Steps taken: 1. Created the IAM user rds-user which has the rds-db:connect permissions for the cluster. ``` { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "rds-db:connect" ], "Resource": [ "arn:aws:rds-db:eu-west-1:11111111111:dbuser:example-db/rds-test" ] } ] } ``` 2. Enabled RDS IAM Authentication on the Cluster. 3. Created the rds-test user inside postgres and granted the rds_iam role. 4. Generated an AWS authentication token ``` export RDSHOST="example-db.eu-west-1.rds.amazonaws.com" export PGPASSWORD="$(aws rds generate-db-auth-token --hostname $RDSHOST --port 5432 --region us-west-1 --username rds-test)" psql "host=$RDSHOST port=5432 sslmode=verify-full sslrootcert=eu-west-1-bundle.pem dbname=postgres user=rds-test password=$PGPASSWORD" ``` Output: ``` FATAL: password authentication failed for user "rds-test" ``` The SSL certificate is not expired.

Cannot connect to RDS Postgres using the IAM Authentication

Steps taken:

Created the IAM user rds-user which has the rds-db:connect permissions for the cluster.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "rds-db:connect"
            ],
            "Resource": [
                "arn:aws:rds-db:eu-west-1:11111111111:dbuser:example-db/rds-test"
            ]
        }
    ]
}

Enabled RDS IAM Authentication on the Cluster.
Created the rds-test user inside postgres and granted the rds_iam role.
Generated an AWS authentication token

export RDSHOST="example-db.eu-west-1.rds.amazonaws.com"
export PGPASSWORD="$(aws rds generate-db-auth-token --hostname $RDSHOST --port 5432 --region us-west-1 --username rds-test)"
psql "host=$RDSHOST port=5432 sslmode=verify-full sslrootcert=eu-west-1-bundle.pem dbname=postgres user=rds-test password=$PGPASSWORD"

Output:

FATAL:  password authentication failed for user "rds-test"

The SSL certificate is not expired.

Topics

Security, Identity, & Compliance Migration & Modernization Analytics Database

Tags

AWS Identity and Access Management Amazon Relational Database Service Aurora PostgreSQL Database

Language

English

Alex

asked 25 days ago143 views

1 Answer

Newest
Most votes
Most comments

Are these answers helpful? Upvote the correct answer to help the community benefit from your knowledge.

Hello.

I recommend that you first review all troubleshooting methods in the documentation below.
https://repost.aws/knowledge-center/aurora-postgresql-connect-iam

By the way, is the ARN set in the IAM policy correct?
If you try changing the ARN to "*" and are able to connect, the ARN may be incorrect.

"arn:aws:rds-db:eu-west-1:11111111111:dbuser:example-db/rds-test"

EXPERT

Riku_Kobayashi

answered 25 days ago

EXPERT

Antonio_Lagrotteria

reviewed 25 days ago

Alex
25 days ago
Hi,

I also tried matching all DB clusters and database accounts using this ARN: "arn:aws:rds-db:us-east-2:1234567890:dbuser:/" and it resulted in the same issue, if that's what you meant.

https://repost.aws/knowledge-center/aurora-postgresql-connect-iam - It is mentioned here that my issue might be cause by trying to connect to the DB without SSL which is not the case in this situation. "If you get an error similar to the one in this example, then the client is trying to connect to the DB instance without SSL."

Riku_Kobayashi EXPERT

25 days ago

For example, try checking the connection using the following IAM policy.

{
   "Version": "2012-10-17",
   "Statement": [
      {
         "Effect": "Allow",
         "Action": [
             "rds-db:connect"
         ],
         "Resource": [
             "arn:aws:rds-db:us-west-2:123456789012:dbuser:*/rds-test"
         ]
      }
   ]
}

By the way, the "psql" command uses SSL communication by default, so I thought it might be possible to connect without "sslmode=verify-full sslrootcert=eu-west-1-bundle.pem". In other words, I think it is possible to connect using the following connection method. https://medium.com/@tizattogabriel/how-to-authenticate-to-an-aws-rds-postgresql-db-instance-using-iam-credentials-4e69b095c01c

export RDSHOST="example-db.eu-west-1.rds.amazonaws.com"
export PGPASSWORD="$(aws rds generate-db-auth-token --hostname $RDSHOST --port 5432 --region us-west-1 --username rds-test)"
psql "host=$RDSHOST port=5432 dbname=postgres user=rds-test password=$PGPASSWORD"

Riku_Kobayashi EXPERT
25 days ago
Instead of using regional certificates, why not try using a certificate bundle that includes both intermediate and root certificates for all AWS Regions? https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html#UsingWithRDS.SSL.CertificatesAllRegions https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem

Relevant content

Connecting to Postgres Amazon RDS using IAM authentication
kris
asked 2 years ago
Crawler cannot be started. Verify the permissions in the policies attached to the IAM role defined in the crawler.
bendalby82
asked a year ago
Cannot create an IAM Identity Center administrative user following the documentation
Accepted Answer
Onkel Tem
asked 9 months ago
Issue regarding the MySQL RDS IAM authentication using node.js
Karan Gupta
asked 2 years ago
How do I allow users to authenticate to an Amazon RDS for MySQL DB instance using their IAM credentials?
AWS OFFICIALUpdated a year ago
How do I troubleshoot problems while connecting to Amazon RDS for PostgreSQL or an Aurora PostgreSQL cluster using IAM authentication?
AWS OFFICIALUpdated a year ago
How can I require MFA authentication for IAM users that use the AWS CLI?
AWS OFFICIALUpdated 2 years ago
How do I connect to my Amazon RDS for PostgreSQL or Amazon Aurora PostgreSQL using IAM authentication?
AWS OFFICIALUpdated a year ago
Use IAM tags to enable fine-grained federated authentication to Redshift Serverless
EXPERT
Poulomi_DG
published a year ago
Why doesn't S3 respect the TLS settings in my IAM policy?
EXPERT
Brettski-AWS
published 2 years ago