Re: Amazon RDS auth tokens in .pgpass - Mailing list pgsql-admin

From Tom Lane
Subject Re: Amazon RDS auth tokens in .pgpass
Date
Msg-id 4119486.1598897040@sss.pgh.pa.us
In response to Amazon RDS auth tokens in .pgpass  (Nicholas Chammas <nicholas.chammas@gmail.com>)
Responses Re: Amazon RDS auth tokens in .pgpass  (Nicholas Chammas <nicholas.chammas@gmail.com>)
List pgsql-admin
Nicholas Chammas <nicholas.chammas@gmail.com> writes:
> I am trying to connect to a Postgres database on Amazon RDS using IAM
> authentication. This works by having IAM generate an authentication token
> that you use as the password for the database user you're connecting as.
> You can read more about this here:
> https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.Connecting.AWSCLI.PostgreSQL.html
> Here's an example of what one of these auth tokens looks like (with some of
> the sections redacted/altered from a real token):

> ```
> some-host.us-east-1.rds.amazonaws.com:5432/?DBUser=someuser&Action=connect&X-Amz-SignedHeaders=host&X-Amz-Security-Token=FwoGZXIvYXdzEHcaDD1hC2q3GGNNaftOvCLRAetaDArXOt6kpr1Ac83hzwtPxEojvZzARJN%2Ftys%2BkLnxsP6FmHmIMmMERWeGBiJmNcUyXWYY%2BSU9oduSSeAv%2BCpYy028Cep%2Bpyl1Km3B5axPAA2q0L4NWa41LQOayWF8F7%2FlB540%2B0aSkZ%2BIucM%2BLZXTcQl3Q0nJiIgu65lhuME4q3Mvst1ZEaZWfUegCWGaX0npajiKbNU2Ut3FH%2F6046RxlNwO4jg4vteTcPk%2BfgMjuAkf5gFR9EYMTziRx1dJGJn8VGFLTugGVITQI%2FEC1iuqKNb%2Fs%2FoFMisfzgF1nd7kxcZYYAmQtugBnDuJuIboYwYAXI2qn7HDbhgQ5v%2FwPWfZieWO&X-Amz-Credential=ABCDEFGHIJKLMNOPQRST%2F20200831%2Fus-east-1%2Frds-db%2Faws4_request&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=900&X-Amz-Date=20200831T163708Z&X-Amz-Signature=fb41c59dcaf4e013eda6885a4d456549366d2612ecf06307d2443b6a44461ab7
> ```

Ugh :-(

> It's only the combination of a) .pgpass and b) RDS auth token that doesn't
> work. This leads me to believe something is going wrong on a code path
> specific to .pgpass, or that there are some undocumented restrictions on
> what can go in .pgpass.

Looking at the source code, there's a hard-wired restriction that lines of
.pgpass can't be more than 320 characters long (well, NAMEDATALEN*5, but
very few builds don't have NAMEDATALEN=64).  I see that somebody very
recently added code to make libpq print a warning for overlength lines,
but I wonder why they didn't just, um, remove the restriction.  We had
not previously heard of a use-case for passwords with hundreds of
characters in them, but I guess we need to cope.

If you're in a position to rebuild libpq, could you check that changing
LINELEN in fe-connect.c to something large enough (like 1K) fixes your
problem?  While that's clearly one issue, it'd be good to verify that
there's not another one lurking behind it.

            regards, tom lane
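The following is an added example, not code from this thread or from libpq itself. It lets a practitioner check, before editing `.pgpass`, whether a candidate password such as an RDS IAM token will fit the 320-character line limit (NAMEDATALEN*5) that Tom identifies above. It also applies libpq's documented `.pgpass` escaping rule (a literal `:` or `\` in any field must be written as `\:` or `\\`), which matters here because the quoted token contains a literal `:` in its `host:5432` prefix; that rule comes from the libpq documentation, not from the thread. The host, user and token values below are constructed placeholders.

```python
"""Added example: does a password fit a .pgpass line under the 320-character
(NAMEDATALEN*5) limit that the thread identifies? Not code from libpq."""

# Names mirror the libpq constants mentioned in the thread.
NAMEDATALEN = 64
LINELEN = NAMEDATALEN * 5          # 320 characters per .pgpass line


def escape_pgpass_field(value: str) -> str:
    """Escape '\\' and ':' as libpq's documented .pgpass format requires."""
    return value.replace("\\", "\\\\").replace(":", "\\:")


def build_pgpass_line(host: str, port: str, dbname: str, user: str, password: str) -> str:
    """Assemble one hostname:port:database:username:password entry."""
    return ":".join(escape_pgpass_field(f) for f in (host, port, dbname, user, password))


def split_pgpass_line(line: str) -> list:
    """Split an entry on unescaped colons, honouring the '\\:' and '\\\\' escapes."""
    fields, current, i = [], [], 0
    while i < len(line):
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):
            current.append(line[i + 1])   # keep the escaped character literally
            i += 2
        elif ch == ":":
            fields.append("".join(current))
            current = []
            i += 1
        else:
            current.append(ch)
            i += 1
    fields.append("".join(current))
    return fields


def audit_pgpass(text: str, limit: int = LINELEN) -> list:
    """Report each non-comment entry: its length, field count and whether it
    exceeds the line limit (the failure mode behind the thread's symptom)."""
    report = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.rstrip("\n")
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        fields = split_pgpass_line(line)
        report.append({
            "line": lineno,
            "length": len(line),
            "fields": len(fields),
            "over_limit": len(line) > limit,
        })
    return report


# Constructed sample credentials (placeholder host, user and token; not real).
SHORT_LINE = build_pgpass_line("localhost", "5432", "appdb", "alice", "s3cret")
FAKE_TOKEN = ("db.example.invalid:5432/?DBUser=alice&Action=connect"
              "&X-Amz-Security-Token=" + "A" * 600)
LONG_LINE = build_pgpass_line("db.example.invalid", "5432", "appdb", "alice", FAKE_TOKEN)
SAMPLE_PGPASS = "# constructed sample\n" + SHORT_LINE + "\n" + LONG_LINE + "\n"


if __name__ == "__main__":
    for entry in audit_pgpass(SAMPLE_PGPASS):
        print(entry)
```

Running it reports the short entry as within the limit and the token entry as over it, which is the condition that makes libpq (at the version discussed) ignore or warn about the line. The split function only checks the file's syntax; it does not implement libpq's `*` wildcard matching of host, port, database and user against the connection parameters.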


