I found the answer in this post: https://repost.aws/knowledge-center/aurora-postgresql-connect-iam
It turns out that for Aurora PostgreSQL the resource id in the IAM policy needs to be the rds cluster id, not the rds instance id. In contrast, for RDS PostgreSQL the resource id needs to be the db instance resource id. And my policy was using the instance id.
I wish the generate-auth-token request would fail immediately with an IAM error – that would have helped pinpoint the problem much faster. Instead, the generate-auth-token request still succeeded, but the password that was generated wouldn't allow me to connect. And the "pg_hba.conf rejects the connection ... no encryption" error message is misleading as well.
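The cluster-id versus instance-id mistake described above, checked in code. This is an added example, not code from the thread or from AWS; the region, account and resource ids are constructed placeholders, and the wildcard match is a simplified stand-in for IAM evaluation (no Deny statements, no conditions).

```python
import fnmatch
import json

# Constructed placeholder ids. Real ones come from `aws rds describe-db-clusters`
# (DbClusterResourceId, "cluster-...") and `aws rds describe-db-instances`
# (DbiResourceId, "db-...").
REGION, ACCOUNT = "us-east-1", "123456789012"
AURORA_CLUSTER_ID, AURORA_INSTANCE_ID = "cluster-EXAMPLECLUSTERID", "db-EXAMPLEINSTANCEID"


def connect_arn(region, account_id, resource_id, db_user):
    """Resource ARN that rds-db:connect is evaluated against."""
    return f"arn:aws:rds-db:{region}:{account_id}:dbuser:{resource_id}/{db_user}"


def resource_id_for(engine, cluster_resource_id=None, instance_resource_id=None):
    """Return the id the policy must name: cluster id for Aurora, instance id for RDS."""
    if engine == "aurora-postgresql":
        if not (cluster_resource_id or "").startswith("cluster-"):
            raise ValueError("Aurora PostgreSQL policies need the cluster resource id (cluster-...)")
        return cluster_resource_id
    if engine == "postgres":
        if not (instance_resource_id or "").startswith("db-"):
            raise ValueError("RDS PostgreSQL policies need the DB instance resource id (db-...)")
        return instance_resource_id
    raise ValueError(f"unsupported engine: {engine}")


def connect_policy(region, account_id, resource_id, db_user):
    """Least-privilege variant of the thread's policy: one resource id, one DB user."""
    return {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
            "Action": ["rds-db:connect"],
            "Resource": [connect_arn(region, account_id, resource_id, db_user)]}]}


def policy_allows_connect(policy, arn):
    """True if an Allow statement for rds-db:connect matches arn ('*' and '?' wildcards)."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions, resources = stmt.get("Action", []), stmt.get("Resource", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        if any(fnmatch.fnmatchcase("rds-db:connect", a.lower()) for a in actions) and \
                any(fnmatch.fnmatchcase(arn, r) for r in resources):
            return True
    return False


if __name__ == "__main__":
    target = connect_arn(REGION, ACCOUNT, AURORA_CLUSTER_ID, "iam_user")
    wrong = connect_policy(REGION, ACCOUNT, AURORA_INSTANCE_ID, "iam_user")
    right = connect_policy(REGION, ACCOUNT, resource_id_for("aurora-postgresql", AURORA_CLUSTER_ID), "iam_user")
    print("instance-id policy matches Aurora ARN:", policy_allows_connect(wrong, target))  # False
    print("cluster-id policy matches Aurora ARN:", policy_allows_connect(right, target))   # True
    print(json.dumps(right, indent=2))
```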
In my environment, I was able to access it using the following IAM policy.
The configuration is based on the following document.
https://docs.aws.amazon.com/ja_jp/AmazonRDS/latest/AuroraUserGuide/UsingWithRDS.IAMDBAuth.IAMPolicy.html
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "rds-db:connect"
      ],
      "Resource": [
        "arn:aws:rds-db:region:account-id:dbuser:*/*"
      ]
    }
  ]
}
```