Unanswered Questions tagged with Amazon Relational Database Service


PostgreSQL Connection to RDS from external server - Connection errors but works from other sources

I have a Lambda Python function connecting via psycopg2 to a PostgreSQL DB instance running on RDS. The Lambda connects absolutely fine (Lambda and RDS are both in the EU-West-2 region). I can also connect to the PostgreSQL instance via pgAdmin 4 from a local development system, and other developers can also access it from other locations/IPs via pgAdmin with no problem. I can also run a simple psycopg2 connect-and-query script from my local desktop here. Therefore I know RDS is accepting and responding to externally sourced psycopg2 connections and queries.

HOWEVER, when I upload the same simple connect script to my web server (OVH, based in France, if of any relevance), running equivalent Python and psycopg2 etc., the connection fails with the standard psycopg2 error response from Python:

```
Error raised: connection to server at "xxxxxxxx.yyyyyyyyyy.eu-west-2.rds.amazonaws.com" (ppp.qqq.rrr.ssss), port 5432 failed: Connection refused
Is the server running on that host and accepting TCP/IP connections?
```

I've tweaked the Security Group settings to permit anything from anywhere etc. and still no joy. PostgreSQL in RDS seems to be listening on `*`, which seems necessary to permit connections under certain circumstances.

What is the subtlety in the differing sources that means such a connection from the OVH web server won't work? I can't find anything in the docs that seems to link to this issue, and there's nothing obviously misconfigured on the server side. Any responses gratefully received.
0 answers | 0 votes | 9 views | asked 20 hours ago
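The post above reports psycopg2's generic "Connection refused" from one host while other hosts connect fine. Before touching the database side again, it is worth separating the transport layer from the driver: a security group or network ACL that does not allow the source does not refuse, it silently drops the SYN and the client times out; an active refusal (TCP RST) comes from something that answered, typically a host firewall or outbound filter on or near the connecting machine, or a resolver handing back a different address. The probe below is an added example, not code from the post; it resolves the name, attempts one TCP connect and classifies the outcome by errno, so it can be run unchanged from the OVH host and from a desktop and the two results compared (the resolved IP is printed for the same reason). The `start_local_listener` and `unused_local_port` helpers only exist so the classification can be exercised offline against loopback.

```python
"""Added example, not from the post: classify why a TCP connect to host:port
fails, so psycopg2's generic "Connection refused" can be told apart from the
silent drop a security group or network ACL produces.

Host and port arguments are placeholders supplied on the command line; nothing
here is specific to RDS.
"""

import errno
import socket
import sys


def probe_tcp(host, port, timeout=5.0):
    """Return (verdict, resolved_ip) for one TCP connection attempt.

    verdict is one of:
      "open"         handshake completed: host reachable and something listens
      "refused"      RST came back: the destination, or a firewall/NAT on the
                     path, actively rejected the SYN. A security group that
                     does not allow the source does NOT do this; it drops.
      "timeout"      no answer within `timeout`: the usual signature of a
                     security group / NACL / stateful firewall dropping the SYN
      "unreachable"  ICMP unreachable or no route from this host
      "dns_error"    the name did not resolve at all
    """
    try:
        addrinfo = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return "dns_error", None
    family, socktype, proto, _, sockaddr = addrinfo[0]
    ip = sockaddr[0]
    s = socket.socket(family, socktype, proto)
    s.settimeout(timeout)
    try:
        s.connect(sockaddr)
        return "open", ip
    except socket.timeout:
        return "timeout", ip
    except OSError as e:
        if e.errno == errno.ECONNREFUSED:
            return "refused", ip
        if e.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable", ip
        raise
    finally:
        s.close()


def start_local_listener():
    """Bind an ephemeral loopback port and listen; returns (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


def unused_local_port():
    """Grab and immediately release an ephemeral port, so nothing listens on it."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


if __name__ == "__main__":
    # From the failing host:  python3 probe.py <rds-endpoint> 5432
    target_host, target_port = sys.argv[1], int(sys.argv[2])
    verdict, ip = probe_tcp(target_host, target_port)
    print(f"{target_host} -> {ip}: {verdict}")
```

If the OVH host reports "refused" where the desktop reports "open" for the same resolved IP, the cause sits on the OVH side of the path, not in the security group, and the "anything from anywhere" rule added while debugging should be reverted to the single public IP of the OVH server (plus the Lambda's path) as soon as the probe has been run: an RDS endpoint with port 5432 open to the world is exposure with no diagnostic value.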

Invalid certificate for AWS RDS in ap-east-1

# Issue

Hi. I created an AWS RDS Postgres database in the ap-east-1 (Hong Kong) region and tried connecting to the database from my Java app with the following configuration:

```
jdbc:postgresql://${database-hostname}:${database-port}/${database-name}?ssl=true&sslmode=verify-full&sslrootcert=${AWS_RDS_CERT_PATH}/${AWS_RDS_CERT_NAME}
```

But I got the error: `unable to find valid certification path to requested target`

# Investigation

Then I tried to fetch the certificate from my newly created RDS instance with OpenSSL version `1.1.1f` using the following command:

```
echo "" | openssl s_client -starttls postgres -connect $DB_HOSTNAME:5432 -showcerts -prexit 2>/dev/null | sed -n -e '/BEGIN\ CERTIFICATE/,/END\ CERTIFICATE/ p' > certificate.pem
```

[certificate.pem](https://www.amazon.com/clouddrive/share/iXXIxJe9fyGjpkwF7ykqq7pszqgbyCahRe4RZbjRnFT)

Next, I downloaded the Asia Pacific (Hong Kong) [PEM certificate](https://www.amazon.com/clouddrive/share/Yiid38jeib4WcnePsYG2mg169QGsud8HoR33KjZ34GC) from the [AWS Documentation page](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html) and tried to verify the RDS certificate using the following command:

```
openssl verify -verbose -x509_strict -CAfile $AWS_RDS_CA_PEM certificate.pem
```

where the `AWS_RDS_CA_PEM` environment variable contains the path to the AWS certificate. I got the following result:

```
CN = database-1.cmr1eqjbhlka.ap-east-1.rds.amazonaws.com, OU = RDS, O = Amazon.com, L = Seattle, ST = Washington, C = US
error 20 at 0 depth lookup: unable to get local issuer certificate
error certificate.pem: verification failed
```

So maybe it happens because the AWS RDS servers are compromised and someone is trying to implement a [MITM attack](https://en.wikipedia.org/wiki/Man-in-the-middle_attack). Then I tried to get the AWS CA certificate information by issuing the following command: `openssl x509 -in $AWS_RDS_CA_PEM -noout -text`. The result shows a strange validity:

```
...
Validity
    Not Before: May 25 21:30:33 2021 GMT
    Not After : May 25 22:30:33 2061 GMT
...
```

I checked the certificate information using an AWS CLI command and got the following result:

![AWS CLI certificate result](/media/postImages/original/IMDnoyySPJQDqp0hR6QxOp4g)

Could you please let me know whether the AWS RDS `ap-east-1` servers are compromised, or if it is just an issue on the AWS Documentation page? Or is it both?

**Update**: the AWS RDS instance shows that it uses `rds-ca-rsa2048-g1` for the certificate authority. I already tried [certificates from amazonaws.cn](https://docs.amazonaws.cn/en_us/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html) but nothing works for me. How can I be sure that the AWS RDS connection is not compromised? I can export certificates from AWS RDS and my programs can connect to AWS RDS, but it would violate the whole idea of having certificates for a TLS connection.
0 answers | 0 votes | 31 views | asked 20 days ago
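The `openssl verify` result quoted in the post deserves a closer read before concluding anything about the server. Two mechanics of that command matter: `openssl verify FILE` checks only the first certificate in FILE, so when `-showcerts | sed` has concatenated every certificate the server sent (leaf first, then its intermediates) only the leaf is examined; and `-CAfile` holds trusted anchors, not intermediates, which must be supplied separately with `-untrusted`. "error 20 at 0 depth lookup: unable to get local issuer certificate" says that the issuer of the certificate at depth 0, the leaf, could not be found among the anchors, which is exactly what a leaf signed by an intermediate produces when only a root is available. The script below is an added example, not from the post or from AWS: it builds a throwaway root, intermediate and leaf with openssl (all names are made up), reproduces the failure, then shows the invocation that completes the path. Run the same two commands against the real `certificate.pem` and CA download; if the second form verifies, the chain is intact and the question becomes only whether the downloaded file is the right anchor for `rds-ca-rsa2048-g1`.

```sh
#!/bin/sh
# Added example, not from the post: build a root -> intermediate -> leaf chain
# locally, then reproduce "error 20 at 0 depth lookup: unable to get local
# issuer certificate" and the verify invocation that resolves it.
# "Example Root CA", "Example Intermediate CA" and the database-1.example...
# hostname are invented for the demonstration.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# 1. Root CA (stands in for the CA file downloaded from the AWS docs).
openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.pem \
    -subj "/CN=Example Root CA" -days 30 >/dev/null 2>&1

# 2. Intermediate CA signed by the root.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > int.ext
openssl req -newkey rsa:2048 -nodes -keyout int.key -out int.csr \
    -subj "/CN=Example Intermediate CA" >/dev/null 2>&1
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -out int.pem -days 30 -extfile int.ext >/dev/null 2>&1

# 3. Server (leaf) certificate signed by the intermediate.
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:database-1.example.rds.amazonaws.com\n' > leaf.ext
openssl req -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
    -subj "/CN=database-1.example.rds.amazonaws.com" >/dev/null 2>&1
openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
    -out leaf.pem -days 30 -extfile leaf.ext >/dev/null 2>&1

# What `openssl s_client -showcerts | sed ...` captures: every certificate the
# server sent, leaf first, concatenated into one file.
cat leaf.pem int.pem > certificate.pem

# `openssl verify FILE` checks only the FIRST certificate in FILE. With just the
# root in -CAfile nothing links leaf to root: error 20 at depth 0.
verify_root_only() {
    openssl verify -CAfile root.pem certificate.pem >/dev/null 2>&1
}

# Split the captured chain and hand the non-root certificates to -untrusted so
# the path leaf -> intermediate -> trusted root can be built.
verify_with_intermediates() {
    awk '/BEGIN CERTIFICATE/ { n++ } { print > ("cert" n ".pem") }' certificate.pem
    openssl verify -CAfile root.pem -untrusted cert2.pem cert1.pem >/dev/null 2>&1
}

# The depth in the error names whose issuer is missing: depth 0 is the leaf's
# issuer (an intermediate you did not supply), a higher depth would mean the
# intermediate was found but its own issuer is not among the trusted anchors.
if verify_root_only; then
    echo "unexpected: leaf verified against the root alone"
else
    echo "root only: verification failed (expected: missing intermediate)"
fi
verify_with_intermediates && echo "with -untrusted intermediate: OK"
```

The JDBC `sslrootcert` parameter has the same requirement in the other direction: the file it points at must contain the anchor that terminates the chain the server actually sends, and a single regional certificate is only sufficient if it is that anchor.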

Can RDS Proxy support RLS patterns, with many sets of DB credentials dynamically added? Are there alternatives to this pattern for multi-tenant setups / SaaS architectures?

_tl;dr;_ I want to create a separate DB user account for each tenant in a SaaS, to support a multi-tenant setup for a PostgreSQL DB using Row Level Security (RLS). It seems this isn't possible or practical with RDS Proxy because the SDK doesn't allow for easy management of secrets/credentials associated with RDS Proxy. What am I missing? How can I achieve a multi-tenant RLS setup with RDS Proxy and PostgreSQL RLS?

I'm trying to create a SaaS with a multi-tenant DB setup on RDS Aurora Postgres. **Each tenant in the database === a DB account** (see: https://aws.amazon.com/blogs/database/multi-tenant-data-isolation-with-postgresql-row-level-security/). This was going fairly well when I was in the PoC stage, because I ignorantly put off storing DB secrets in Secrets Manager and just had a few sample accounts set up to test things out.

That said, I've recently realized that with RDS Proxy you need to actually add each database credential to the proxy in order to be able to use that credential through the proxy... and that's not something that happens instantly; it can take an unknown amount of time for RDS Proxy to be updated, and frankly I'm not sure how well this would scale, adding potentially hundreds or even thousands of credentials to RDS Proxy.

I had hoped/thought _maybe_ that using "IAM Authentication" would solve the issue, but although it doesn't seem super well documented/clear (at least not through the AWS console), I _think_ IAM Authentication doesn't do anything for us unless we're using SQL Server:

> IAM Authentication. Choose whether to require, allow, or disallow IAM authentication for connections to your proxy. **The allow option is only valid for proxies for RDS for SQL Server**. The choice of IAM authentication or native database authentication applies to all DB users that access this proxy.

https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/rds-proxy-setup.html

If I'm misunderstanding something here I'd love to know, and would really appreciate any advice. I feel like I'm fighting a losing battle with my current approach and would love to know if there is something I'm missing that would salvage things! If not, then I'm left with either:

1. Figuring out how to programmatically add secrets/users to the DB Proxy. I think https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/clients/client-rds/interfaces/modifydbproxyrequest.html#auth is perhaps _a_ mechanism I could use, but again it doesn't feel like it was really built for this: each time a user registered, it looks like I'd have to basically update the entire proxy; I can't "just" add a single user.
2. Switching away from the "each user in the SaaS has a separate DB user" approach to something else, essentially putting the onus of security back on the application layer (which was my entire reason for using RLS originally).
3. ??

Note that [the AWS documentation on RDS Proxy and adding database users](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/rds-proxy-managing.html#rds-proxy-new-db-user) of course says that you can certainly add DB users; this I know. **The issue is adding users at scale, dynamically, via the SDK.** It just doesn't feel like RDS Proxy is designed for this (for understandable reasons, I might add; I realize there is probably a fair amount of complexity hidden in RDS Proxy).
0 answers | 0 votes | 15 views | asked a month ago
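The third option the post leaves open is the one most RLS deployments behind a connection pooler use: a single application login role, registered once with RDS Proxy and Secrets Manager, with the tenant selected per transaction through a session setting that the policy reads. The SQL below is an added example, not code from the post or from the AWS blog it links; the table, role and tenant UUIDs are assumptions. The policy fails closed (no setting means no rows) and `SET LOCAL` ties the tenant to the transaction so a connection handed back to the pool carries nothing over.

```sql
-- Added example (not from the post or the AWS blog it cites): one login role
-- shared by all tenants, tenant chosen per transaction through a session
-- setting the RLS policy reads. Table, role and UUIDs are invented.

-- One credential to register with RDS Proxy / Secrets Manager.
-- NOBYPASSRLS is the default; spelled out because a role with BYPASSRLS, or
-- the table owner without FORCE below, would see every tenant's rows.
CREATE ROLE app_user LOGIN NOBYPASSRLS PASSWORD 'replace-me';

CREATE TABLE invoices (
    id        bigserial     PRIMARY KEY,
    tenant_id uuid          NOT NULL,
    amount    numeric(12,2) NOT NULL
);

ALTER TABLE invoices ENABLE ROW LEVEL SECURITY;
ALTER TABLE invoices FORCE  ROW LEVEL SECURITY;

-- current_setting(name, missing_ok => true) yields NULL when nothing was set,
-- and "tenant_id = NULL" is never true, so a session that forgot to set the
-- tenant reads and writes nothing rather than everything (fail closed).
-- A malformed value fails the ::uuid cast, which is also an error, not a bypass.
CREATE POLICY tenant_isolation ON invoices
    USING      (tenant_id = current_setting('app.current_tenant', true)::uuid)
    WITH CHECK (tenant_id = current_setting('app.current_tenant', true)::uuid);

GRANT SELECT, INSERT, UPDATE, DELETE ON invoices TO app_user;
GRANT USAGE, SELECT ON SEQUENCE invoices_id_seq TO app_user;

-- Per request, connected as app_user. SET LOCAL scopes the value to this
-- transaction, so a pooled connection returned to the proxy does not keep it.
BEGIN;
SET LOCAL app.current_tenant = '11111111-1111-1111-1111-111111111111';
INSERT INTO invoices (tenant_id, amount)
    VALUES ('11111111-1111-1111-1111-111111111111', 42.00);   -- allowed by WITH CHECK
SELECT id, amount FROM invoices;                              -- only this tenant's rows
COMMIT;

-- Same role, different tenant: the row above is invisible, and writing another
-- tenant's id violates WITH CHECK.
BEGIN;
SET LOCAL app.current_tenant = '22222222-2222-2222-2222-222222222222';
SELECT count(*) FROM invoices;                                -- 0
-- INSERT INTO invoices (tenant_id, amount)
--     VALUES ('11111111-1111-1111-1111-111111111111', 1.00);
-- ERROR:  new row violates row-level security policy for table "invoices"
COMMIT;
```

What this changes in the threat model should be stated plainly: with one role per tenant the database enforces identity at authentication time; with a shared role the application must derive `app.current_tenant` from a verified credential on every request, and a SQL injection in that application can issue its own `SET LOCAL`. The policy still catches the common failure, a query that forgot its `WHERE tenant_id = ...`, and it keeps enforcement out of every individual query, which is what RLS was bought for. Two checks belong in the rollout: confirm `app_user` is neither a superuser nor the owner of the tables (or keep `FORCE ROW LEVEL SECURITY`), and read the RDS Proxy pinning rules, since statements that change session state such as `SET` are among the conditions that make the proxy pin a connection to one backend session for its lifetime, which reduces the multiplexing the proxy was deployed for.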