PAM authentication error with HikariCP and AwsWrapperDataSource with iam plugin

[bradPerkins-hm]

I am trying to do what felixdo was trying to do in this post. The answer seems pretty straightforward, but when I try to use it, I get a PAM authentication error:

"message":"HikariPool-1 - Exception during pool initialization.","logger":"com.zaxxer.hikari.pool.HikariPool","thread_name":"task-1","level":"ERROR","stack_trace":"org.postgresql.util.PSQLException: FATAL: PAM authentication failed for user

The user is autherized, however. When not using the AwsWrapperDataSource I assume a role and generate an IAM token and I am able to connect to the database (I just need to be able to refresh the token after it expires). However, when I implement the AwsWrapperDataSource, I get this PAM authentication error. I tried assuming a role first and generating my own token and setting it as the password, but I still get this PAM authentication error. Does the wrapper use different credentials to generate the token? How do I authorize the AwsWrapperDataSource?

I am using this to connect to the AWS Aurora Postgres databse.

Thanks for the help.

[karenc-bq]

Hi @bradPerkins-hm, thank you for raising this issue.

Could you please answer the following to help with our investigation process:

1. Could you please provide some driver logs? You can enable driver logs via the properties file or via the wrapperLoggerLevel parameter. See the documentation for more informaiton.
2. What is your connection string? Are you using any custom endpoints?
3. Did you specify the IAM database account as the user? For more information on the IAM database account see here.

[bradPerkins-hm]

Thank you for the response. I am just getting back from vacation, I will answer what I can right now though.

1. I will add some driver logs soon when I run it again.
2. I do not have any custom endpoints. I am using the AWSWrapperDataSource properties to set the connection String:

                ds.addDataSourceProperty("jdbcProtocol", "jdbc:postgresql:");
		ds.addDataSourceProperty("serverName", AURORA_HOST);
		ds.addDataSourceProperty("serverPort", AURORA_PORT);
		ds.addDataSourceProperty("database", AURORA_DB_NAME);

3. Yes, the user is set up as per the Postgres IAM Documentation you provided:

CREATE USER {my_user}; 
GRANT rds_iam TO {my_user};

[karenc-bq]

Thank you for the response. How did you specify the IAM authentication plugin?
For reference, here is the code snippet I used to check the plugin behaviour:

  public static void main(String[] args) throws SQLException {
    try (HikariDataSource ds = new HikariDataSource()) {
      ds.setUsername(IAM_USER);

      ds.setDataSourceClassName(AwsWrapperDataSource.class.getName());
      final Properties targetDataSourceProps = new Properties();
      
      // Configure the wrapper to use the IAM Authentication plugin
      targetDataSourceProps.setProperty(PropertyDefinition.PLUGINS.name, "iam,failover,efm");
      
      ds.addDataSourceProperty("jdbcProtocol", "jdbc:postgresql:");
      ds.addDataSourceProperty("serverPort", AURORA_PORT);
      ds.addDataSourceProperty("serverName", AURORA_HOST);
      ds.addDataSourceProperty("database", AURORA_DB_NAME);
      ds.addDataSourceProperty("targetDataSourceClassName", "org.postgresql.ds.PGSimpleDataSource");
      ds.addDataSourceProperty("targetDataSourceProperties", targetDataSourceProps);

      try (Connection conn = ds.getConnection();
          Statement statement = conn.createStatement();
          ResultSet result = statement.executeQuery("SELECT * FROM aurora_db_instance_identifier()")) {

        System.out.println(getResult(result));
      }
    }
  }

[bradPerkins-hm]

This is what I am using:

	public DataSource dataSource() {
		logger.info("Configuring DataSource with " + this);

		// Configure AwsCredentialsManager to use DefaultCredentialsProvider:
		AwsCredentialsManager.setCustomHandler((hostSpec, props) -> DefaultCredentialsProvider.create());

		HikariDataSource ds = new HikariDataSource();

		// Configure the connection pool:
		ds.setUsername(AURORA_USERNAME);

		// Specify the underlying datasource for HikariCP:
		ds.setDataSourceClassName(AwsWrapperDataSource.class.getName());

		// Configure AwsWrapperDataSource:
		ds.addDataSourceProperty("jdbcProtocol", "jdbc:postgresql:");
		ds.addDataSourceProperty("serverName", AURORA_HOST);
		ds.addDataSourceProperty("serverPort", AURORA_PORT);
		ds.addDataSourceProperty("database", AURORA_DB_NAME);

		// The failover plugin throws failover-related exceptions that need to be handled explicitly by HikariCP,
		// otherwise connections will be closed immediately after failover. Set `ExceptionOverrideClassName` to provide
		// a custom exception class:
		ds.setExceptionOverrideClassName("software.amazon.jdbc.util.HikariCPSQLException");

		// Specify the driver-specific data source for AwsWrapperDataSource:
		ds.addDataSourceProperty("targetDataSourceClassName", "org.postgresql.ds.PGSimpleDataSource");

		Properties targetDataSourceProps = new Properties();

		// Enable the IAM authentication plugin along with failover and host monitoring plugins:
		targetDataSourceProps.setProperty("wrapperPlugins", "iam,auroraConnectionTracker,failover,efm");
		ds.addDataSourceProperty("targetDataSourceProperties", targetDataSourceProps);

		return ds;
	}

[karenc-bq]

I am unable to reproduce the PAM error with the provided code snippet.

• Is your AURORA_HOST an instance or a cluster endpoint?
• Are you using a non-default port number?

Could you please add the iamHost, iamRegion and iamDefaultPort configuration parameters to your method?

  public DataSource dataSource() {
    logger.info("Configuring DataSource with " + this);

    // Configure AwsCredentialsManager to use DefaultCredentialsProvider:
    AwsCredentialsManager.setCustomHandler((hostSpec, props) -> DefaultCredentialsProvider.create());

    HikariDataSource ds = new HikariDataSource();

    // Configure the connection pool:
    ds.setUsername(AURORA_USERNAME);

    // Specify the underlying datasource for HikariCP:
    ds.setDataSourceClassName(AwsWrapperDataSource.class.getName());

    // Configure AwsWrapperDataSource:
    ds.addDataSourceProperty("jdbcProtocol", "jdbc:postgresql:");
    ds.addDataSourceProperty("serverName", AURORA_HOST);
    ds.addDataSourceProperty("serverPort", AURORA_PORT);
    ds.addDataSourceProperty("database", AURORA_DB_NAME);

    // The failover plugin throws failover-related exceptions that need to be handled explicitly by HikariCP,
    // otherwise connections will be closed immediately after failover. Set `ExceptionOverrideClassName` to provide
    // a custom exception class:
    ds.setExceptionOverrideClassName("software.amazon.jdbc.util.HikariCPSQLException");

    // Specify the driver-specific data source for AwsWrapperDataSource:
    ds.addDataSourceProperty("targetDataSourceClassName", "org.postgresql.ds.PGSimpleDataSource");

    Properties targetDataSourceProps = new Properties();

    // Enable the IAM authentication plugin along with failover and host monitoring plugins:
    targetDataSourceProps.setProperty("wrapperPlugins", "iam,auroraConnectionTracker,failover,efm");
    targetDataSourceProps.setProperty("iamHost", "aurora-cluster-endpoint");
    targetDataSourceProps.setProperty("iamRegion", "us-east-2");
    targetDataSourceProps.setProperty("iamDefaultPort", "5432");
    ds.addDataSourceProperty("targetDataSourceProperties", targetDataSourceProps);

    return ds;
  }

You can find more information on the parameters here.

[karenc-bq]

The wrapper uses the default credentials provider to fetch credentials. If you require a specific credentials provider, you can configure it through AwsCredentialsManager, for more details and an example, see AWS Credentials Configuration.

[arathi-linvest21]

how to configure this in springboot properties file?