AWS PostgreSQL ODBC connection works in Toad, fails via ODBC System DSN and ADO (FATAL: IAM authentication failed)

0

Service/Tech: Amazon RDS for PostgreSQL + AWS ODBC Driver for PostgreSQL (ANSI x64) + Windows ODBC Data Source Administrator + ADO (VBA in 64-bit MS Office)

Summary of issue:

I can successfully connect to an AWS/RDS PostgreSQL database using Toad Data Point when pointing directly to the AWS ODBC driver (no ODBC System DSN involved). When I try to create/test a System DSN via ODBC Data Source Administrator, the connection test fails with:

"Connection to server at '<fakeservername>' failed: FATAL: The IAM authentication failed for the role <fakerole>. Check the IAM token for this role and try again."

Error text varies slightly depending on SSL Mode (disabled/prefer/require). I also attempted to connect via ADO (connection string modeled closely after what Toad generates), and it fails with the same IAM authentication error as the System DSN test.

Authentication details:

Password is an AWS-generated IAM authentication token shown as a long password (~1400-1700 characters) with a ~15-minute validity.
Token is generated by logging into AWS via browser → command prompt → running command to generate the temporary token.
In the ODBC DSN configuration I have Auth Type set to “database.”
Toad’s connection details do not show settings for Auth Type or SSL Mode.

Environment details:

Windows machine using 64-bit components:
64-bit MS Office (VBA for ADO logic)
64-bit drivers
64-bit Toad Data Point
Using AWS ODBC Driver for PostgreSQL – ANSI x64.

Troubleshooting already performed:

Verified the IAM token is being captured correctly: pulled from clipboard, displayed length and last 3 characters; wrote token to file to confirm length.
Confirmed that if I intentionally truncate the token in Toad, Toad then fails with the same IAM auth error seen in DSN/ADO (suggesting token correctness/length is relevant).
Tested different SSL Modes (disabled/prefer/require) during DSN setup; error message changes slightly but still fails with IAM auth failure.

Current hypothesis:

The issue may be related to the very long IAM token and a possible length/handling limitation in ADO and/or the ODBC System DSN test path, even though direct use via Toad works.

Request:

Assistance identifying why IAM authentication works via Toad with direct driver usage but fails via ODBC System DSN and ADO using (seemingly) equivalent parameters.

asked 2 months ago, 72 views
1 Answer
1

I think this mostly is because of limitations to the ODBC DSA GUI itself, with the password text box silently truncating when the pasted string is too long. The best way forward in general is to move from the Database auth type to IAM so that you don't need to manually generate the token in the first place.

In the AWS ODBC Driver's DSN configuration dialog:

Server: your-endpoint.rds.amazonaws.com
Port: 5432
Database: yourdb
User Name: yourrole (the IAM-mapped database role)
Password: leave blank
Auth Type: Change from Database → IAM
SSL Mode: require
Region: us-east-1 (or your actual region)

With AuthType=IAM, the driver itself calls the AWS SDK to generate the authentication token at connect time. The token never passes through the DSA's password field, so there's no truncation. The driver uses whatever AWS credentials are available on the machine:

%USERPROFILE%\.aws\credentials file (from aws configure)
Environment variables (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, optionally AWS_SESSION_TOKEN)
EC2/ECS instance profile (if running on AWS)
AWS
answered 2 months ago
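
The question checks the token by its length and last three characters, and the answer suspects silent truncation in the password field. As an added example (not part of the original question or answer, and not AWS code), the Python function below inspects a token's structure instead, reporting truncation, clipboard whitespace and expiry without echoing any token contents. It assumes the token has the SigV4 presigned form `host:port/?Action=connect&...&X-Amz-Signature=<64 hex chars>`; the name `check_iam_token` and the sample token are constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs

REQUIRED = ("Action", "DBUser", "X-Amz-Algorithm", "X-Amz-Credential",
            "X-Amz-Date", "X-Amz-Expires", "X-Amz-SignedHeaders", "X-Amz-Signature")

# Constructed sample token: fake host, role, key id and signature; not a real credential.
SAMPLE = ("db.example.invalid:5432/?Action=connect&DBUser=app_role"
          "&X-Amz-Algorithm=AWS4-HMAC-SHA256"
          "&X-Amz-Credential=AKIAEXAMPLE%2F20240101%2Fus-east-1%2Frds-db%2Faws4_request"
          "&X-Amz-Date=20240101T120000Z&X-Amz-Expires=900&X-Amz-SignedHeaders=host"
          "&X-Amz-Signature=" + "ab" * 32)

def check_iam_token(token, now=None):
    """Return a list of problems found in an RDS IAM auth token (empty list = intact).
    Only field names and lengths are reported, so the output is safe to log."""
    now = now or datetime.now(timezone.utc)
    problems = []
    if token != token.strip():
        problems.append("leading/trailing whitespace (clipboard artifact)")
    endpoint, sep, query = token.strip().partition("/?")
    if not sep or ":" not in endpoint:
        return problems + ["not of the form host:port/?query"]
    params = {k: v[0] for k, v in parse_qs(query).items()}
    missing = [k for k in REQUIRED if k not in params]
    if missing:
        problems.append("missing fields (token cut short?): " + ", ".join(missing))
    sig = params.get("X-Amz-Signature")
    if sig is not None and not re.fullmatch(r"[0-9a-f]{64}", sig):
        problems.append(f"signature is {len(sig)} chars, expected 64 hex (truncated?)")
    try:
        issued = datetime.strptime(params["X-Amz-Date"], "%Y%m%dT%H%M%SZ")
        expiry = issued.replace(tzinfo=timezone.utc) + timedelta(seconds=int(params["X-Amz-Expires"]))
        if now > expiry:
            problems.append("token has expired")
    except KeyError:
        pass  # already reported as a missing field above
    except ValueError:
        problems.append("X-Amz-Date or X-Amz-Expires is malformed")
    return problems

if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, 12, 5, tzinfo=timezone.utc)  # 5 minutes after issue
    print(check_iam_token(SAMPLE, t0))        # intact token
    print(check_iam_token(SAMPLE[:-10], t0))  # tail cut off, as a length-limited field would do
```

Running the same check on the value read back from the DSN or ADO path, rather than on the clipboard copy, shows whether that path altered the token.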