amazon-rds - RDS Proxy connects successfully, then disconnects with "RDS Proxy supports only IAM or MD5 authentication"

Tags: amazon-rds amazon-iam aws-secrets-manager secret-key amazon-rds-proxy

I followed the steps below to set up RDS Proxy so that I can connect to RDS from Lambda:

https://aws.amazon.com/blogs/compute/using-amazon-rds-proxy-with-aws-lambda/

Whenever I run it in Lambda it connects, but later, whenever we execute a query, it disconnects with this message:

FATAL: RDS Proxy supports only IAM or MD5 authentication.

While troubleshooting:

1) I added AmazonRDSDataFullAccess to the role.

2) I also added the following to the policy

{
    "Effect": "Allow",
    "Action": "kms:Decrypt",
    "Resource": "arn:aws:kms:eu-west-1:[acct-id]:key/*",
    "Condition": {
        "StringEquals": {
            "kms:ViaService": "secretsmanager.eu-west-1.amazonaws.com"
        }
    }
}

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "rds-db:connect"
            ],
            "Resource": [
                "arn:aws:rds-db:eu-west-1:[acct-id]:dbuser:prx-ABCDEFGHIJKL01234/*"
            ]
        }
    ]
}

3) Created a new read/write role in my actual RDS instance with the same name as the IAM user.

4) The only problem is that I cannot create a DefaultEncryptionKey; I only get my own key to choose from.


export PGPASSWORD="$(aws rds generate-db-auth-token --hostname ${host} --port 5432 --region eu-west-1 --username iamuser)"

psql -h ${host} -p 5432 -d postgres -U iamuser

psql (14.4, server 13.4)
SSL connection (protocol: TLSv1.3, cipher:***, bits: 256, compression: off)
Type "help" for help.

postgres=> select current_user;
FATAL:  RDS Proxy supports only IAM or MD5 authentication
SSL connection has been closed unexpectedly
The connection to the server was lost. Attempting reset: Succeeded.
psql (14.4, server 13.4)
SSL connection (protocol: TLSv1.3, cipher: ***, bits: 256, compression: off)


Best answer

I had the same problem. I fixed it by creating a new user in the PostgreSQL database and using that user for the proxy.

With the default user:

$ export RDSHOSTNAME="mycluster.proxy-xxxxxxx"
$ export RDSREGION="eu-central-1"
$ export PGDATABASE="mydatabase"
$ export PGUSER="mydefaultuser"
$ export PGHOST="${RDSHOSTNAME}.${RDSREGION}.rds.amazonaws.com"
$ export PGSSLROOTCERT="/tmp/rds-ca.pem"
$ export PGSSLMODE="verify-full"
$ export PGPASSWORD="$(aws rds generate-db-auth-token --hostname ${PGHOST} --port 5432 --region ${RDSREGION} --username ${PGUSER})" 
$ psql
psql (13.7 (Debian 13.7-0+deb11u1), server 13.4)
SSL connection (protocol: TLSv1.3, cipher: TLS_AES_256_GCM_SHA384, bits: 256, compression: off)
Type "help" for help.

mydatabase=> select * from mytable;
FATAL:  RDS Proxy supports only IAM or MD5 authentication.
SSL connection has been closed unexpectedly
The connection to the server was lost. Attempting reset: Succeeded.
psql (13.7 (Debian 13.7-0+deb11u1), server 13.4)
SSL connection (protocol: TLSv1.3, cipher: TLS_AES_256_GCM_SHA384, bits: 256, compression: off)

Create a new user for the proxy:

CREATE ROLE rdsproxyuser WITH LOGIN PASSWORD '123456';
GRANT ALL PRIVILEGES ON DATABASE mydatabase to rdsproxyuser;
GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO rdsproxyuser;
$ export RDSHOSTNAME="mycluster.proxy-xxxxxxx"
$ export RDSREGION="eu-central-1"
$ export PGDATABASE="mydatabase"
$ export PGUSER="rdsproxyuser"
$ export PGHOST="${RDSHOSTNAME}.${RDSREGION}.rds.amazonaws.com"
$ export PGSSLROOTCERT="/tmp/rds-ca.pem"
$ export PGSSLMODE="verify-full"
$ export PGPASSWORD="$(aws rds generate-db-auth-token --hostname ${PGHOST} --port 5432 --region ${RDSREGION} --username ${PGUSER})" 
$ psql
psql (13.7 (Debian 13.7-0+deb11u1), server 13.4)
SSL connection (protocol: TLSv1.3, cipher: TLS_AES_256_GCM_SHA384, bits: 256, compression: off)
Type "help" for help.

mydatabase=> select * from mytable;
id | column1 | column2 | column3
---+---------+---------+---------
SNIP

My main guess is that AWS RDS does not store the default account's password with MD5 but with scram-sha-256, which the proxy does not support: https://www.postgresql.org/docs/13/auth-password.html
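An added example, not part of the original answer, showing the check and the fix a practitioner would want at this point. The proxy opens its backend connection with the username and password stored in the Secrets Manager secret attached to it, so what matters is how that role's password hash is stored in PostgreSQL, not how the client authenticates (the client side above uses an IAM token). Setting `password_encryption = 'md5'` for the session before creating the role guarantees an MD5 hash regardless of the instance default, and the grants are narrowed from `ALL PRIVILEGES` to what an application needs. The role `rdsproxyuser` and database `mydatabase` come from the answer above; the password placeholder and the grant set are assumptions. Run it as the RDS master user.

```sql
-- Added example, not from the original answer.
-- Run as the RDS master (rds_superuser) user against the writer instance.

-- 1. What hash format does a newly set password get on this instance?
--    'md5' is what the proxy can use for its backend login; a role created
--    while this is 'scram-sha-256' is what produces
--    "RDS Proxy supports only IAM or MD5 authentication".
SHOW password_encryption;

-- 2. Force MD5 for this session only. password_encryption is a per-session
--    setting (no superuser needed), so the role below is stored as an MD5
--    hash whatever the cluster default is.
SET password_encryption = 'md5';

-- 3. Create the role the proxy will log in as. Replace the placeholder with a
--    long random password and put the same username/password into the
--    Secrets Manager secret attached to the proxy. A password such as
--    '123456' is not acceptable for a role reachable through the proxy.
CREATE ROLE rdsproxyuser WITH LOGIN PASSWORD 'REPLACE-WITH-GENERATED-SECRET';

-- 4. Least privilege instead of ALL PRIVILEGES ON DATABASE: the application
--    needs to connect and read/write its tables, nothing more.
GRANT CONNECT ON DATABASE mydatabase TO rdsproxyuser;
GRANT USAGE ON SCHEMA public TO rdsproxyuser;
GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA public TO rdsproxyuser;
GRANT USAGE, SELECT ON ALL SEQUENCES IN SCHEMA public TO rdsproxyuser;
-- Tables the current (master) user creates later get the same grants.
ALTER DEFAULT PRIVILEGES IN SCHEMA public
    GRANT SELECT, INSERT, UPDATE, DELETE ON TABLES TO rdsproxyuser;

-- 5. For a role that already exists and was created under scram-sha-256,
--    re-setting its password while password_encryption is 'md5' rewrites the
--    stored hash; update the Secrets Manager secret to match afterwards.
-- ALTER ROLE rdsproxyuser WITH PASSWORD 'REPLACE-WITH-GENERATED-SECRET';

-- 6. Verify the stored format. rolpassword starts with 'md5' for MD5 and
--    'SCRAM-SHA-256$' for SCRAM. Reading pg_authid requires superuser
--    rights, which the RDS master user does not have, so expect this query
--    to be denied on RDS; on self-managed PostgreSQL it answers directly.
SELECT rolname,
       CASE
           WHEN rolpassword LIKE 'md5%'            THEN 'md5'
           WHEN rolpassword LIKE 'SCRAM-SHA-256$%' THEN 'scram-sha-256'
           WHEN rolpassword IS NULL                THEN 'no password'
           ELSE 'unknown'
       END AS password_format
FROM pg_catalog.pg_authid
WHERE rolname = 'rdsproxyuser';
```

When the `pg_authid` query is denied, the reliable check is the `SHOW password_encryption` value at the moment the role's password was last set: if it was `scram-sha-256`, re-set the password under `md5` as in step 5 and rotate the secret the proxy uses.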

Regarding amazon-rds - RDS Proxy connects successfully, then disconnects with "RDS Proxy supports only IAM or MD5 authentication", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/73471657/
