RDS Proxy connection over IAM not working


Hi folks! Brand new to AWS here and I've run into an error I'm not sure how to tackle. I'm getting the following error when trying to authenticate with IAM and commit to an RDS database through a Postgres RDS Proxy from a Lambda: RDS Proxy supports only IAM, MD5, or SCRAM authentication.

Here's the relevant snippet of code. It runs on AWS lambda as a container image.

import os

import boto3
from sqlalchemy import URL, create_engine, event
from sqlalchemy.orm import Session

DRIVERNAME = "postgresql"
# Environment variable names below are assumed; the original only says "passed as envvar".
DB_CONNECTION_URL = os.environ["DB_CONNECTION_URL"]  # must be the RDS Proxy endpoint, not the instance
USER = os.environ["DB_USER"]
PORT = int(os.environ["DB_PORT"])
DATABASE = os.environ["DB_NAME"]
REGION = os.environ["AWS_REGION"]
CONNECT_ARGS = {"sslmode": "require"}  # the token travels as the password, so TLS is mandatory

RDS_CLIENT = boto3.client("rds", region_name=REGION)


def generate_token() -> str:
    # boto3 spells the keyword Region (capital R). The token is a presigned URL
    # that is only valid for 15 minutes.
    return RDS_CLIENT.generate_db_auth_token(
        DBHostname=DB_CONNECTION_URL, Port=PORT, DBUsername=USER, Region=REGION
    )


DB_URL = URL.create(
    drivername=DRIVERNAME,
    username=USER,
    host=DB_CONNECTION_URL,
    port=PORT,
    database=DATABASE,
)
ENGINE = create_engine(DB_URL, connect_args=CONNECT_ARGS)


@event.listens_for(ENGINE, "do_connect")
def inject_iam_token(dialect, conn_rec, cargs, cparams):
    # Mint a fresh token for every new DBAPI connection. A token generated once at
    # module import (cold start) expires after 15 minutes, while a warm Lambda keeps
    # reusing the same engine and its module-level state long after that.
    cparams["password"] = generate_token()


# Later in the code:
def post(args: dict) -> dict:
    with Session(ENGINE) as session:
        db_object = db_object_constructor("stuff")  # defined elsewhere in the application
        session.add(db_object)
        session.commit()

From some print-statement debugging, I can see the error only occurs when attempting to session.commit(). I'm using IAM authentication here with a token being requested and used as a password, and I'm pretty confident the IAM role the Lambda is using has all the right permissions (read/write from AWS Secrets Manager where the DB proxy credentials are stored, full access to RDS, RDS IAM auth, and other Lambda permissions like EC2 and whatnot). They're within the same VPC, and part of the same subnets and security groups. The user I'm trying to connect as also has the rds_iam permission as specified in the docs.

Attempting to connect to the database through the CLI of an EC2 instance in the same VPC using the same method works just fine.

Can somebody point out what I might be missing? Thanks in advance!

1 Answer

The error message you are encountering indicates that there is still an issue with the authentication method being used when your AWS Lambda function is trying to commit to the RDS database through the Postgres proxy using IAM authentication.

Here are a few things you could check and try to resolve this issue:

  1. IAM Policy and Permissions:

    • Double-check that the IAM role associated with the AWS Lambda function has the necessary permissions to authenticate using IAM to the RDS database.
    • Ensure that the rds-db:connect permission is attached to the IAM role or user.
  2. IAM Database Authentication:

    • Verify that IAM database authentication is enabled for the RDS instance. You can check this in the RDS console or by using the AWS CLI.
    • Ensure that the database user USER is created with IAM authentication. The user should be created with rds_iam role in PostgreSQL.
  3. Generate Auth Token:

    • The generate_db_auth_token method should be used correctly. Make sure that the Region parameter is named correctly; it should be region in lowercase, not Region in uppercase.
  4. SSL Mode:

    • Verify that the SSL mode require is supported by your RDS configuration and that all necessary SSL certificates are in place if required by the RDS instance.
  5. Database User and Host:

    • Ensure that the database user exists and has the proper permissions set up in the database.
    • Make sure that the host parameter DB_CONNECTION_URL is the endpoint of the RDS Proxy, not the direct RDS instance if you are connecting through the proxy.
  6. Network Configuration:

    • Since you mentioned that it works from an EC2 instance within the same VPC, ensure that the Lambda function's networking configuration is correct. Lambda needs to be set up with the appropriate VPC, subnets, and security groups to communicate with the RDS Proxy.
  7. Lambda Execution Role:

    • The execution role that Lambda uses to run your code must also have permission to access other AWS services that your code calls.
  8. Debugging:

    • You might want to add more detailed logging to your Lambda function to capture the exact point of failure. AWS X-Ray can also be helpful for tracing and debugging what happens before and during the database call.
  9. SQLAlchemy Version:

    • Ensure that the version of SQLAlchemy is compatible with the IAM authentication method you are using.
  10. RDS Proxy Settings:

    • Check that the RDS Proxy is correctly configured to handle IAM authentication. The proxy should be set up to pass through the authentication to the RDS instance.
  11. Time Synchronization:

    • Ensure that the Lambda function's environment has the correct time, as the IAM token has a short lifetime and time discrepancies can cause authentication to fail.

If after checking all the above the issue persists, you might want to enable enhanced logging for the RDS instance and the proxy to get more insights into the authentication failure.

AWS
Drew D
answered 5 months ago
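The answer's checklist hinges on three properties of the IAM token that the question's snippet glosses over: it is a SigV4-presigned URL that is bound to a specific host, port, user and region; it is only valid for 15 minutes; and it is presented as the database password, which is why TLS is required. The following is an added example (not code from the question or from Drew D's answer). It reimplements the token layout that boto3's generate_db_auth_token returns on the standard library so it runs offline with made-up keys, parses a token back to see what it was signed for, and wraps minting in a provider that refreshes before expiry instead of minting once at import. In a real Lambda, call boto3 and let the execution role supply credentials; the proxy endpoint, user and keys below are constructed sample values.

```python
"""RDS IAM auth tokens: what they bind to, why they go stale, how to check one.

Added example. The signing mirrors the token boto3's rds.generate_db_auth_token()
returns (a SigV4 query-string presign of GET https://host:port/?Action=connect&DBUser=...
for service "rds-db", with the "https://" prefix stripped). All keys and hostnames
used with it are made up.
"""
import datetime as dt
import hashlib
import hmac
import time
from urllib.parse import parse_qs, quote, urlsplit

TOKEN_LIFETIME_SECONDS = 900    # RDS and RDS Proxy reject tokens older than 15 minutes
REFRESH_MARGIN_SECONDS = 120    # re-mint well before that hard limit


def _hmac_sha256(key, msg):
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def build_iam_auth_token(host, port, user, region, access_key, secret_key,
                         now_epoch=None, session_token=None):
    """Return a presigned token for <host>:<port> as <user>, signed in <region>."""
    now = dt.datetime.fromtimestamp(
        now_epoch if now_epoch is not None else time.time(), dt.timezone.utc)
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    scope = f"{now:%Y%m%d}/{region}/rds-db/aws4_request"
    params = {
        "Action": "connect",
        "DBUser": user,
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(TOKEN_LIFETIME_SECONDS),
        "X-Amz-SignedHeaders": "host",
    }
    if session_token:  # Lambda role credentials are temporary and carry a session token
        params["X-Amz-Security-Token"] = session_token
    # Canonical query string: sorted, RFC 3986 encoded, signature not yet included.
    canonical_query = "&".join(
        f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}" for k, v in sorted(params.items()))
    # Canonical request: only the Host header is signed, and that is what binds the
    # token to one endpoint and port. A token for the instance endpoint is useless
    # at the proxy, and vice versa.
    canonical_request = "\n".join([
        "GET", "/", canonical_query,
        f"host:{host}:{port}\n", "host",
        hashlib.sha256(b"").hexdigest(),
    ])
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical_request.encode("utf-8")).hexdigest(),
    ])
    k_date = _hmac_sha256(("AWS4" + secret_key).encode("utf-8"), f"{now:%Y%m%d}")
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, "rds-db")
    k_signing = _hmac_sha256(k_service, "aws4_request")
    signature = hmac.new(k_signing, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"{host}:{port}/?{canonical_query}&X-Amz-Signature={signature}"


def token_binding(token):
    """Parse the host, port, user and region a token was signed for."""
    parts = urlsplit("https://" + token)
    query = parse_qs(parts.query)
    credential = query["X-Amz-Credential"][0]  # access_key/YYYYMMDD/region/rds-db/aws4_request
    return {"host": parts.hostname, "port": parts.port,
            "user": query["DBUser"][0], "region": credential.split("/")[2]}


def signed_for(token, host, port, user, region):
    """True only when the token was minted for exactly this endpoint, user and region."""
    return token_binding(token) == {"host": host.lower(), "port": port,
                                    "user": user, "region": region}


class TokenProvider:
    """Cache a token and re-mint it before expiry.

    Minting once at import time breaks in a warm Lambda: module state survives
    across invocations, so every connection opened after 15 minutes presents a
    dead token. Call the provider from whatever opens DBAPI connections, e.g. a
    SQLAlchemy "do_connect" listener that sets cparams["password"] = provider().
    """

    def __init__(self, mint, clock=time.time):
        self._mint, self._clock = mint, clock   # mint(now_epoch) -> token
        self._token, self._minted_at = None, 0.0

    def __call__(self):
        age = self._clock() - self._minted_at
        if self._token is None or age >= TOKEN_LIFETIME_SECONDS - REFRESH_MARGIN_SECONDS:
            self._minted_at = self._clock()
            self._token = self._mint(self._minted_at)
        return self._token
```

When a connection through the proxy fails, token_binding on the string actually handed to the driver answers the cheap questions first: was it signed for the proxy endpoint and port the client is dialling, for the database user that holds rds_iam, and in the proxy's region. Only the Host header is covered by the signature, so a host mismatch is not visible in the token text itself, which is why parsing the binding out and comparing it is more reliable than eyeballing the string.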
