【发布时间】:2020-06-11 22:10:13
【问题描述】:
我正在尝试使用 IAM 凭证授予 IAM 用户对 AWS RDS PostgreSQL 的访问权限,如果在 IAM 策略中指定了 DbiResourceId,则会收到错误 PAM authentication failed for user。
1. 我按照in the documentation 的描述创建了 IAM 策略。
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"rds-db:connect"
],
"Resource": [
"arn:aws:rds-db:us-west-2:<My_account_id>:dbuser:<My_DbiResourceId>/readwrite_user"
]
}
]
}
2。创建数据库用户:
CREATE USER readwrite_user WITH LOGIN;
GRANT rds_iam TO readwrite_user;
GRANT CONNECT ON DATABASE database_iam_test TO readwrite_user;
3。尝试连接
export PGPASSWORD="$(aws rds generate-db-auth-token --hostname $RDSHOST --port 5432 --region $REGION --username $DBUSERNAME)"
psql -h $RDSHOST -p 5432 "dbname=database_iam_test user=$DBUSERNAME sslrootcert=./rds-combined-ca-bundle.pem sslmode=verify-ca"
在这种情况下我遇到了错误:
psql: error: could not connect to server: FATAL: PAM authentication failed for user "readwrite_user"
但是,如果我使用 * 而不是 DbiResourceId - 它可以工作! 所以,这项政策正在发挥作用:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"rds-db:connect"
],
"Resource": [
"arn:aws:rds-db:us-west-2:<My_account_id>:dbuser:*/readwrite_user"
]
}
]
}
我只有一个数据库资源,而且我确定我使用了正确的 DbiResourceId,它在我的设置中并由命令返回:
aws rds describe-db-instances --query "DBInstances[*].[DBInstanceIdentifier,DbiResourceId]" --region $REGION
谁能解释为什么在这种情况下指定 DbiResourceId 会导致错误?
【问题讨论】:
标签: postgresql amazon-web-services amazon-rds amazon-iam