无法使用IAM身份验证连接到数据库。

huangapple go评论59阅读模式
英文:

AWS RDS & Datagrip - can't connect to DB with IAM auth "case sensitivity plain=mixed"

问题

我有一个现有的AWS上的RDS数据库,我想使用IAM身份验证通过Datagrip连接到它。我已经严格按照说明进行了操作。我已经在数据库上启用了IAM身份验证,安装了AWS Toolkit插件并设置了身份验证密钥。它可以连接到服务器,可以显示S3并轮询SQS等,所以这不是与AWS通信的问题,但当我尝试连接到RDS数据库时,它给我一个奇怪的错误:

无法使用IAM身份验证连接到数据库。

我已经在网上搜索了一下,但找不到太多信息。我的设置基本上看起来像这样(显然使用了虚假数据):

无法使用IAM身份验证连接到数据库。

我不明白为什么会出现这个问题。唯一我真正不理解的部分是“用户”,文档是这样引用的:

无法使用IAM身份验证连接到数据库。

但这是指什么?那不是主用户名(我尝试过,但也没有意义)。它不是指我的用户名或访问密钥。当我通过插件添加数据库时,该行会自动填充,但就我所知,它看起来像一组随机的字符和数字。

请注意,该数据库是可以公开访问的,但不应该(就我所理解的来说,只有当您通过用户名和密码进行“正常”身份验证访问数据库时才需要这样做),而且文档中也没有指示这是一个要求(否则我会得到不同的错误)。

我在这里漏掉了什么?我做错了什么?

英文:

I have an existing RDS database on AWS that I want to connect to through Datagrip using IAM authentication. I've followed the instructions to a tee. I've enabled IAM auth on the DB, I installed the AWS Toolkit plugin and setup the auth keys. It connects to the server and can show me S3 and poll SQS etc so it's not an issue with communicating with AWS, but when I try to connect to an RDS DB it gives me this strange error:

无法使用IAM身份验证连接到数据库。

I've googled around and couldn't find too much information. My setup looks basically like this (with obviously fake data):

无法使用IAM身份验证连接到数据库。

I don't understand why the issue is happening. The only part there I don't really understand is the "user", which the docs refer to thusly:

无法使用IAM身份验证连接到数据库。

But what is that even referring to? That's not the master username (I tried that, but also that doesn't make sense anyway). It's not referring to my username or access key. The line gets filled automatically when I add the DB through the plugin but I don't know what it is at all, as far as I can tell it looks like a random assortment of characters and numbers.

Note the DB is not publicly accessible, but it shouldn't be (as far as I understand, that's only required when you access the DB through a "normal" authentication with a username and password) and nothing indicates that that's a requirement in the docs anyway (also I would get a different error there).

What am I missing here? What am I doing wrong?

答案1

得分: 2

IAM身份验证仍然需要一个连接到它的数据库用户,这是它所指的。仍然需要创建一个用户,就像这里所描述的一样。来自该页面:

要在PostgreSQL中使用IAM身份验证,请连接到DB实例,作为主用户或可以创建用户和授予权限的不同用户。连接后,创建数据库用户,然后按照以下示例授予它们rds_iam角色。

确保指定的数据库用户名与IAM数据库访问策略中的资源相同。

还要验证IAM是否允许访问,就像这里所描述的那样。如果数据库实际拒绝您的凭据,您还可以检查Postgres日志,您将看到拒绝授权的消息。CloudWatch日志需要明确启用,并且不是默认启用的。

附录:我还发现这个指南,展示了如何以主用户身份连接(第3步)。

我想了解的是关于数据库是公共可访问的部分,而您是通过互联网连接到它,还是您有一些特定的网络设置(VPN/DX?)连接到RDS正在运行的VPC?否则,您仍然需要访问它的网络,可以使用堡垒主机和SSM(例如)来实现。

英文:

IAM authentication still needs a database user that it connects to, this is what it's referring.
There still needs to be a user created like described here. From the page:

> To use IAM authentication with PostgreSQL, connect to the DB instance
> as the master user or a different user who can create users and grant
> privileges. After connecting, create database users and then grant
> them the rds_iam role as shown in the following example.

> Make sure the
> specified database user name is the same as a resource in the IAM
> policy for IAM database access.

Also validate that IAM allows access like described here. You can also check CloudWatch for Postgres logs if the database actually rejects your credentials. You will see auth denied messages. CloudWatch Logs need to be enabled specifically and are not on by default.

Appendix: I also found this guide where it shows how to connect as a master user (step 3)


I'm wondering about the part that the DB is not publicly accessible, whereas you are connecting to it via the internet or do you have some specific network setup (VPN/DX?) to the VPC the RDS is running in? Otherwise you still need network access to it, which can be done with bastion hosts and SSM (for example).

huangapple
  • 本文由 发表于 2023年2月26日 20:58:50
  • 转载请务必保留本文链接:https://go.coder-hub.com/75572152.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定