 12.8, 12.10, 13.4, 13.5, and 13.6 minor versions by September 15, 2023
EXPERT
AWS-AdamLevin
published a year ago