
I am trying to connect to an RDS Proxy with IAM authentication and am getting an invalid credentials error.

Error: Proxy authentication with IAM authentication failed for user "lambda_user" with TLS on. Reason: Invalid credentials. If you provide an IAM token, make sure to either use the correct password or enable IAM authentication

I added full RDS permissions to the Lambda and also attached the database proxy to it.

from urllib.parse import quote_plus

from boto3 import client as rds_client


def get_db_token():
    db_client = rds_client('rds', region_name="us-east-1")
    # The token is generated for the proxy endpoint, not the underlying instance
    database_token = db_client.generate_db_auth_token(
        DBHostname='test-rds.proxy-xxxxxxxx.us-east-1.rds.amazonaws.com',
        Port=5432,
        DBUsername='lambda_user')
    return database_token


db_token = get_db_token()
# The token contains '&', '/' and '=' characters, so it is URL-escaped before
# being embedded in the connection URL
db_url = f"postgresql://lambda_user:{quote_plus(db_token)}@test-rds.proxy-xxxxxxx.us-east-1.rds.amazonaws.com:5432/TestDatabase?sslmode=require"

IAM policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "rds-db:connect",
            "Resource": "arn:aws:rds-db:*:xxxxxxxxxx:dbuser:*/*"
        }
    ]
}

Lambda Database Proxies Config

I tried enhanced logging in RDS Proxy, but it is not clear why the IAM token is invalid.

  • You don't mention in your post, but did you also add the plugin/grant to `lambda_user` on the database? Docs for that step are here - https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.DBAccounts.html – getglad Oct 25 '22 at 14:33
  • I am using IAM auth to RDS proxy only. Connection to the RDS Postgres still uses username/password. Do I still need to grant rds_iam to my Postgres user? – Srini Reddy Oct 25 '22 at 14:38
  • I granted rds_iam to my user already. role "lambda_user" is already a member of role "rds_iam" – Srini Reddy Oct 25 '22 at 14:46
  • Did you ever figure it out? I'm running into the same issue with the same code. – Michael Du Mar 11 '23 at 09:49

2 Answers


You have to enable IAM authentication on your RDS database.

https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.Enabling.html

Here is also an interesting link you can follow: https://aws.amazon.com/blogs/database/iam-role-based-authentication-to-amazon-aurora-from-serverless-applications/

Bguess

As per the suggestion from Bguess, I got it working by enabling IAM authentication on my RDS database.

The below code is working for me.

    from os import environ

    from boto3 import client as rds_client
    from botocore.client import BaseClient
    from sqlalchemy import create_engine


    class ProxyConnection:
        def __init__(self, db_endpoint: str, db_user_name: str, db: str) -> None:
            # The region must be the one the proxy lives in; a token signed for
            # another region is rejected by the proxy as invalid credentials.
            region_name: str = environ.get('AWS_REGION')
            db_client: BaseClient = rds_client('rds', region_name=region_name)
            # Short-lived (15 minute) token, used as the password for the proxy
            db_auth_token = db_client.generate_db_auth_token(
                DBHostname=db_endpoint,
                Port=5432,
                DBUsername=db_user_name,
                Region=region_name)

            # Passing the token via connect_args avoids URL-escaping it
            args = {'host'    : db_endpoint,
                    'user'    : db_user_name,
                    'password': db_auth_token,
                    'port'    : 5432,
                    'dbname'  : db,
                    'sslmode' : 'require'}  # TLS is mandatory for IAM authentication

            self.engine = create_engine("postgresql://",
                                        connect_args=args,
                                        pool_size=50,
                                        echo=False)

Lambda IAM permissions:

{
      "Sid": "RdsProxyPermissions",
      "Effect": "Allow",
      "Action": ["rds-db:connect"],
      "Resource": "arn:aws:rds-db:${region}:${account}:dbuser:${db_proxy_id}/*"
}
Felix Quehl
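Added example, not code from the question or either answer: the "Invalid credentials" error above is also what the proxy returns when the token was signed for a different hostname, user or region than the connection actually uses, or when a token cached across Lambda invocations has passed its 15-minute expiry. The function below parses the presigned-URL token that generate_db_auth_token returns and reports such mismatches before the connection is attempted; the token layout is the standard SigV4 query format, and the sample token and clock value are constructed.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit


def inspect_db_token(token, expected_host, expected_user, expected_region, now=None):
    """Return mismatches between an RDS IAM auth token and the intended connection (empty list = consistent)."""
    problems = []
    # The token is "host:port/?query" with no scheme; prefix one so urlsplit
    # separates host, port and query string correctly.
    parts = urlsplit("https://" + token)
    query = parse_qs(parts.query)

    if parts.hostname != expected_host:
        problems.append(f"token signed for host {parts.hostname!r}, "
                        f"connecting to {expected_host!r}")
    user = query.get("DBUser", [None])[0]
    if user != expected_user:
        problems.append(f"token DBUser {user!r} != connection user {expected_user!r}")

    # Credential scope is <access-key-id>/<date>/<region>/rds-db/aws4_request;
    # a token signed for another region is also rejected as invalid credentials.
    scope = query.get("X-Amz-Credential", [""])[0].split("/")
    if len(scope) != 5 or scope[3] != "rds-db":
        problems.append("unexpected credential scope in X-Amz-Credential")
    elif scope[2] != expected_region:
        problems.append(f"token signed for region {scope[2]!r}, expected {expected_region!r}")

    # Tokens are valid for X-Amz-Expires seconds (900 = 15 minutes) from
    # X-Amz-Date, so a token cached across Lambda invocations goes stale.
    issued_at = query.get("X-Amz-Date", [""])[0]
    try:
        issued = datetime.strptime(issued_at, "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return problems + [f"missing or malformed X-Amz-Date {issued_at!r}"]
    expires = issued + timedelta(seconds=int(query.get("X-Amz-Expires", ["0"])[0]))
    if (now or datetime.now(timezone.utc)) >= expires:
        problems.append(f"token expired at {expires.isoformat()}")
    return problems


# Constructed sample token in the generate_db_auth_token format; the access
# key id and signature are dummy values, not real credentials.
SAMPLE_TOKEN = (
    "test-rds.proxy-xxxxxxxx.us-east-1.rds.amazonaws.com:5432/?Action=connect"
    "&DBUser=lambda_user&X-Amz-Algorithm=AWS4-HMAC-SHA256"
    "&X-Amz-Credential=AKIAEXAMPLE%2F20221025%2Fus-east-1%2Frds-db%2Faws4_request"
    "&X-Amz-Date=20221025T143300Z&X-Amz-Expires=900&X-Amz-SignedHeaders=host"
    "&X-Amz-Signature=" + "0" * 64
)
SAMPLE_NOW = datetime(2022, 10, 25, 14, 40, tzinfo=timezone.utc)  # constructed clock inside the token's window
```

Run it against the host you actually put in the connection string: a placeholder-style mismatch such as proxy-xxxxxxxx versus proxy-xxxxxxx in the question's own code is exactly the kind of error it reports.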