aws rds generate-db-auth-token creates invalid token when executed inside ECS container #3639
Comments
@ejoebstl - Thank you for reaching out. Based on the information provided so far it appears the IAM role and related policies on the ECS containers may not have sufficient permission to connect to the RDS database. Please review the online documentation below and confirm the container has the correct IAM permissions. Just wanted to add: Thanks.
Hello, yes, while I initially assumed that this is a cli issue, it seems like a permission issue. I'm currently investigating together with the ecs agent team here. I'm closing this issue. Thanks!
Hi @ejoebstl,
Thank you - we came to the same conclusion from the other issue.
No, the discussion continued in the referenced issue. I will ask to re-open it.
Is there a solution for this issue? I'm facing the same problem when connecting to RDS from ECS/Fargate.
I've created a small service which uses IAM to connect to a postgres database, according to the documentation.
This works fine when I execute it on the local machine using the same policy.
However, when I execute inside a container deployed to ECS, authentication fails with the returned token. The error is:
psql: FATAL: PAM authentication failed for user "backup_user"
Also, the token returned by the command is significantly longer when invoked on ECS. More specifically, it contains an additional very large parameter called X-Amz-Security-Token=.
I have verified that all environment variables are equal. When the extra parameter is removed, the created tokens are equal except timestamps and signatures.
When the token from ECS is copied to a local machine (where the commands work), the authentication also fails.
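The manual comparison described in the report above can be scripted. This is an added example, not code from the issue or from the AWS CLI: it parses two auth tokens, reports whether each was signed with temporary credentials (the case in which `X-Amz-Security-Token` appears) without echoing secret values, and diffs everything except timestamps, signatures and key material. The host, region, key IDs and token values below are constructed.

```python
from urllib.parse import parse_qs

# Parameters expected to differ between two tokens for the same target.
VOLATILE = {"X-Amz-Date", "X-Amz-Signature", "X-Amz-Security-Token"}

def parse_token(token):
    """Split 'host:port/?query' into host, port and a flat parameter dict."""
    endpoint, sep, query = token.strip().partition("/?")
    if not sep:
        raise ValueError("missing '/?' separator; not an RDS auth token")
    host, _, port = endpoint.rpartition(":")
    params = {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}
    return host, port, params

def summarize(token):
    """Report the signing inputs without echoing any secret value."""
    host, port, p = parse_token(token)
    # X-Amz-Credential is <key id>/<date>/<region>/<service>/aws4_request
    scope = (p.get("X-Amz-Credential", "").split("/") + [""] * 5)[:5]
    return {
        "host": host, "port": port, "db_user": p.get("DBUser"),
        "key_id_prefix": scope[0][:4], "region": scope[2], "service": scope[3],
        "has_session_token": "X-Amz-Security-Token" in p,
        "session_token_length": len(p.get("X-Amz-Security-Token", "")),
    }

def stable_diff(token_a, token_b):
    """Fields that differ once volatile parameters and key id/date are ignored."""
    def stable(token):
        host, port, p = parse_token(token)
        fields = {k: v for k, v in p.items() if k not in VOLATILE}
        scope = fields.pop("X-Amz-Credential", "").split("/")
        fields.update(host=host, port=port, scope="/".join(scope[2:]))
        return fields
    a, b = stable(token_a), stable(token_b)
    return {k: (a.get(k), b.get(k)) for k in sorted(a.keys() | b.keys()) if a.get(k) != b.get(k)}

# Constructed sample tokens (not real credentials, host or signatures).
_BASE = ("mydb.example.invalid:5432/?Action=connect&DBUser=backup_user"
         "&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=900&X-Amz-SignedHeaders=host")
LOCAL_TOKEN = (_BASE + "&X-Amz-Credential=AKIAEXAMPLE000000000%2F20180101%2Fus-east-1%2Frds-db%2Faws4_request"
               "&X-Amz-Date=20180101T000000Z&X-Amz-Signature=aaaa")
ECS_TOKEN = (_BASE + "&X-Amz-Credential=ASIAEXAMPLE000000000%2F20180101%2Fus-east-1%2Frds-db%2Faws4_request"
             "&X-Amz-Date=20180101T000500Z&X-Amz-Security-Token=CONSTRUCTED%2FSESSION%2FTOKEN&X-Amz-Signature=bbbb")

if __name__ == "__main__":
    print(summarize(LOCAL_TOKEN))
    print(summarize(ECS_TOKEN))
    print(stable_diff(LOCAL_TOKEN, ECS_TOKEN))
```

An empty result from `stable_diff` means both tokens target the same endpoint, user, region and service, so any remaining difference lies in the credentials that signed them.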