
RDS PostgreSQL 17.5: IAM Auth Fails - pg_hba.conf shows `pam` instead of `iam` for `+rds_iam`

0

We're encountering an issue with IAM authentication on our RDS for PostgreSQL 17.5 instance. Connections fail with "FATAL: PAM authentication failed for user..."

Setup & Troubleshooting:

  • RDS Instance: PostgreSQL 17.5. "IAM DB authentication" is Enabled in the RDS console.
  • Database User: The target database user (e.g., my_iam_user) has been correctly granted the rds_iam role (verified via SELECT ... FROM pg_auth_members).
  • Application IAM Role (ECS Task): Has the rds-db:connect permission for the correct dbuser resource and successfully generates an IAM auth token programmatically via the AWS SDK.
  • Connection: The application uses SSL, and the token is passed as the password.

Key Finding from RDS Logs & pg_hba_file_rules:

The RDS PostgreSQL logs show the connection matches a pg_hba.conf rule that incorrectly specifies pam as the authentication method:

DETAIL: Connection matched file "/rdsdbdata/config/pg_hba.conf" line 13: "hostssl all +rds_iam all pam"

Querying SELECT * FROM pg_hba_file_rules; confirms this line (e.g., rule number 5):

type: hostssl, database: {all}, user_name: {+rds_iam}, address: all, auth_method: pam

An RDS instance reboot has been performed, but the pg_hba.conf entry remains pam and the issue persists.

Question:

  1. Why would RDS for PostgreSQL 17.5 configure pg_hba.conf to use auth_method: pam for +rds_iam users when IAM authentication is enabled?
  2. How can this pg_hba.conf entry be corrected to use auth_method: iam on a managed RDS instance so that IAM authentication can function as expected?
2 Answers
0

IAM Auth Fails – pg_hba.conf Shows pam Instead of iam for +rds_iam (PostgreSQL 17.5)

This issue is legitimate and currently emerging in AWS environments running RDS PostgreSQL 17.5. Let’s walk through what’s likely happening, why pam is appearing instead of iam, and what you can do about it.

Understanding the Issue

You correctly observed that:

SELECT * FROM pg_hba_file_rules;

…shows:

type: hostssl, user_name: +rds_iam, auth_method: pam

This is unexpected. When IAM database authentication is enabled via the RDS console, the relevant pg_hba.conf rule should list iam as the auth_method, not pam. The appearance of pam here causes authentication to fail, as seen in the log:

FATAL: PAM authentication failed for user "my_iam_user"

🧪 Root Cause (Most Likely)

This appears to be a bug or misconfiguration in AWS’s RDS PostgreSQL 17.5 image. While IAM auth works correctly in prior versions (e.g., 15.x, 16.x), the 17.5 image may contain an incorrect default or regression in the way it registers the +rds_iam mapping internally.

In managed RDS, users cannot directly edit pg_hba.conf, so if AWS injects a rule with pam, users have no way to override it.

What You Can (and Should) Do

  1. Open a Support Case: Even if you're using basic support, open a technical support case immediately and include the output of:

SELECT * FROM pg_hba_file_rules WHERE user_name LIKE '%rds_iam%';

…and mention this behavior in PostgreSQL 17.5.

This will help AWS escalate internally if it is in fact a packaging issue or regression.

  2. Use an Earlier PostgreSQL Version (if urgent): If IAM auth is critical to your application and you're blocked, you may need to temporarily fall back to PostgreSQL 16.x where the IAM auth flow works as expected. This can be done by:

  • Restoring from snapshot into a 16.x instance
  • Migrating your schema + data into a fresh 16.x cluster

Yes, this is suboptimal — but may be necessary until AWS corrects the issue upstream.

  3. Track AWS Release Notes / Changelog: Monitor this space: Amazon RDS PostgreSQL Release Notes

Look for updates that address IAM behavior in 17.x. If it's confirmed to be a regression, AWS will typically patch and release a fix within weeks.

TL;DR

  • IAM Auth Fails: pg_hba.conf uses pam instead of iam
  • IAM Enabled? Yes (console + rds_iam role confirmed)
  • Cause? Likely bug in RDS PostgreSQL 17.5 configuration
  • Fix? Await AWS patch OR downgrade to 16.x
  • Workaround? None at present due to RDS's read-only pg_hba.conf

answered 10 months ago
0

Hi,

Question: Why would RDS for PostgreSQL 17.5 configure pg_hba.conf to use auth_method: pam for +rds_iam users when IAM authentication is enabled? How can this pg_hba.conf entry be corrected to use auth_method: iam on a managed RDS instance so that IAM authentication can function as expected?

This is an implementation detail of the IAM authentication feature; setting it to pam is correct in this case. The Postgres database engine does not support an "iam" authentication method. What it does support is "pam", which allows providers to supply their own authentication module, in this case IAM.

See the Postgres documentation for details on how PAM auth works: https://www.postgresql.org/docs/current/auth-pam.html

We recommend you check out the following post to diagnose your IAM auth configurations: https://repost.aws/knowledge-center/aurora-postgresql-connect-iam

AWS
answered 10 months ago
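The AWS answer above says the pam rule is the expected one, which moves the diagnosis to the token itself. Below is an added example (not from either answer, nor AWS code) with two offline checks a practitioner can run before opening a case: confirm the matched pg_hba rule is the RDS IAM rule, and confirm the token passed as the password names the right host and database user and has not passed its 15-minute lifetime. It assumes the query-string shape boto3's rds.generate_db_auth_token() returns; the endpoint hostname and token values are constructed samples, and the matched-rule line is the DETAIL line from the question.

```python
import re
from datetime import datetime, timedelta, timezone
from typing import List, Optional
from urllib.parse import parse_qs, urlsplit

# Constructed samples: the DETAIL line quoted in the question, and a token in the
# shape boto3's rds.generate_db_auth_token() returns (host and signature made up).
SAMPLE_DETAIL = ('DETAIL: Connection matched file "/rdsdbdata/config/pg_hba.conf" '
                 'line 13: "hostssl all +rds_iam all pam"')
SAMPLE_TOKEN = ("mydb.abc123.us-east-1.rds.amazonaws.com:5432/?Action=connect"
                "&DBUser=my_iam_user&X-Amz-Algorithm=AWS4-HMAC-SHA256"
                "&X-Amz-Credential=AKIAEXAMPLE%2F20250601%2Fus-east-1%2Frds-db%2Faws4_request"
                "&X-Amz-Date=20250601T120000Z&X-Amz-Expires=900"
                "&X-Amz-SignedHeaders=host&X-Amz-Signature=deadbeef")
EXPECTED_HOST = "mydb.abc123.us-east-1.rds.amazonaws.com"
FRESH_NOW = datetime(2025, 6, 1, 12, 5, tzinfo=timezone.utc)   # 5 min after signing
STALE_NOW = datetime(2025, 6, 1, 12, 20, tzinfo=timezone.utc)  # past the 15-min lifetime

def matched_rule_is_rds_iam(detail_line: str) -> bool:
    """True when the rule quoted in the DETAIL line is the RDS IAM rule: hostssl,
    role +rds_iam, auth_method pam (PAM is how RDS plugs IAM into PostgreSQL)."""
    m = re.search(r'"([^"]*)"\s*$', detail_line)
    fields = m.group(1).split() if m else []
    # pg_hba host-type rule layout: type database user address auth_method
    return (len(fields) == 5 and fields[0] == "hostssl"
            and fields[2] == "+rds_iam" and fields[4] == "pam")

def check_iam_token(token: str, db_user: str, endpoint: str,
                    now: Optional[datetime] = None) -> List[str]:
    """Return the problems found in an IAM auth token; an empty list means the
    token targets the right host and user and has not expired."""
    problems = []
    parts = urlsplit("https://" + token)  # token carries no scheme; add one to parse
    if parts.hostname != endpoint.lower():
        problems.append(f"token host {parts.hostname!r} != endpoint {endpoint!r}")
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if q.get("DBUser") != db_user:
        problems.append(f"token is for DBUser {q.get('DBUser')!r}, not {db_user!r}")
    try:
        signed = datetime.strptime(q["X-Amz-Date"], "%Y%m%dT%H%M%SZ")
        expires = signed.replace(tzinfo=timezone.utc) + timedelta(seconds=int(q["X-Amz-Expires"]))
    except (KeyError, ValueError):
        return problems + ["X-Amz-Date/X-Amz-Expires missing or malformed"]
    if (now or datetime.now(timezone.utc)) >= expires:
        problems.append(f"token expired at {expires.isoformat()}; regenerate per connection")
    return problems

if __name__ == "__main__":
    print("matched rule is RDS IAM rule:", matched_rule_is_rds_iam(SAMPLE_DETAIL))
    print("fresh token:", check_iam_token(SAMPLE_TOKEN, "my_iam_user", EXPECTED_HOST, FRESH_NOW))
    print("stale token:", check_iam_token(SAMPLE_TOKEN, "my_iam_user", EXPECTED_HOST, STALE_NOW))
```

If both checks pass and the PAM failure persists, the remaining places to look are the rds-db:connect resource (it must name this instance's resource id and exactly this database user) and whether the client actually negotiated SSL.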
