rdsauthproxy in RDS responding with Connection refused


Context: I'm running into this problem on PostgreSQL running on both Aurora Serverless V2 and PostgreSQL running on RDS. The PostgreSQL database running on RDS is a db.t4g.xlarge. I am using IAM auth to authenticate to PostgreSQL.

Problem: In my CloudWatch logs, I see that PostgreSQL reloads the configuration files after receiving a SIGHUP. This causes a bunch of requests to the rdsauthproxy service that is running on 127.0.0.1 at port 1108. There are about 30 lines that look like this, all at the exact same time down to the second:

*   Trying 127.0.0.1:1108...
* Connected to rdsauthproxy (127.0.0.1) port 1108
> POST /authenticateRequest HTTP/1.1
Host: rdsauthproxy:1108
Accept: */*
Content-Length: 2070
Content-Type: multipart/form-data; boundary=------------------------xxxxxxxxxxxxxxxx
* We are completely uploaded and fine
< HTTP/1.1 200 OK
< Content-Type: text/html;charset=utf-8
< Content-Length: 0

Then, at random, I see these lines in the logs:

*   Trying 127.0.0.1:1108...
* connect to 127.0.0.1 port 1108 failed: Connection refused
* Failed to connect to rdsauthproxy port 1108 after 0 ms: Couldn't connect to server
* Closing connection

Afterwards I see a bunch of these lines:

LOG: pam_authenticate failed: Permission denied
FATAL: PAM authentication failed for user "database_user"
DETAIL:  Connection matched pg_hba.conf line 14: "hostssl    all             +rds_iam             all            pam"

These failures continue for a few minutes and then I start seeing connections to rdsauthproxy again. I've checked my CloudWatch metrics for CPUUtilization, DatabaseConnections, FreeableMemory, DBLoad, and everything seems fine to me. The CPUUtilization is at 15% and there are only a max of 10 DatabaseConnections. It seems to me that rdsauthproxy is going down for a certain period of time, is unable to accept requests, and then comes back up. I'd like to know why this is happening. This issue is not isolated to RDS; it is also happening for my databases that are running on Aurora Serverless V2. For Aurora Serverless V2, rdsauthproxy is running on a different IP, not 127.0.0.1.

Thanks for all the help.
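To triage the pattern described in the question (a "Connection refused" from rdsauthproxy followed by a run of PAM failures until the proxy accepts connections again), here is an added example that is not part of the original post: a small log scanner that turns the CloudWatch lines into outage windows, counting the PAM failures that fall inside a window separately from those that fall outside one. The sample log below is constructed; it uses the line shapes shown in the question prefixed with the `%t:%r:%u@%d:[%p]:` log_line_prefix that RDS PostgreSQL writes, which is an assumption about the asker's log format.

```python
import re
from datetime import datetime

# Constructed sample log (not from the original post). Timestamps and the
# "%t:%r:%u@%d:[%p]:" prefix are assumed; the message texts are the ones the
# question shows.
SAMPLE_LOG = """\
2024-05-01 10:00:00 UTC::@:[1001]:LOG:  * Connected to rdsauthproxy (127.0.0.1) port 1108
2024-05-01 10:04:10 UTC::@:[1002]:LOG:  * connect to 127.0.0.1 port 1108 failed: Connection refused
2024-05-01 10:04:10 UTC:10.0.1.7(51234):database_user@appdb:[1002]:LOG:  pam_authenticate failed: Permission denied
2024-05-01 10:04:10 UTC:10.0.1.7(51234):database_user@appdb:[1002]:FATAL:  PAM authentication failed for user "database_user"
2024-05-01 10:05:41 UTC:10.0.1.7(51240):database_user@appdb:[1003]:FATAL:  PAM authentication failed for user "database_user"
2024-05-01 10:07:02 UTC::@:[1004]:LOG:  * Connected to rdsauthproxy (127.0.0.1) port 1108
2024-05-01 10:31:15 UTC:10.0.1.7(51300):database_user@appdb:[1005]:FATAL:  PAM authentication failed for user "database_user"
"""

# Matches "<timestamp> UTC:<remote>:<user@db>:[<pid>]:<LEVEL>:  <message>".
# The remote field is assumed to carry no colon (IPv4 only).
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) UTC:"
    r"(?P<remote>[^:]*):(?P<userdb>[^:]*):\[(?P<pid>\d+)\]:"
    r"(?P<level>[A-Z]+):\s*(?P<msg>.*)$"
)


def summarize_rdsauthproxy_outages(log_text: str) -> dict:
    """Group log lines into proxy outage windows.

    A window opens at a 'Connection refused' toward rdsauthproxy and closes at the
    next successful 'Connected to rdsauthproxy'. PAM failures inside a window are
    attributed to the proxy being unreachable; PAM failures outside any window are
    reported separately, since the proxy was reachable and the token or IAM policy
    is the more likely cause.
    """
    outages = []
    stray_pam_failures = []
    current = None
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # unrelated or differently formatted line
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        msg = m["msg"]
        if "Connection refused" in msg:
            if current is None:
                current = {"start": ts, "end": None, "pam_failures": 0}
        elif "PAM authentication failed" in msg:
            if current is not None:
                current["pam_failures"] += 1
            else:
                stray_pam_failures.append(ts)
        elif "Connected to rdsauthproxy" in msg and current is not None:
            current["end"] = ts
            current["duration_seconds"] = int((ts - current["start"]).total_seconds())
            outages.append(current)
            current = None
    if current is not None:  # log ended while the proxy was still refusing
        outages.append(current)
    return {"outages": outages, "stray_pam_failures": stray_pam_failures}


if __name__ == "__main__":
    for o in summarize_rdsauthproxy_outages(SAMPLE_LOG)["outages"]:
        print(o)
```

On the constructed sample this reports one window from 10:04:10 to 10:07:02 (172 seconds) containing two PAM failures, and one PAM failure at 10:31:15 with the proxy up, which is the case the answer below addresses. Run over real CloudWatch exports, the window durations are what to put in a support case, and the stray count is what to check against your application's token-refresh behaviour.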

1 Answer

I found this information in the AWS documentation:

After you generate an authentication token, it's valid for 15 minutes before it expires. If you try to connect using an expired token, the connection request is denied.

If your application doesn't regenerate the authentication token when accessing the database, consider modifying it to do so.

Sean
answered a month ago
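The token-handling pattern the answer points to, as an added example that is not the asker's code or the answerer's: cache the IAM auth token, regenerate it before the documented 15-minute lifetime ends, and when a connection attempt fails transiently (the "Connection refused" and "PAM authentication failed" lines in the question), discard the cached token and retry with backoff. The real token source is boto3's generate_db_auth_token and the real driver call is psycopg2.connect; both are wrapped in factory functions with placeholder parameters and are only imported when called, so the example runs offline. TransientConnectError is a stand-in for the driver's OperationalError, which is an assumption about how the driver surfaces these failures.

```python
import time
from typing import Callable, Optional

TOKEN_TTL_SECONDS = 15 * 60      # lifetime of an RDS IAM auth token per the AWS docs
REFRESH_MARGIN_SECONDS = 60      # regenerate this long before the token would expire


class AuthTokenCache:
    """Caches an RDS IAM auth token and regenerates it before the 15-minute expiry.

    `generate` returns a fresh token string; in production that is boto3's
    generate_db_auth_token (see boto3_token_source). `clock` is injectable so
    the expiry logic can be exercised without waiting 15 minutes.
    """

    def __init__(self, generate: Callable[[], str], clock: Callable[[], float] = time.time,
                 ttl: int = TOKEN_TTL_SECONDS, margin: int = REFRESH_MARGIN_SECONDS):
        self._generate = generate
        self._clock = clock
        self._ttl = ttl
        self._margin = margin
        self._token: Optional[str] = None
        self._issued_at = 0.0

    def get(self) -> str:
        now = self._clock()
        if self._token is None or now - self._issued_at >= self._ttl - self._margin:
            self._token = self._generate()
            self._issued_at = now
        return self._token

    def invalidate(self) -> None:
        """Drop the cached token so the next get() regenerates it."""
        self._token = None


class TransientConnectError(Exception):
    """Stand-in for the driver's error (psycopg2.OperationalError in practice) raised
    on 'Connection refused' or 'PAM authentication failed' (assumption)."""


def connect_with_retry(cache: AuthTokenCache, connect: Callable[[str], object],
                       attempts: int = 5, base_delay: float = 0.5,
                       sleep: Callable[[float], None] = time.sleep):
    """Call connect(token); on a transient failure drop the cached token (it may
    have expired) and retry with exponential backoff. Re-raises the last error
    once the attempts are exhausted."""
    last: Optional[Exception] = None
    for i in range(attempts):
        try:
            return connect(cache.get())
        except TransientConnectError as exc:
            last = exc
            cache.invalidate()
            if i < attempts - 1:
                sleep(base_delay * (2 ** i))
    assert last is not None
    raise last


def boto3_token_source(host: str, port: int, user: str, region: str) -> Callable[[], str]:
    """Production token source using boto3 (imported lazily so this module loads
    without boto3 installed). host/port/user/region are placeholder parameters."""
    def generate() -> str:
        import boto3
        rds = boto3.client("rds", region_name=region)
        return rds.generate_db_auth_token(DBHostname=host, Port=port,
                                          DBUsername=user, Region=region)
    return generate


def psycopg2_connector(host: str, port: int, user: str, dbname: str) -> Callable[[str], object]:
    """Production connector: the IAM token is passed as the password and TLS is
    mandatory, because the pg_hba.conf rule quoted in the question is a
    'hostssl ... +rds_iam ... pam' line. Parameters are placeholders."""
    def connect(token: str):
        import psycopg2
        try:
            return psycopg2.connect(host=host, port=port, user=user, dbname=dbname,
                                    password=token, sslmode="require", connect_timeout=5)
        except psycopg2.OperationalError as exc:
            raise TransientConnectError(str(exc)) from exc
    return connect
```

Refreshing one minute early avoids presenting a token that expires in flight, and invalidating on failure means a connection made right after the proxy recovers never reuses a token that aged out during the outage. The retry does not fix the proxy being unavailable; it only keeps the application from failing hard on the first refused connection and from blaming an expired token for what the question's logs show as a proxy outage.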
