我在Postgresql上启用了IAM Auth,我的用户myAWSusername
具有RDSFullAccess
export RDSHOST="MYRDSHOSTNAME.us-east-2.rds.amazonaws.com"
export PGPASSWORD="$(aws rds generate-db-auth-token --hostname $RDSHOST --port 5432 --region us-east-2 --username myAWSusername(not db_userx) )"
psql "host=$RDSHOST port=5432 sslmode=verify-full sslrootcert=./rds-combined-ca-bundle.pem dbname=busscanner user=db_userx"
我得到:
psql: FATAL: PAM authentication failed for user "db_userx"
这就是如何创建我的db_userx
CREATE USER db_userx WITH LOGIN;
GRANT rds_iam TO db_userx;
du
的输出
Role name | Attributes | Member of
-------------------+------------------------------------------------------------+------------------------------------------------
db_userx | | {rds_iam}
postgres_ro | | {postgres_ro_group}
postgres_ro_group | Cannot login | {}
rds_iam | Cannot login | {}
rds_replication | Cannot login | {}
rds_superuser | Cannot login | {pg_monitor,pg_signal_backend,rds_replication}
rdsadmin | Superuser, Create role, Create DB, Replication, Bypass RLS+| {}
| Password valid until infinity |
rdsrepladmin | No inheritance, Cannot login, Replication | {}
read_only_user | Password valid until infinity | {}
是不能正确登录rds_iam
吗?
这是我附加给我的用户的策略:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"rds-db:connect"
],
"Resource": [
"arn:aws:rds-db:us-east-2:MYAWSROOTACCOUNTID:dbuser:*/db_userx"
]
}
]
}
您必须使用IAM策略中的db_userx
生成generate-db-auth-token
db-auth-token
将是您的PGPASSWORD
export RDSHOST="MYRDSHOSTNAME.us-east-2.rds.amazonaws.com"
export PG_USER="db_userx"
export PGPASSWORD="$(aws rds generate-db-auth-token --hostname $RDSHOST --port 5432 --region us-west-2 --username $PG_USER )"
然后:
psql "host=$RDSHOST port=5432 sslmode=verify-full sslrootcert=./rds-combined-ca-bundle.pem dbname=db_roles_test user=$PG_USER"
这对db_userx
来说是正确的
CREATE USER db_userx WITH LOGIN;
GRANT rds_iam TO db_userx;
的输出
List of roles
Role name | Attributes | Member of
----------------------+------------------------------------------------+--------------------------------------------------------------
db_userx | | {rds_iam}
pg_monitor | Cannot login | {pg_read_all_settings,pg_read_all_stats,pg_stat_scan_tables}
pg_read_all_settings | Cannot login | {}
pg_read_all_stats | Cannot login | {}
pg_signal_backend | Cannot login | {}
pg_stat_scan_tables | Cannot login | {}
rds_iam | Cannot login | {}
rds_password | Cannot login | {}
rds_replication | Cannot login | {}
rds_superuser | Cannot login | {pg_monitor,pg_signal_backend,rds_replication,rds_password}
rdsadmin | Superuser, Create role, Create DB, Replication+| {}
| Password valid until infinity |
rdsrepladmin | No inheritance, Cannot login, Replication | {}
root | Create role, Create DB +| {rds_superuser}
这样你就可以通过创建尽可能多的用户
CREATE USER <you_user_name> WITH LOGIN;
小心Authentication tokens have a lifespan of 15 minutes
因此,在所有这些之后,任何具有您的策略的AWS Resource
都将可以访问RDS Db。
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"rds-db:connect"
],
"Resource": [
"arn:aws:rds-db:us-east-2:MYAWSROOTACCOUNTID:dbuser:*/db_userx"
]
}
]
}
对于那些仍在与";用户"xxxx"的PAM认证失败;,请检查您的AWS帐户是否是AWS组织的一部分。
如果该帐户是组织的一部分,请将rds db:*添加到该帐户所属组织单元的服务控制策略中。
此外,请检查IAM用户或角色的层次结构是否不具有rds db权限。
有关更多信息,请查看这些高级支持AWS文档:https://aws.amazon.com/premiumsupport/knowledge-center/rds-postgresql-connect-using-iam/#:~:text=如果%20您%20仍然%20收到%20 an,则%20帐户%20属于%20。
获取";PAM认证失败";错误是如果您尝试从EC2连接,但尚未附加允许"连接"的策略;rds数据库:连接";到EC2 IAM角色。请注意,您可以在不附加角色的情况下从aws rds generate-db-auth-token
生成令牌;只有在尝试对DB进行身份验证时才需要该角色。
此外,aws rds generate-db-auth-token
的--username
参数应为DB用户(DB_userx(,而不是IAM用户(myAWSusername(。
您需要将rds-db:connect
附加到IAM角色。然后将角色附加到EC2实例Lambda。
如果您仍在挣扎,而上述解决方案都不适用,那么:-如果您创建了一个具有登录密码的用户,并在知情/不知情的情况下授予该用户"rds_iam"角色,即
create user test_user with login password 'pass2122';
grant rds_iam to test_user;
那么这是错误的,因为rds_iam角色需要提供给那些将通过iam身份验证而不是密码身份验证登录的用户。因此,撤销rds_iam,您就可以登录了。
Revoke rds_iam from test_user;