using awsProfile parameter to assume another role using Ec2InstanceMetadata not working. #1233

Closed
souradeepDe225 opened this issue Dec 27, 2024 · 0 comments
Labels
bug Something isn't working

souradeepDe225 commented Dec 27, 2024

Describe the bug

I wish to establish a connection between an EC2 instance and RDS. Now the role which is attached to the instance does not have permissions to connect to the DB, so I have to assume another role and then try to establish the connection. So, I created an .aws/config file and added the following line

role_arn = arn:aws:iam::123456789123:role/226722-03-runtime-role
credential_source = Ec2InstanceMetadata

In the connection string I have added the awsProfile parameter
jdbc:aws-wrapper:postgresql://rdsap226722sbx-dd-new-cl.cluster-fkshgfakhr.us-east-1.rds.amazonaws.com:1433/A226722_my_db?user=myuser&awsProfile=226722&wrapperPlugins=iam&iamRegion=us-east-1

Expected Behavior

I expected the connection to be established by assuming the target role in the profile.

What plugins are used? What other connection properties were set?

aws-advanced-jdbc-wrapper-2.5.4.jar, all other AWS packages version-2.23.2

Current Behavior

Getting "PAM authentication failed...", and here are the logs:

Dec 27, 2024 12:53:02 PM software.amazon.jdbc.targetdriverdialect.TargetDriverDialectManager logDialect
FINEST: Target driver dialect set to: 'pgjdbc', software.amazon.jdbc.targetdriverdialect.PgTargetDriverDialect@7e774085.
Dec 27, 2024 12:53:02 PM software.amazon.jdbc.ConnectionPluginChainBuilder getPlugins
FINEST: Plugins order has been rearranged. The following order is in effect: IamAuthConnectionPluginFactory
Dec 27, 2024 12:53:02 PM software.amazon.jdbc.hostlistprovider.RdsHostListProvider refresh
FINEST: Topology:
HostSpec[host=rdsap226722sbx-dd-new-cl.cluster-fkshgfakhr.us-east-1.rds.amazonaws.comyuser, port=1433, WRITER, AVAILABLE, weight=100, null]
Dec 27, 2024 12:53:03 PM software.amazon.jdbc.plugin.iam.IamAuthConnectionPlugin connectInternal
FINEST: Generated new authentication token = ''
Dec 27, 2024 12:53:03 PM software.amazon.jdbc.DriverConnectionProvider connect
FINEST: Connecting to jdbc:postgresql://rdsap226722sbx-dd-new-cl.cluster-fkshgfakhr.us-east-1.rds.amazonaws.comyuser:1433/A226722_my_db
with properties:
[password] ***
[tcpKeepAlive] false
[user] myuser
Dec 27, 2024 12:53:03 PM software.amazon.jdbc.plugin.iam.IamAuthConnectionPlugin connectInternal
FINEST: Error occurred while opening a connection: 'org.postgresql.util.PSQLException: FATAL: PAM authentication failed for user "myuser"'
Exception in thread "main" org.postgresql.util.PSQLException: FATAL: PAM authentication failed for user "myuser"
at org.postgresql.core.v3.ConnectionFactoryImpl.doAuthentication(ConnectionFactoryImpl.java:711)
at org.postgresql.core.v3.ConnectionFactoryImpl.tryConnect(ConnectionFactoryImpl.java:213)
at org.postgresql.core.v3.ConnectionFactoryImpl.openConnectionImpl(ConnectionFactoryImpl.java:268)
at org.postgresql.core.ConnectionFactory.openConnection(ConnectionFactory.java:54)
at org.postgresql.jdbc.PgConnection.<init>(PgConnection.java:273)
at org.postgresql.Driver.makeConnection(Driver.java:446)
at org.postgresql.Driver.connect(Driver.java:298)
at software.amazon.jdbc.DriverConnectionProvider.connect(DriverConnectionProvider.java:138)
at software.amazon.jdbc.plugin.DefaultConnectionPlugin.connectInternal(DefaultConnectionPlugin.java:195)
at software.amazon.jdbc.plugin.DefaultConnectionPlugin.connect(DefaultConnectionPlugin.java:178)
at software.amazon.jdbc.ConnectionPluginManager.lambda$connect$6(ConnectionPluginManager.java:378)
at software.amazon.jdbc.ConnectionPluginManager.lambda$null$0(ConnectionPluginManager.java:268)
at software.amazon.jdbc.ConnectionPluginManager.executeWithTelemetry(ConnectionPluginManager.java:245)
at software.amazon.jdbc.ConnectionPluginManager.lambda$makePluginChainFunc$1(ConnectionPluginManager.java:268)
at software.amazon.jdbc.ConnectionPluginManager.lambda$null$2(ConnectionPluginManager.java:273)
at software.amazon.jdbc.plugin.iam.IamAuthConnectionPlugin.connectInternal(IamAuthConnectionPlugin.java:176)
at software.amazon.jdbc.plugin.iam.IamAuthConnectionPlugin.connect(IamAuthConnectionPlugin.java:116)
at software.amazon.jdbc.ConnectionPluginManager.lambda$connect$6(ConnectionPluginManager.java:378)
at software.amazon.jdbc.ConnectionPluginManager.lambda$null$3(ConnectionPluginManager.java:272)
at software.amazon.jdbc.ConnectionPluginManager.executeWithTelemetry(ConnectionPluginManager.java:245)
at software.amazon.jdbc.ConnectionPluginManager.lambda$makePluginChainFunc$4(ConnectionPluginManager.java:272)
at software.amazon.jdbc.ConnectionPluginManager.executeWithSubscribedPlugins(ConnectionPluginManager.java:235)
at software.amazon.jdbc.ConnectionPluginManager.connect(ConnectionPluginManager.java:375)
at software.amazon.jdbc.wrapper.ConnectionWrapper.init(ConnectionWrapper.java:161)
at software.amazon.jdbc.wrapper.ConnectionWrapper.<init>(ConnectionWrapper.java:105)
at software.amazon.jdbc.Driver.connect(Driver.java:183)
at java.sql/java.sql.DriverManager.getConnection(DriverManager.java:683)
at java.sql/java.sql.DriverManager.getConnection(DriverManager.java:191)
at org.example.AwsIamAuthenticationPostgresqlExample.main(AwsIamAuthenticationPostgresqlExample.java:44)
Suppressed: org.postgresql.util.PSQLException: FATAL: pg_hba.conf rejects connection for host "34.201.92.70", user "myuser", database "A226722_my_db", no encryption
at org.postgresql.core.v3.ConnectionFactoryImpl.doAuthentication(ConnectionFactoryImpl.java:711)
at org.postgresql.core.v3.ConnectionFactoryImpl.tryConnect(ConnectionFactoryImpl.java:213)
at org.postgresql.core.v3.ConnectionFactoryImpl.openConnectionImpl(ConnectionFactoryImpl.java:277)
... 26 more

Reproduction Steps

// The Java code I used
package org.example;

import software.amazon.jdbc.PropertyDefinition;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Properties;


public class AwsIamAuthenticationPostgresqlExample {
    public static final String POSTGRESQL_CONNECTION_STRING =
            "jdbc:aws-wrapper:postgresql://rdsap226722sbx-dd-new-cl.cluster-fkshgfakhr.us-east-1.rds.amazonaws.com:1433/A226722_my_db?user=myuser&awsProfile=test&wrapperPlugins=iam&iamRegion=us-east-1";

    public static void main(String[] args) throws SQLException {

        final Properties properties = new Properties();


        properties.setProperty("wrapperLoggerLevel", "finest");

        // Attempt a connection
        try (Connection conn = DriverManager.getConnection(POSTGRESQL_CONNECTION_STRING,properties);
             Statement statement = conn.createStatement();
             ResultSet result = statement.executeQuery("select aurora_db_instance_identifier()")) {

             System.out.println(Util.getResult(result));
        }
    }
}

Possible Solution

No response

Additional Information/Context

I was able to achieve the same using AWS CLI and psql

The AWS Advanced JDBC Driver version used

2.5.4

JDK version used

openjdk 21.0.5 2024-10-15

Operating System and version

ubuntu-24.04
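
An added example, not part of the original issue or of the project's code: an offline check that the profile named by `awsProfile` in a JDBC URL is defined in `~/.aws/config` text as an assume-role profile. The `[profile ...]` header, the host name and the function names are assumptions; the key/value lines and URL parameters follow the issue.

```python
import configparser

# Constructed sample input modelled on the issue. The [profile ...] header and
# the host name are assumptions; the issue shows only the two key = value lines.
SAMPLE_CONFIG = """\
[profile 226722]
role_arn = arn:aws:iam::123456789123:role/226722-03-runtime-role
credential_source = Ec2InstanceMetadata
"""
SAMPLE_URL = ("jdbc:aws-wrapper:postgresql://db.example.com:1433/A226722_my_db"
              "?user=myuser&awsProfile=test&wrapperPlugins=iam&iamRegion=us-east-1")
VALID_SOURCES = {"Environment", "Ec2InstanceMetadata", "EcsContainer"}


def profile_from_url(jdbc_url):
    """Return the awsProfile query parameter of a JDBC URL, or None."""
    for pair in jdbc_url.partition("?")[2].split("&"):
        key, _, value = pair.partition("=")
        if key == "awsProfile":
            return value
    return None


def check_profile(config_text, profile):
    """List the problems that stop `profile` from describing an assumed role."""
    cfg = configparser.ConfigParser(interpolation=None)
    try:
        cfg.read_string(config_text)
    except configparser.MissingSectionHeaderError:
        return ["settings appear before any [profile ...] header"]
    # ~/.aws/config names profiles "[profile NAME]"; only "[default]" is bare.
    section = "default" if profile == "default" else f"profile {profile}"
    if not cfg.has_section(section):
        hint = f" (found bare [{profile}])" if cfg.has_section(profile) else ""
        return [f"[{section}] is not defined{hint}"]
    keys = cfg[section]
    problems = []
    if "role_arn" not in keys:
        problems.append("role_arn is missing")
    has_src = [k for k in ("source_profile", "credential_source") if k in keys]
    if len(has_src) != 1:
        problems.append("set exactly one of source_profile / credential_source")
    elif has_src == ["credential_source"] and keys[has_src[0]] not in VALID_SOURCES:
        problems.append(f"credential_source {keys[has_src[0]]!r} is not recognised")
    return problems
```

Run `check_profile(config_text, profile_from_url(url))` against the real file contents and connection string; an empty list means the profile is at least well-formed, not that the role can be assumed.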
