
I have an existing RDS database on AWS that I want to connect to through DataGrip using IAM authentication. I've followed the instructions to a tee. I've enabled IAM auth on the DB, installed the AWS Toolkit plugin and set up the auth keys. It connects to the server and can show me S3, poll SQS, etc., so it's not an issue with communicating with AWS, but when I try to connect to an RDS DB it gives me this strange error:

[screenshot of the DataGrip error dialog]

I've googled around and couldn't find too much information. My setup looks basically like this (with obviously fake data):

[screenshot of the DataGrip data source settings]

I don't understand why the issue is happening. The only part there I don't really understand is the "user", which the docs refer to thusly:

> The name of your database user account

But what is that even referring to? That's not the master username (I tried that, but that doesn't make sense anyway). It's not referring to my username or access key. The line gets filled automatically when I add the DB through the plugin, but I don't know what it is at all; as far as I can tell, it looks like a random assortment of characters and numbers.

Note the DB is not publicly accessible, but it shouldn't be (as far as I understand, that's only required when you access the DB through a "normal" authentication with a username and password) and nothing indicates that that's a requirement in the docs anyway (also I would get a different error there).

What am I missing here? What am I doing wrong?

yuvi
  • really, no one? – yuvi Mar 06 '23 at 15:52
  • I tried following the instruction guide you linked and it worked for me. The only other thing I did was make my RDS instance publicly accessible and add my new IAM user by running the script `CREATE USER test_user IDENTIFIED WITH AWSAuthenticationPlugin AS 'RDS';` via the RDS master account. I could then log in successfully with my IAM test_user account. – Gawo He Mar 08 '23 at 11:03

1 Answer


IAM authentication still needs a database user to connect as; this is what it's referring to. A user still needs to be created as described here. From the page:

> To use IAM authentication with PostgreSQL, connect to the DB instance as the master user or a different user who can create users and grant privileges. After connecting, create database users and then grant them the rds_iam role as shown in the following example.

> Make sure the specified database user name is the same as a resource in the IAM policy for IAM database access.

Also validate that IAM allows access as described here. You can also check CloudWatch for the Postgres logs to see whether the database actually rejects your credentials; you will see auth denied messages. CloudWatch Logs need to be enabled specifically and are not on by default.

Appendix: I also found this guide, which shows how to connect as the master user (step 3).

I'm wondering about the part where the DB is not publicly accessible: are you connecting to it via the internet, or do you have some specific network setup (VPN/DX?) to the VPC the RDS is running in? Otherwise you still need network access to it, which can be done with bastion hosts and SSM (for example).

Augunrik
  • Thank you! I've been asking all over and finally someone actually provides a reasonable answer. I'll try these and see. As per your question, we have a pretty convoluted setup with an SSH connection through another EC2 instance, something we really need to replace because it's bad and hard to maintain with a growing team of developers. – yuvi Mar 07 '23 at 10:04
  • 1
    As long as TCP packets go over this and reach RDS it should be good for this question – Augunrik Mar 07 '23 at 12:21
  • IT'S STILL NOT WORKING. I don't even know anymore – yuvi Mar 07 '23 at 13:31
  • 1
    The descriptiveness is lacking… but if it doesn’t work like AWS documentation, then either you are missing something or it’s AWS Support needed. – Augunrik Mar 07 '23 at 17:34