Steps taken:
- Created the IAM user rds-user which has the rds-db:connect permissions for the cluster.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "rds-db:connect"
            ],
            "Resource": [
                "arn:aws:rds-db:eu-west-1:11111111111:dbuser:example-db/rds-test"
            ]
        }
    ]
}
- Enabled RDS IAM Authentication on the Cluster.
- Created the rds-test user inside postgres and granted the rds_iam role.
- Generated an AWS authentication token
export RDSHOST="example-db.eu-west-1.rds.amazonaws.com"
export PGPASSWORD="$(aws rds generate-db-auth-token --hostname $RDSHOST --port 5432 --region us-west-1 --username rds-test)"
psql "host=$RDSHOST port=5432 sslmode=verify-full sslrootcert=eu-west-1-bundle.pem dbname=postgres user=rds-test password=$PGPASSWORD"
Output:
FATAL: password authentication failed for user "rds-test"
The SSL certificate is not expired.
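The token that `aws rds generate-db-auth-token` prints is a SigV4 presigned URL (scheme stripped), and its `X-Amz-Credential` scope embeds the region the token was signed for; RDS rejects a token whose scope region, service or host does not match the endpoint you connect to, and the only symptom is the same generic "password authentication failed". The following script is an added example, not part of the question or of any AWS tooling: it parses a token offline and reports such mismatches before you hand it to `psql`. The sample token is constructed (placeholder key id and signature) and deliberately reproduces the situation in the commands above, a host in eu-west-1 signed with a us-west-1 scope; the helper names are my own.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample token (placeholder key id and signature, not a real
# credential). Its shape is the one `aws rds generate-db-auth-token` prints:
# a SigV4 presigned URL with the scheme stripped. The credential scope here
# deliberately says us-west-1 while the host lives in eu-west-1.
SAMPLE_TOKEN = (
    "example-db.eu-west-1.rds.amazonaws.com:5432/?Action=connect&DBUser=rds-test"
    "&X-Amz-Algorithm=AWS4-HMAC-SHA256"
    "&X-Amz-Credential=AKIAPLACEHOLDER%2F20240102%2Fus-west-1%2Frds-db%2Faws4_request"
    "&X-Amz-Date=20240102T120000Z&X-Amz-Expires=900&X-Amz-SignedHeaders=host"
    "&X-Amz-Signature=" + "0" * 64
)

# RDS and Aurora endpoints carry the region right before ".rds.amazonaws.com".
HOST_REGION_RE = re.compile(r"\.([a-z]{2}(?:-gov)?-[a-z]+-\d)\.rds\.amazonaws\.com$")


def region_of_host(hostname):
    """Return the AWS region encoded in an RDS/Aurora endpoint, or None."""
    m = HOST_REGION_RE.search(hostname.lower())
    return m.group(1) if m else None


def check_token(token):
    """Parse an RDS IAM auth token and report consistency problems.

    Returns a dict with the parsed fields and a list of findings. An empty
    findings list means the token at least addresses the right host, region,
    service and user; it says nothing about the signature itself, which only
    the RDS side can verify.
    """
    parts = urlsplit("https://" + token)     # the token has no scheme of its own
    query = parse_qs(parts.query)            # also percent-decodes the values
    host = parts.hostname or ""

    credential = query.get("X-Amz-Credential", [""])[0]
    scope = credential.split("/")            # key id / date / region / service / terminator
    scope_region = scope[2] if len(scope) == 5 else None
    scope_service = scope[3] if len(scope) == 5 else None

    result = {
        "host": host,
        "port": parts.port,
        "db_user": query.get("DBUser", [None])[0],
        "host_region": region_of_host(host),
        "scope_region": scope_region,
        "expires": int(query.get("X-Amz-Expires", ["0"])[0]),
        "findings": [],
    }
    findings = result["findings"]

    if result["host_region"] is None:
        findings.append("host does not look like an RDS endpoint")
    elif scope_region != result["host_region"]:
        findings.append(
            f"region mismatch: token signed for {scope_region}, "
            f"host is in {result['host_region']}"
        )
    if scope_service != "rds-db":
        findings.append(f"unexpected signing service {scope_service!r}")
    if query.get("Action") != ["connect"]:
        findings.append("Action is not 'connect'")
    if not result["db_user"]:
        findings.append("DBUser missing")
    if result["expires"] > 900:
        findings.append("X-Amz-Expires above the 15-minute maximum")
    return result


if __name__ == "__main__":
    report = check_token(SAMPLE_TOKEN)
    for finding in report["findings"]:
        print("WARN:", finding)
    print("OK" if not report["findings"] else "token will not authenticate")
```

To check a real token, pass the value of `$PGPASSWORD` to `check_token` instead of `SAMPLE_TOKEN`; when the scope region and the host region differ, the fix is to regenerate the token with `--region` set to the region of the endpoint.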
Hi,
I also tried matching all DB clusters and database accounts using this ARN: "arn:aws:rds-db:us-east-2:1234567890:dbuser:/" and it resulted in the same issue, if that's what you meant.
https://repost.aws/knowledge-center/aurora-postgresql-connect-iam - It is mentioned here that my issue might be caused by trying to connect to the DB without SSL, which is not the case in this situation. "If you get an error similar to the one in this example, then the client is trying to connect to the DB instance without SSL."
For example, try checking the connection using the following IAM policy.
By the way, the "psql" command uses SSL communication by default, so I thought it might be possible to connect without "sslmode=verify-full sslrootcert=eu-west-1-bundle.pem". In other words, I think it is possible to connect using the following connection method. https://medium.com/@tizattogabriel/how-to-authenticate-to-an-aws-rds-postgresql-db-instance-using-iam-credentials-4e69b095c01c
Instead of using regional certificates, why not try using a certificate bundle that includes both intermediate and root certificates for all AWS Regions? https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html#UsingWithRDS.SSL.CertificatesAllRegions https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem