Hello everyone,
I want to limit the time period during which IAM database authentication connections can be made.
Therefore, I connected to an Aurora PostgreSQL with IAM database authentication enabled from an EC2 with the following IAM policy permissions, but was unable to connect.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "rds-db:connect"
            ],
            "Resource": "*",
            "Condition": {
                "DateGreaterThan": {
                    "aws:CurrentTime": "2020-06-06T00:00:00Z"
                },
                "DateLessThan": {
                    "aws:CurrentTime": "2020-06-07T23:59:59Z"
                }
            }
        }
    ]
}
Of course, the current time falls within a specific time frame.
The execution of the command is as follows.
$ RDSHOST=【DB cluster ID】.cluster-XXXXXXXX.ap-northeast-1.rds.amazonaws.com
$ export PGPASSWORD="$( aws rds generate-db-auth-token --hostname $RDSHOST --port 5432 --username jane_doe )"
$ psql "host=$RDSHOST dbname=postgres user=jane_doe"
psql: FATAL: PAM authentication failed for user "jane_doe"
FATAL: pg_hba.conf rejects connection for host "10.0.0.202", user "jane_doe", database "postgres", SSL off
The documentation states that aws:CurrentTime is always included in the request context.
https://docs.aws.amazon.com/ja_jp/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-currenttime
Availability – This key is always included in the request context.
But I think aws:CurrentTime context key is not included in the request context.
By the way, using aws:TokenIssueTime instead of aws:CurrentTime allowed me to limit the time period.
I hope that you can fix it. Thanks
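As an added example (not code from the post or from AWS), here is a small evaluator for IAM Date* condition operators on a single Allow statement. It models the documented rule that a condition whose key is absent from the request context evaluates to false unless the ...IfExists form of the operator is used, which is the failure mode the post suspects, and the rekeyed variant mirrors the aws:TokenIssueTime workaround. The statement and request contexts are constructed for illustration.

```python
# Added example (not from the original post or from AWS): a minimal evaluator for
# the Date* condition operators on one IAM Allow statement. It models the
# documented rule that a condition whose key is absent from the request context
# evaluates to false, unless the ...IfExists form of the operator is used.
# The statement and request contexts here are constructed for illustration.
from datetime import datetime, timezone

def parse_ts(value):
    """IAM date conditions use ISO 8601 UTC timestamps such as 2020-06-06T00:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

DATE_OPS = {
    "DateGreaterThan": lambda ctx, lim: ctx > lim,
    "DateGreaterThanEquals": lambda ctx, lim: ctx >= lim,
    "DateLessThan": lambda ctx, lim: ctx < lim,
    "DateLessThanEquals": lambda ctx, lim: ctx <= lim,
}

def condition_matches(condition, context):
    """True only if every operator/key pair in the Condition block holds for `context`."""
    for op_name, pairs in condition.items():
        if_exists = op_name.endswith("IfExists")
        compare = DATE_OPS[op_name[:-len("IfExists")] if if_exists else op_name]
        for key, limit in pairs.items():
            if key not in context:
                if if_exists:
                    continue  # key absent and IfExists used: this pair counts as true
                return False  # key absent: the condition cannot match, Allow does not apply
            if not compare(parse_ts(context[key]), parse_ts(limit)):
                return False
    return True

def allows_rds_connect(statement, context):
    """Does this single Allow statement grant rds-db:connect for `context`?"""
    actions = statement["Action"]
    actions = [actions] if isinstance(actions, str) else actions
    if statement["Effect"] != "Allow" or "rds-db:connect" not in actions:
        return False
    return condition_matches(statement.get("Condition", {}), context)

def rekey_condition(condition, old_key, new_key):
    """Return a copy of the Condition block with `old_key` replaced by `new_key`."""
    return {op: {(new_key if k == old_key else k): v for k, v in pairs.items()}
            for op, pairs in condition.items()}

# Constructed statement mirroring the post: a 2020-06-06 .. 2020-06-07 window.
STATEMENT = {"Effect": "Allow", "Action": ["rds-db:connect"], "Resource": "*",
             "Condition": {"DateGreaterThan": {"aws:CurrentTime": "2020-06-06T00:00:00Z"},
                           "DateLessThan": {"aws:CurrentTime": "2020-06-07T23:59:59Z"}}}
```

Running the statement against a context that carries only aws:TokenIssueTime yields no match, while the same window rekeyed to aws:TokenIssueTime matches when the token was issued inside it.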