4
votes

I am trying to connect a Postgres RDS serverless instance from a CodeBuild project.

This is where it fails:

psql --host ${PG_HOST} --dbname ${PG_DBNAME} --user ${SECRET_USER} -f /tmp/file

/tmp/file exists, so a file permission/non-existing issue is out of the question.

What I have tried so far, the username and password have been:

  1. Stored as environment variables in CodeBuild
  2. Stored in AWS Secrets Manager

     env:
       secrets-manager:
         # key: secret-id:json-key:version-stage:version-id
         SECRET_USER: rds-db-credentials:username
         SECRET_PASSWORD: rds-db-credentials:password

  3. Given as parameters in the call directly

     psql --host ${PG_HOST} --dbname ${PG_DBNAME} "user=mydbuser password=0fNKJtNv" -f /tmp/file;

  4. Stored in .pgpass file

     echo ${PG_HOST}:${PG_PORT}:${PG_DBNAME}:${SECRET_USER}:${SECRET_PASSWORD} > ~/.pgpass
     chmod 600 ~/.pgpass

And to be sure, I exported the variable too, PGPASSFILE="~/.pgpass"

When I echo the username and password, I only get *** printed, like:

[Container] 2020/09/27 07:39:34 Running command cat ~/.pgpass
something.eu-central-1.rds.amazonaws.com:5432:spumdb:***:***

Errors:

  1. For psql --host ${PG_HOST} --dbname ${PG_DBNAME} --user ${PG_USER} -f /tmp/file, the error is:

     psql: warning: extra command-line argument "/tmp/file" ignored
     Password for user -f: 
     psql: fe_sendauth: no password supplied

  2. For psql --host ${PG_HOST} --dbname ${PG_DBNAME} --user ${SECRET_USER} -f /tmp/file, the error is:

     Password for user ***: 
     psql: fe_sendauth: no password supplied

  3. For psql --host ${PG_HOST} --dbname ${PG_DBNAME} "user=mydbuser password=0fNKJtNv" -f /tmp/file, the error is:

     Password for user user=*** password=***: 
     psql: fe_sendauth: no password supplied

Just for info,

  • The RDS security group has the entry to allow all TCP connections from CodeBuild in the AWS region where the project is (35.157.127.248/29)
  • Both CodeBuild and RDS lie in the same private subnet of a user-created VPC
  • I am able to connect to the RDS instance from an EC2 instance using the same RDS credentials
  • I am using the latest image for Amazon Linux 2 (aws/codebuild/amazonlinux2-x86_64-standard:3.0)

It looks like a problem at the CodeBuild end, not at the RDS end. For some reason, CodeBuild doesn't get the value of the parameters, that too only username and password, others like hostname, dbname are evaluated correctly!

Does anybody see any problem anywhere? Thank you!


1 Answers

3
votes

I tried to replicate the issue, but the only thing I found is that you should be using --username, not --user. Anyway, here is my buildspec.yml used for the verification:

version: 0.2

env:
  variables:
    PG_HOST: database-1.cm3c1syrcj06.us-east-1.rds.amazonaws.com
    PG_PORT: 5432
    PG_DBNAME: mydb
  secrets-manager:
    # key: secret-id:json-key
    SECRET_USER: rds-db-credentials:username
    SECRET_PASSWORD: rds-db-credentials:password
phases:
  pre_build:
    commands:
      # psql reads the password from ~/.pgpass, which must be mode 0600
      - echo ${PG_HOST}:${PG_PORT}:${PG_DBNAME}:${SECRET_USER}:${SECRET_PASSWORD} > ~/.pgpass
      - chmod 600 ~/.pgpass
  build:
    commands:
      # reversed output is not masked as *** in the build log
      - cat ~/.pgpass | rev
      - echo "\dt" > /tmp/file
      - psql --host ${PG_HOST} --dbname ${PG_DBNAME} --username ${SECRET_USER} -f /tmp/file

In the above I use a little trick to show the password and username, but in reverse. Otherwise you see only ***.

Everything works as expected, and CB connects to the database, as evident from the "No relations found" message (this was expected, as my db is empty):

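As an added example (not part of the question or the answer above), the .pgpass step can be written so that the injected secrets are checked for being non-empty without reaching the build log, and so that a password containing ":" or "\" still produces a valid entry. The helper names pgpass_escape, secret_status and write_pgpass are hypothetical, and the sample values are constructed.

```shell
#!/bin/sh
# Added example: build .pgpass from injected secrets without logging them.

# Escape the two characters .pgpass treats specially: backslash and colon.
pgpass_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/:/\\:/g'
}

# Report whether a secret resolved, without printing its value.
secret_status() {   # usage: secret_status NAME VALUE
    if [ -n "$2" ]; then
        echo "$1: set"
    else
        echo "$1: EMPTY" >&2
        return 1
    fi
}

# Write a one-entry password file readable by the owner only.
write_pgpass() {    # usage: write_pgpass HOST PORT DB USER PASSWORD [FILE]
    file=${6:-"$HOME/.pgpass"}   # $HOME: a quoted "~" is not expanded
    (
        umask 077
        printf '%s:%s:%s:%s:%s\n' \
            "$(pgpass_escape "$1")" "$(pgpass_escape "$2")" \
            "$(pgpass_escape "$3")" "$(pgpass_escape "$4")" \
            "$(pgpass_escape "$5")" > "$file"
    )
    chmod 600 "$file"
}

# Demo with constructed values (not real credentials), using a temp file.
demo_file=$(mktemp)
secret_status SECRET_USER 'mydbuser'
secret_status SECRET_PASSWORD 'p:ss\word'
write_pgpass db.example.internal 5432 mydb 'mydbuser' 'p:ss\word' "$demo_file"
# In the build, psql would then be invoked without a password prompt:
#   PGPASSFILE="$demo_file" psql --host "$PG_HOST" --dbname "$PG_DBNAME" \
#       --username "$SECRET_USER" --no-password -f /tmp/file
rm -f "$demo_file"
```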