Hello, I have created an RDS on AWS, and created a policy with this permission based on this link:

{
   "Version": "2012-10-17",
   "Statement": [
      {
         "Effect": "Allow",
         "Action": [
             "rds-db:connect"
         ],
         "Resource": [
             "arn:aws:rds-db:us-east-2:1234567890:dbuser:db-ABCDEFGHIJKL01234/db_user"
         ]
      }
   ]
}

I have a general user that is defined with a specific password.

I tried logging in with the user, but instead of the password I tried to set an auth token as in this guide:

import java.util.Properties;

import com.amazonaws.auth.DefaultAWSCredentialsProviderChain;
import com.amazonaws.services.rds.auth.GetIamAuthTokenRequest;
import com.amazonaws.services.rds.auth.RdsIamAuthTokenGenerator;

public class RdsIamAuth {
    // Placeholder values: the real region, endpoint, port and user are not in the question
    private static final String REGION = "us-east-2";
    private static final String DB_HOST = "<rds-endpoint>";
    private static final int DB_PORT = 5432;
    private static final String DB_USER = "root";

    private static Properties setMySqlConnectionProperties() {
        Properties mysqlConnectionProperties = new Properties();
        // IAM database authentication is only accepted over TLS.
        // (These two keys are MySQL Connector/J names; the PostgreSQL JDBC driver uses "ssl"/"sslmode".)
        mysqlConnectionProperties.setProperty("verifyServerCertificate", "true");
        mysqlConnectionProperties.setProperty("useSSL", "true");
        mysqlConnectionProperties.setProperty("user", DB_USER);
        // The IAM auth token takes the place of the password; it must be generated
        // for the same host, port and DB user that the connection uses
        mysqlConnectionProperties.setProperty("password",
                generateAuthToken(REGION, DB_HOST, DB_PORT, DB_USER));
        return mysqlConnectionProperties;
    }

    public static String generateAuthToken(String region, String hostName, int port, String username) {
        // Signs the token with whatever credentials the default provider chain finds
        RdsIamAuthTokenGenerator generator = RdsIamAuthTokenGenerator.builder()
                .credentials(new DefaultAWSCredentialsProviderChain())
                .region(region)
                .build();

        // The token is bound to this hostname, port and DB user name
        return generator.getAuthToken(
                GetIamAuthTokenRequest.builder()
                        .hostname(hostName)
                        .port(port)
                        .userName(username)
                        .build());
    }
}

I'm using it in my case with PostgreSQL, and it results in this error:

"FATAL: password authentication failed for user \"root\"","error.stack_trace":"org.postgresql.util.PSQLException: FATAL: password authentication failed for user \"root\"

My root user should be supported with IAM; what can I validate in order to fix it?

Below you can see from AWS that my policy is defined:

[screenshot of the policy in the AWS console]

Did you `grant rds_iam to root`? You didn't describe doing that, and based on the error it looks like you didn't. – jjanes Jul 05 '22 at 15:00

1 Answer


First of all, I had a bug: I used the DB name instead of the DBI resource ID.

This is the expected format:

arn:aws:rds-db:region:account-id:dbuser:DbiResourceId/db-user-name

            

And here is the code:

data "aws_iam_policy_document" "policy_fooweb_job" {
  statement {
    actions = [
      "rds-db:connect"
    ]
    effect = "Allow"
    resources = [
      "arn:aws:rds-db:${var.region}:${data.aws_caller_identity.current.account_id}:dbuser:${data.aws_db_instance.database.resource_id}/someUser"
    ]
  }
}

## get the db instance
data "aws_db_instance" "database" {
  db_instance_identifier = "company-oltp1"
}
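The answer's fix (use the DbiResourceId, not the instance name, in the Resource ARN) and the question's symptom (a policy granting `db_user` while the connection is attempted as `root`) are both things that can be checked before touching the database. The following is an added example, not code from the question or the answer: a small stdlib-only Python audit that parses an IAM policy document, validates every `rds-db:connect` Resource against the `arn:aws:rds-db:region:account-id:dbuser:DbiResourceId/db-user-name` shape from the answer, and reports whether the user the token is generated for is actually granted. The sample policy, the account id `123456789012` and the instance name `company-oltp1` in the resource position are constructed for the demonstration.

```python
import json
import re

# Expected shape, as given in the answer:
#   arn:aws:rds-db:region:account-id:dbuser:DbiResourceId/db-user-name
ARN_RE = re.compile(
    r"^arn:(?P<partition>aws(?:-[a-z]+)?):rds-db:(?P<region>[a-z0-9-]*):"
    r"(?P<account>[^:]*):dbuser:(?P<resource>[^/]*)/(?P<user>[^/]+)$"
)
# A DbiResourceId looks like db-ABCDEFGHIJKL01234; an instance identifier
# such as company-oltp1 does not match, which is the mistake the answer describes.
RESOURCE_ID_RE = re.compile(r"^db-[A-Z0-9]+$")


def check_connect_arn(arn):
    """Return the problems found in one rds-db:connect Resource ARN (empty list = looks right)."""
    m = ARN_RE.match(arn)
    if not m:
        return ["does not match arn:aws:rds-db:region:account-id:dbuser:DbiResourceId/db-user-name"]
    problems = []
    if not m.group("region"):
        problems.append("region segment is empty")
    account = m.group("account")
    if account != "*" and not re.fullmatch(r"\d{12}", account):
        problems.append(f"account-id {account!r} is not a 12-digit AWS account id")
    resource = m.group("resource")
    if resource != "*" and not RESOURCE_ID_RE.match(resource):
        problems.append(
            f"resource segment {resource!r} is not a DbiResourceId (db-...); "
            "it looks like a DB instance identifier"
        )
    return problems


def _as_list(value):
    """IAM accepts a single string/object or a list in Statement, Action and Resource."""
    if value is None:
        return []
    if isinstance(value, (str, dict)):
        return [value]
    return list(value)


def audit_policy(policy_json, token_user):
    """Check every rds-db:connect Resource in a policy and whether token_user is granted by one.

    Returns {"arn_problems": {arn: [problem, ...]}, "user_granted": bool}.
    """
    doc = json.loads(policy_json)
    arn_problems = {}
    user_granted = False
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        if not any(a in ("rds-db:connect", "rds-db:*", "*") for a in actions):
            continue
        for arn in _as_list(stmt.get("Resource")):
            problems = check_connect_arn(arn)
            arn_problems[arn] = problems
            if problems:
                continue  # a malformed ARN grants nothing useful
            granted_user = ARN_RE.match(arn).group("user")
            if granted_user in ("*", token_user):
                user_granted = True
    return {"arn_problems": arn_problems, "user_granted": user_granted}


# Constructed sample: the Resource uses the DB instance identifier instead of the DbiResourceId.
SAMPLE_WRONG_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["rds-db:connect"],
        "Resource": ["arn:aws:rds-db:us-east-2:123456789012:dbuser:company-oltp1/db_user"],
    }],
})

if __name__ == "__main__":
    report = audit_policy(SAMPLE_WRONG_POLICY, token_user="root")
    for arn, problems in report["arn_problems"].items():
        print(arn, "->", problems or "ok")
    print("token user granted:", report["user_granted"])
```

Run it against the real policy JSON (`aws iam get-policy-version` output, or the Terraform-rendered document) with the user name you pass to the token generator; an empty problem list and `user_granted: True` leaves the server-side `GRANT rds_iam` from the comment above as the remaining thing to verify.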