Era*_*lpB 6 postgresql amazon-rds amazon-iam
I enabled IAM Auth on PostgreSQL, and my user myAWSusername has RDSFullAccess.
export RDSHOST="MYRDSHOSTNAME.us-east-2.rds.amazonaws.com"
export PGPASSWORD="$(aws rds generate-db-auth-token --hostname $RDSHOST --port 5432 --region us-east-2 --username myAWSusername(not db_userx) )"
psql "host=$RDSHOST port=5432 sslmode=verify-full sslrootcert=./rds-combined-ca-bundle.pem dbname=busscanner user=db_userx"
I get:
psql: FATAL: PAM authentication failed for user "db_userx"
This is how I created db_userx:
CREATE USER db_userx WITH LOGIN;
GRANT rds_iam TO db_userx;
Output of \du:
Role name | Attributes | Member of
-------------------+------------------------------------------------------------+------------------------------------------------
db_userx | | {rds_iam}
postgres_ro | | {postgres_ro_group}
postgres_ro_group | Cannot login | {}
rds_iam | Cannot login | {}
rds_replication | Cannot login | {}
rds_superuser | Cannot login | {pg_monitor,pg_signal_backend,rds_replication}
rdsadmin | Superuser, Create role, Create DB, Replication, Bypass RLS+| {}
| Password valid until infinity |
rdsrepladmin | No inheritance, Cannot login, Replication | {}
read_only_user | Password valid until infinity | {}
Is rds_iam unable to log in correctly?
This is the policy I attached to the user:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"rds-db:connect"
],
"Resource": [
"arn:aws:rds-db:us-east-2:MYAWSROOTACCOUNTID:dbuser:*/db_userx"
]
}
]
}
You must run generate-db-auth-token with db_userx, the user from the IAM policy.
The db-auth-token will be your PGPASSWORD.
export RDSHOST="MYRDSHOSTNAME.us-east-2.rds.amazonaws.com"
export PG_USER="db_userx"
# --region must be the region the instance lives in (us-east-2 here, matching the hostname and the policy ARN)
export PGPASSWORD="$(aws rds generate-db-auth-token --hostname $RDSHOST --port 5432 --region us-east-2 --username $PG_USER )"
Then:
psql "host=$RDSHOST port=5432 sslmode=verify-full sslrootcert=./rds-combined-ca-bundle.pem dbname=db_roles_test user=$PG_USER"
This is the correct db_userx:
CREATE USER db_userx WITH LOGIN;
GRANT rds_iam TO db_userx;
Output of \du:
List of roles
Role name | Attributes | Member of
----------------------+------------------------------------------------+--------------------------------------------------------------
db_userx | | {rds_iam}
pg_monitor | Cannot login | {pg_read_all_settings,pg_read_all_stats,pg_stat_scan_tables}
pg_read_all_settings | Cannot login | {}
pg_read_all_stats | Cannot login | {}
pg_signal_backend | Cannot login | {}
pg_stat_scan_tables | Cannot login | {}
rds_iam | Cannot login | {}
rds_password | Cannot login | {}
rds_replication | Cannot login | {}
rds_superuser | Cannot login | {pg_monitor,pg_signal_backend,rds_replication,rds_password}
rdsadmin | Superuser, Create role, Create DB, Replication+| {}
| Password valid until infinity |
rdsrepladmin | No inheritance, Cannot login, Replication | {}
root | Create role, Create DB +| {rds_superuser}
So you can create as many users as you want with:
CREATE USER <your_user_name> WITH LOGIN;
Beware: authentication tokens have a lifespan of 15 minutes.
So, after all this, any AWS resource matching your policy can access the RDS DB:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"rds-db:connect"
],
"Resource": [
"arn:aws:rds-db:us-east-2:MYAWSROOTACCOUNTID:dbuser:*/db_userx"
]
}
]
}
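As an added example (my own code, not from the question or either answer), here is a POSIX shell script that pre-checks the inputs of the flow above before psql is ever called: it derives the region from the RDS hostname so it cannot drift from the host, builds the rds-db:connect resource ARN the policy has to allow, and inspects a generated token to confirm it is bound to the intended host, DB user and region and carries the 15-minute (900 s) lifetime. The token layout (a SigV4 presigned URL without the scheme, with the credential scope percent-encoded) is what aws rds generate-db-auth-token emits; the sample hostname, account id, access key id and signature are constructed placeholders, and rds_iam_psql is a hypothetical wrapper that needs real AWS credentials and psql, so it is defined but not invoked.

```shell
#!/bin/sh
# Added example, not code from the original post. Pre-flight checks for the
# RDS IAM-auth flow. Hostname, account id and token contents are constructed.

# The region is the DNS label just before "rds.amazonaws.com", so derive it
# instead of typing it a second time next to the hostname.
rds_region_from_host() {
    printf '%s\n' "$1" | sed -E 's/^.*\.([a-z0-9-]+)\.rds\.amazonaws\.com$/\1/'
}

# Resource ARN that rds-db:connect must be allowed on for a DB user. The
# DB resource id is wildcarded, as in the policy on this page.
rds_db_user_arn() {  # args: region account_id db_user
    printf 'arn:aws:rds-db:%s:%s:dbuser:*/%s\n' "$1" "$2" "$3"
}

# A generated token is a SigV4 presigned URL without the scheme:
#   host:port/?Action=connect&DBUser=...&X-Amz-Credential=...&X-Amz-Expires=900&...
# Print the value of one query parameter.
token_param() {  # args: token param_name
    printf '%s\n' "${1#*\?}" | tr '&' '\n' | sed -n "s/^$2=//p"
}

# Verify a token is for the intended host, DB user and region and has the
# documented 15-minute lifetime. Prints the reason and returns 1 on mismatch.
rds_token_check() {  # args: token host db_user
    tok=$1; host=$2; user=$3
    [ "${tok%%:*}" = "$host" ] || { echo "token host '${tok%%:*}' != '$host'"; return 1; }
    tok_user=$(token_param "$tok" DBUser)
    [ "$tok_user" = "$user" ] || { echo "token DBUser is '$tok_user', not '$user'"; return 1; }
    # credential scope is key-id/date/region/service/aws4_request, '/' encoded as %2F
    tok_region=$(token_param "$tok" X-Amz-Credential | sed 's|%2F|/|g' | cut -d/ -f3)
    want=$(rds_region_from_host "$host")
    [ "$tok_region" = "$want" ] || { echo "token signed for '$tok_region', host is in '$want'"; return 1; }
    expires=$(token_param "$tok" X-Amz-Expires)
    [ "$expires" = "900" ] || { echo "unexpected X-Amz-Expires '$expires'"; return 1; }
    return 0
}

# Hypothetical end-to-end wrapper; needs AWS credentials and psql, not run here.
rds_iam_psql() {  # args: host db_user dbname
    host=$1; user=$2; db=$3
    region=$(rds_region_from_host "$host")
    tok=$(aws rds generate-db-auth-token --hostname "$host" --port 5432 --region "$region" --username "$user")
    rds_token_check "$tok" "$host" "$user" || return 1
    PGPASSWORD=$tok psql "host=$host port=5432 sslmode=verify-full sslrootcert=./rds-combined-ca-bundle.pem dbname=$db user=$user"
}

# Constructed sample tokens (key id, date and signature are placeholders).
SAMPLE_HOST="MYRDSHOSTNAME.us-east-2.rds.amazonaws.com"
SAMPLE_TOKEN="$SAMPLE_HOST:5432/?Action=connect&DBUser=db_userx&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAEXAMPLE%2F20200101%2Fus-east-2%2Frds-db%2Faws4_request&X-Amz-Date=20200101T000000Z&X-Amz-Expires=900&X-Amz-SignedHeaders=host&X-Amz-Signature=0000"
# Same token signed for a region the host is not in.
SAMPLE_WRONG_REGION=$(printf '%s\n' "$SAMPLE_TOKEN" | sed 's/%2Fus-east-2%2F/%2Fus-west-2%2F/')
# Token requested for the IAM user name instead of the DB role, as in the question.
SAMPLE_WRONG_USER=$(printf '%s\n' "$SAMPLE_TOKEN" | sed 's/DBUser=db_userx/DBUser=myAWSusername/')

rds_token_check "$SAMPLE_TOKEN" "$SAMPLE_HOST" db_userx && echo "sample token OK"
rds_token_check "$SAMPLE_WRONG_REGION" "$SAMPLE_HOST" db_userx || echo "(rejected as expected)"
rds_token_check "$SAMPLE_WRONG_USER" "$SAMPLE_HOST" db_userx || echo "(rejected as expected)"
```

The two rejected samples correspond to the two ways this flow usually fails: a token requested for the IAM principal's name rather than the PostgreSQL role (the role name, not the IAM user name, is what goes in DBUser and in the dbuser ARN), and a token signed for a different region than the instance. Both produce the same "PAM authentication failed" message on the psql side, so checking the token before connecting saves a round of guessing.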
小智 7
For anyone still running into "PAM authentication failed for user 'xxxx'", check whether your AWS account belongs to an AWS Organizations organization.
If the account belongs to an organization, add rds-db:* to the service control policy of the organizational unit the account is in.
Also check whether there is a hierarchy of IAM users or roles that does not have rds-db permissions.
For more information, see this AWS Premium Support article: https://aws.amazon.com/premiumsupport/knowledge-center/rds-postgresql-connect-using-iam/
Views: 1399