I have followed these steps to connect RDS Proxy to connect RDS from lambda
https://aws.amazon.com/blogs/compute/using-amazon-rds-proxy-with-aws-lambda/
Whenever I'm running in lambda, it's connecting but later whenever we execute query it will disconnect by showing this message
FATAL: RDS Proxy supports only IAM or MD5 authentication.
While troubleshooting
1)I have added AmazonRDSDataFullAccess to role.
2)I have added below one's also to policy
{
"Effect": "Allow",
"Action": "kms:Decrypt",
"Resource": "arn:aws:kms:eu-west-1:[acct-id]:key/*",
"Condition": {
"StringEquals": {
"kms:ViaService": "secretsmanager.eu-west-1.amazonaws.com"
}
}
}
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"rds-db:connect"
],
"Resource": [
"arn:aws:rds-db:ue-west-1:[acct-id]:dbuser:prx-ABCDEFGHIJKL01234/*"
]
}
]
}
3)Created a new read-write role within my actual RDS instance same as IAM name
4)Only thing is that I couldn't create DefaultEncryptionKey instead I was getting my secret key only to select
export PGPASSWORD="$(aws rds generate-db-auth-token --hostname ${host} --port 5432 --region eu-west-1 --username iamuser)"
psql -h ${host} -p 5432 -d postgres -U iamuser
psql (14.4, server 13.4)
SSL connection (protocol: TLSv1.3, cipher:***, bits: 256, compression: off)
Type "help" for help.
postgres=> select current_user;
FATAL: RDS Proxy supports only IAM or MD5 authentication
SSL connection has been closed unexpectedly
The connection to the server was lost. Attempting reset: Succeeded.
psql (14.4, server 13.4)
SSL connection (protocol: TLSv1.3, cipher: ***, bits: 256, compression: off)
I have the same issue. Fixed by creating a new user in the PostgreSQL database and using that user for the proxy.
With the default user:
$ export RDSHOSTNAME="mycluster.proxy-xxxxxxx"
$ export RDSREGION="eu-central-1"
$ export PGDATABASE="mydatabase"
$ export PGUSER="mydefaultuser"
$ export PGHOST="${RDSHOSTNAME}.${RDSREGION}.rds.amazonaws.com"
$ export PGSSLROOTCERT="/tmp/rds-ca.pem"
$ export PGSSLMODE="verify-full"
$ export PGPASSWORD="$(aws rds generate-db-auth-token --hostname ${PGHOST} --port 5432 --region ${RDSREGION} --username ${PGUSER})"
$ psql
psql (13.7 (Debian 13.7-0+deb11u1), server 13.4)
SSL connection (protocol: TLSv1.3, cipher: TLS_AES_256_GCM_SHA384, bits: 256, compression: off)
Type "help" for help.
mydatabase=> select * from mytable;
FATAL: RDS Proxy supports only IAM or MD5 authentication.
SSL connection has been closed unexpectedly
The connection to the server was lost. Attempting reset: Succeeded.
psql (13.7 (Debian 13.7-0+deb11u1), server 13.4)
SSL connection (protocol: TLSv1.3, cipher: TLS_AES_256_GCM_SHA384, bits: 256, compression: off)
Create a new user for the proxy:
CREATE ROLE rdsproxyuser WITH LOGIN PASSWORD '123456';
GRANT ALL PRIVILEGES ON DATABASE mydatabase to rdsproxyuser;
GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO rdsproxyuser;
$ export RDSHOSTNAME="mycluster.proxy-xxxxxxx"
$ export RDSREGION="eu-central-1"
$ export PGDATABASE="mydatabase"
$ export PGUSER="rdsproxyuser"
$ export PGHOST="${RDSHOSTNAME}.${RDSREGION}.rds.amazonaws.com"
$ export PGSSLROOTCERT="/tmp/rds-ca.pem"
$ export PGSSLMODE="verify-full"
$ export PGPASSWORD="$(aws rds generate-db-auth-token --hostname ${PGHOST} --port 5432 --region ${RDSREGION} --username ${PGUSER})"
$ psql
psql (13.7 (Debian 13.7-0+deb11u1), server 13.4)
SSL connection (protocol: TLSv1.3, cipher: TLS_AES_256_GCM_SHA384, bits: 256, compression: off)
Type "help" for help.
mydatabase=> select * from mytable;
id | column1 | column2 | column3
---+---------+---------+---------
SNIP
My main guess is that AWS RDS doesn’t use MD5 for storing the password of the default account but scram-sha-256 which is not supported by the proxy.
https://www.postgresql.org/docs/13/auth-password.html
Related
I'm setting a replica set on 3 mongodb instances on debian 9 and I enabled TLS authentication for the replica set members. Here's the configuration :
security:
authorization: enabled
clusterAuthMode: x509
net:
tls:
mode: requireTLS
certificateKeyFile: crt-key.pem
CAFile: chain.crt
clusterFile: crt-key.pem
certificateKeyFilePassword: XXXXXX
clusterPassword: XXXXXX
allowConnectionsWithoutCertificates: true
replication:
replSetName: "my-replica-set"
The replication works fine but I can't connect with a username/password to the database :
mongosh --port 27017 --authenticationDatabase "admin" -u "user" -p
MongoServerSelectionError: connection <monitor> to 127.0.0.1:27017 closed
Here's the log :
{"t":{"$date":"2022-05-30T18:02:07.696+02:00"},"s":"I", "c":"NETWORK", "id":22988, "ctx":"conn30","msg":"Error receiving request from client. Ending connection from remote","attr":{"error":{"code":141,"codeName":"SSLHandshakeFailed","errmsg":"The server is configured to only allow SSL connections"},"remote":"127.0.0.1:46486","connectionId":30}}
net:
tls:
certificateKeyFile: crt-key.pem
clusterFile: crt-key.pem
is redundant. If clusterFile is not provided then certificateKeyFile is used. So, you can simply use
net:
tls:
mode: requireTLS
certificateKeyFile: crt-key.pem
CAFile: chain.crt
certificateKeyFilePassword: XXXXXX
allowConnectionsWithoutCertificates: true
mode: requireTLS means, client and replicaset members have to use TLS/SSL, thus you must enable TLS/SSL also for client.
You need to specify tls option:
mongosh --tls --port 27017 --authenticationDatabase "admin" -u "user" -p
Depending on your openssl library version, you may also have to specify the CA-File, i.e.
mongosh --tls --tlsCAFile "chain.crt" --port 27017 --authenticationDatabase "admin" -u "user" -p
If you like to enable TLS/SSL only for replicaset members, then use
net:
tls:
mode: preferTLS
Now, you can connect with
mongosh --port 27017 --authenticationDatabase "admin" -u "user" -p
Note, depending on your CA this setup can be security risk. If chain.crt is your own CA protected with your secret private key, then you are on the safe side. However, chain.crt also could be a company wide, commonly used CA. In this case an attacker only needs to create an arbitrary certificate where the Organization attributes (O's), the Organizational Unit attributes (OU's), and the Domain Components (DC's) matches the crt-key.pem and which is accepted by chain.crt (which could be done by a simple ticket to your IT department).
Organization attributes (O's), the Organizational Unit attributes (OU's), and the Domain Components (DC's) of crt-key.pem server certificate you get simply by
openssl s_client -showcerts -connect <hostname>:27017
I'm trying to connect to a remote psql server and I get the below error:
psql: FATAL: no pg_hba.conf entry for host "IP_Address", user "root", database "testdb", SSL off
psql: could not connect to server: No such file or directory
PostgreSQL server log:
t[2020-04-15 16:42:30.634 +03] p[19813] hp[<IP_Address>(51448)] db[[unknown]] u[[unknown]] a[[unknown]] tx[0:] s[5e970f46.4d65:1] e[00000] i[] LOG: connection received: host=<IP_Address> port=51448
t[2020-04-15 16:42:30.636 +03] p[19813] hp[<IP_Address>(51448)] db[testdb] u[root] a[[unknown]] tx[0:5/276857] s[5e970f46.4d65:2] e[28000] i[authentication] FATAL: no pg_hba.conf entry for host "<IP_Address>", user "root", database "testdb", SSL off
Psql server receives the connection but cant authenticate the user for db but root user have all privileges on testdb.
I have the following entry in my hba conf:
host testdb root <IP_Address/32> trust
I have the following lines in my bash script which connects to remote psql and insert required values.
database="testdb"
result=`df -h`
hostname=`hostname`
psql -h <IP_Address> -U root -d $database -c "INSERT INTO os.info VALUES ('$hostname','$result')"
The user root in psql hasn't got password. Script is working fine in local psql server .
In your PSQL connection string the IP_Address need to be replace with the IP of remote server.
Are you declaring the IP_Address parameter in your bash script?
if yes then your psql connection string need to use that parameter by replacing IP_Address with $IP_Address and string will be like
psql -h $IP_Address -U root -d $database -c "INSERT INTO os.info VALUES ('$hostname','$result')"
I have a trouble. I can't connect to my mongodb server via SSL from Windows 10. I connected to the server from Ubuntu successfully.
Command:
mongo.exe --host myHost -u myUser -p myPassword --ssl --sslPEMKeyFile C:\mongo-client.pem --sslCAFile C:\mongo-client.crt --sslPEMKeyPassword myKey
On Windows I got error:
Failed global initialization: InvalidSSLConfiguration Encrypted private keys are not supported, use the Windows certificate store instead: C:\mongo-client.pem
I'm trying to connect remotely on a mongodb server throw my local machine, but i'm having some issues.
On the remote server i modified the 'mongod.cfg' file and i changed the bindIp from 127.0.0.1 to 0.0.0.0 to allow access. In the same file i changed the security by adding Authentication: 'enabled'.
I created an admin user:
> use admin
> db.createUser({user: "root", pwd: "root", roles:["root"]})
I started mongodb with --auth flag
> mongod --auth --port 27017
Once the server was up, i connect to it as administrator
mongo 127.0.0.1:27017 -u "root" -p "root" --authenticationDatabase "admin"
Once i was connected, i created a normal user
> use base
> db.createUser({user: "base", pwd: "base", roles:["dbOwner"]})
Then i disconnected from mongo shell and reconnected with new user credentials
> mongo 127.0.0.1/base -u "base" -p "base"
It worked properly on the remote server.
On the local machine i tried:
> mongo <ip address of the server>/base -u "base" -p "base"
I'm getting this error:
> mongo <ip address>:27017/base -u "base" -p "base"
[js] Error: couldn't connect to server <ip address>:27017, connection attempt failed: SocketException: Error connecting to <ip address>:27017 :: caused by :: Operation timed out :
connect#src/mongo/shell/mongo.js:344:17
#(connect):2:6
exception: connect failed
Could be that your local machine and remote server use different versions of MongoDB shell.
Which versions of mongo shell are you using?
You would also need to enclose the connection string in double quotes:
mongo "<ip address>:27017/base" -u "base" -p "base".
Another issue could be that you need to white list your i.p or configure your firewall rules.
I am trying to log into PostgreSQL on my EC2 server via SSH using Navicat.
I get the following error message:
"80070007: SSH Tunnel: Socket error on connecting. WSAGetLastError return 10061($274D)"
On the server, the "role" postgres already exists, and there is already a database called postgres. I have assigned a password to postgres (using ALTER NAME command via Putty).
The SSH settings I am using in Navicat are:
Port: 5432
User Name: [admin user name]
Authentication Method: Public Key
The Connection settings are:
Host Name: localhost
Port: 3306
Initial Database: postgres
User Name: postgres
Password: [password]
When I connect to the MySQL server on the same machine, the settings are exactly the same except for:
SSH to Port 22
User Name (for connection): root (with corresponding password)
I have tried the SSH to port 22, in which case the error message is:
"could not connect to server: Connection refused (0x0000274D/10061)
Is the server running on host "localhost" and accepting TCP/IP connections on port 60122?
received invalid response to SSL negotiation:4"
Any ideas on what settings I need to change to get this to work?
Your config seems to be very wrong.
ssh port should be not 5432, but 22 (ssh default).
postgresql port should be not 3306 (this is actually MySQL), but 5432 (postgres default)
To verify your setup, try ssh-ing into your EC2 instance manually.
After you ssh in, check if you can execute "telnet localhost 5432".
If you see an error immediately, that would mean that postgres server is not running.
If you see nothing - this is good sign and means that Postgres is running.
You can quit from this by Ctrl-], q, Enter.
Note that EC2 instances may require you to use ssh public key authentication (not a password). In this case, you will have to find option in Navicat to provide such a key.