I found the answer in this post: https://repost.aws/knowledge-center/aurora-postgresql-connect-iam
It turns out that for Aurora PostgreSQL the resource id in the IAM policy needs to be the rds cluster id, not the rds instance id. In contrast, for RDS PostgreSQL the resource id needs to be the db instance resource id. And my policy was using the instance id.
I wish the generate-auth-token request would fail immediately with an IAM error – that would have helped pinpoint the problem much faster. Instead, the generate-auth-token request still succeeded, but the password that was generated wouldn't allow me to connect. And the "pg_hba.conf rejects the connection ... no encryption" error message is misleading as well.
In my environment, I was able to access it using the following IAM policy.
The configuration is based on the following document.
https://docs.aws.amazon.com/ja_jp/AmazonRDS/latest/AuroraUserGuide/UsingWithRDS.IAMDBAuth.IAMPolicy.html
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "rds-db:connect"
            ],
            "Resource": [
                "arn:aws:rds-db:region:account-id:dbuser:*/*"
            ]
        }
    ]
}