I'm trying to give IAM User access to AWS RDS PostgreSQL with IAM credentials and got error PAM authentication failed for user if DbiResourceId specified in IAM Policy.
1. I created the IAM policy as described in the documentation.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"rds-db:connect"
],
"Resource": [
"arn:aws:rds-db:us-west-2:<My_account_id>:dbuser:<My_DbiResourceId>/readwrite_user"
]
}
]
}
2. Created db user:
CREATE USER readwrite_user WITH LOGIN;
GRANT rds_iam TO readwrite_user;
GRANT CONNECT ON DATABASE database_iam_test TO readwrite_user;
3. Try to connect
export PGPASSWORD="$(aws rds generate-db-auth-token --hostname $RDSHOST --port 5432 --region $REGION --username $DBUSERNAME)"
psql -h $RDSHOST -p 5432 "dbname=database_iam_test user=$DBUSERNAME sslrootcert=./rds-combined-ca-bundle.pem sslmode=verify-ca"
I've got error in this case:
psql: error: could not connect to server: FATAL: PAM authentication failed for user "readwrite_user"
But if I use * instead of DbiResourceId — it's working! So, this policy is working:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"rds-db:connect"
],
"Resource": [
"arn:aws:rds-db:us-west-2:<My_account_id>:dbuser:*/readwrite_user"
]
}
]
}
I have only one DB resource, and I'm sure I use the correct DbiResourceId, which in my settings and returned by command:
aws rds describe-db-instances --query "DBInstances[*].[DBInstanceIdentifier,DbiResourceId]" --region $REGION
Can anybody explain why specifying DbiResourceId cause to error in this case?
