Steps taken: 1. Created the IAM user rds-user which has the rds-db:connect permissions for the cluster. ``` { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "rds-db:connect" ], "Resource": [ "arn:aws:rds-db:eu-west-1:11111111111:dbuser:example-db/rds-test" ] } ] } ``` 2. Enabled RDS IAM Authentication on the Cluster. 3. Created the rds-test user inside postgres and granted the rds_iam role. 4. Generated an AWS authentication token ``` export RDSHOST="example-db.eu-west-1.rds.amazonaws.com" export PGPASSWORD="$(aws rds generate-db-auth-token --hostname $RDSHOST --port 5432 --region us-west-1 --username rds-test)" psql "host=$RDSHOST port=5432 sslmode=verify-full sslrootcert=eu-west-1-bundle.pem dbname=postgres user=rds-test password=$PGPASSWORD" ``` Output: ``` FATAL: password authentication failed for user "rds-test" ``` The SSL certificate is not expired.

Cannot connect to RDS Postgres using the IAM Authentication

Steps taken:

Created the IAM user rds-user which has the rds-db:connect permissions for the cluster.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "rds-db:connect"
            ],
            "Resource": [
                "arn:aws:rds-db:eu-west-1:11111111111:dbuser:example-db/rds-test"
            ]
        }
    ]
}

Enabled RDS IAM Authentication on the Cluster.
Created the rds-test user inside postgres and granted the rds_iam role.
Generated an AWS authentication token

export RDSHOST="example-db.eu-west-1.rds.amazonaws.com"
export PGPASSWORD="$(aws rds generate-db-auth-token --hostname $RDSHOST --port 5432 --region us-west-1 --username rds-test)"
psql "host=$RDSHOST port=5432 sslmode=verify-full sslrootcert=eu-west-1-bundle.pem dbname=postgres user=rds-test password=$PGPASSWORD"

Output:

FATAL:  password authentication failed for user "rds-test"

The SSL certificate is not expired.

주제

보안, 신원 및 규정 준수 마이그레이션 및 현대화 분석 데이터베이스

태그

AWS 자격 증명 및 액세스 관리 아마존 Relational Database Service 오로라 PostgreSQL 데이터베이스

언어

English

Alex

질문됨 2달 전183회 조회

1개 답변

최신
최다 투표
가장 많은 댓글

이 답변이 도움이 되었나요?커뮤니티가 여러분의 지식을 활용할 수 있도록 정답을 찬성하세요.

Hello.

I recommend that you first review all troubleshooting methods in the documentation below.
https://repost.aws/knowledge-center/aurora-postgresql-connect-iam

By the way, is the ARN set in the IAM policy correct?
If you try changing the ARN to "*" and are able to connect, the ARN may be incorrect.

"arn:aws:rds-db:eu-west-1:11111111111:dbuser:example-db/rds-test"

전문가

Riku_Kobayashi

답변함 2달 전

전문가

Antonio_Lagrotteria

검토됨 2달 전

Alex
2달 전
Hi,

I also tried matching all DB clusters and database accounts using this ARN: "arn:aws:rds-db:us-east-2:1234567890:dbuser:/" and it resulted in the same issue, if that's what you meant.

https://repost.aws/knowledge-center/aurora-postgresql-connect-iam - It is mentioned here that my issue might be cause by trying to connect to the DB without SSL which is not the case in this situation. "If you get an error similar to the one in this example, then the client is trying to connect to the DB instance without SSL."

Riku_Kobayashi 전문가

2달 전

For example, try checking the connection using the following IAM policy.

{
   "Version": "2012-10-17",
   "Statement": [
      {
         "Effect": "Allow",
         "Action": [
             "rds-db:connect"
         ],
         "Resource": [
             "arn:aws:rds-db:us-west-2:123456789012:dbuser:*/rds-test"
         ]
      }
   ]
}

By the way, the "psql" command uses SSL communication by default, so I thought it might be possible to connect without "sslmode=verify-full sslrootcert=eu-west-1-bundle.pem". In other words, I think it is possible to connect using the following connection method. https://medium.com/@tizattogabriel/how-to-authenticate-to-an-aws-rds-postgresql-db-instance-using-iam-credentials-4e69b095c01c

export RDSHOST="example-db.eu-west-1.rds.amazonaws.com"
export PGPASSWORD="$(aws rds generate-db-auth-token --hostname $RDSHOST --port 5432 --region us-west-1 --username rds-test)"
psql "host=$RDSHOST port=5432 dbname=postgres user=rds-test password=$PGPASSWORD"

Riku_Kobayashi 전문가
2달 전
Instead of using regional certificates, why not try using a certificate bundle that includes both intermediate and root certificates for all AWS Regions? https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html#UsingWithRDS.SSL.CertificatesAllRegions https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem

Cannot connect to RDS Postgres using the IAM Authentication

관련 콘텐츠