I deployed a aurora cluster for postgresql engine and enabled IAM authentication (Password and IAM database authentication). I created a user with below commands:
CREATE USER test WITH PASSWORD '123456';
GRANT rds_iam TO test;
I am able to login the database with aws rds generate-db-auth-token auto generated token but I can't login with the native password.
The command I am using to login is:
psql "host=dev-ams-engine-aurora-auroracluster.cluster-xxxxx.ap-southeast-2.rds.amazonaws.com dbname=Test user=test"
The error I got when login with native password is:
psql: error: could not connect to server: FATAL: PAM authentication failed for user "test"
Based on AWS doc:
Password and IAM database authentication
Manage your database user credentials through your DB engine's native password authentication
features and IAM users and roles. IAM helps an administrator securely control access to AWS
resources. IAM administrators control who can be authenticated and authorized for RDS resources.
It seems that it should support both IAM user/role and native password. Why can't I use native password to login?
Related
I have created role under postgresql using PgAdmin.
CREATE ROLE user_name LOGIN PASSWORD 'xyz';
I'm able to login to server using pgAdmin using above credentials.
But when I try to connect from MSSQL Server (Babelfish) getting an following error:
But when I query using postgres user login I get the role details in babelfish.
SELECT * FROM pg_user;
The (sparse) documentation says:
You can use CREATE LOGIN to create a new Babelfish login with access to all databases. Babelfish logins are implemented as PostgreSQL login roles of the same name.
That could be more explicit, but you have to create the login in a TDS connection, not while you are connected with the PostgreSQL protocol.
Ran this while trying to manage some permissions with Cloud SQL IAM users:
GRANT "****#*****.iam" to postgres;
Now it appears that my postgres account is an IAM user in the DB. And I can't change it back because I can't log in with my original postgres user password. This was also my only superuser account, so I can't get the proper access to change anything back. GCP dashboard also does not let me modify the password because now it's a "System User". Very strange... how do I resolve this?
Tried logging in with the IAM role that I granted to postgres, that does not work... Not sure what to do beyond file a support ticket with GCP
I'm trying to get authentication working using kerberos in Windows instead of username and password when connecting to PostgreSQL. Very new to this area and would appreciate any thoughts. In essence what I want to achieve is not having the password in the app configuration. Maybe there are other options apart from using kerberos?
Will the following work?
configure Postgres for SSPI authentication
create a user in Postgres with the same user name as the SPN of the user in the AD
pre-create kerberos authentication tickets (somehow magically) for the created user
connect to postgres using psql with the above user without providing the password
If this is at all possible I'm interested in how to achieve that magical part above ^^^
Thanks.
I have a sonarqube instance running in a Kubernetes cluster, connected to postgres rds database. I'm trying to reset the admin password after Keycloak realm change disabled OIDC authentication and now I cannot log in to the instance. Running version 8.9.7.52159 CE, I followed the docs (https://docs.sonarqube.org/8.9/instance-administration/security/) and reset the password via sql query.
I checked the admin user in the database and user has been updated, But when attempting to login via admin username and admin password I get error authentication failed.
Checking logs of pod I can see following errors after realm change:
Caused by: com.nimbusds.oauth2.sdk.GeneralException: The returned issuer doesn't match the expected: https:/keycloak-realm-url
WARN [o.s.s.a.AuthenticationError] Fail to initialize authentication with provider 'oidc'
I can't login to the instance to modify security settings/realm etc. Any ideas why the password reset for admin user isn't working and how can I resolve. Thanks
I have a user with role rds_iam so IAM DB Auth is required for the user to connect to my Aurora PostgreSQL server (server A). Which works as expected. I have added a role to Server B that has permissions to rds-db:connect to server A. Now I need to update FDW to connect to server A using the IAM-enabled user.
I don't understand what is suppose to be used for password for the following command:
CREATE USER MAPPING IF NOT EXISTS FOR <current user> SERVER <server name>
OPTIONS (USER <username>, PASSWORD <password>);"
Currently, I am getting the following error:
[08001] ERROR: could not connect to server "XXXXXX" Detail: FATAL: PAM authentication failed for user "user-xxxxx"
I suspect because passsword was actually a token that I generated when setting up the user. But tokens expire afte 15 minutes. So how do setup an IAM-user with FDW?
Unless Amazon hacks postgres_fdw to add this capability, I think you would need to write some code that does ALTER USER MAPPING every 15 minutes, or give up on using IAM for this.