sfackler / rust-postgres

Native PostgreSQL driver for the Rust programming language
Apache License 2.0

RDS IAM Auth not working #1108

Closed albertlockett closed 7 months ago

albertlockett commented 7 months ago

Trying to connect with RDS IAM Auth:

use std::str::FromStr;
use tokio_postgres::{Config as PgConfig, NoTls};

#[actix_web::main]
async fn main() -> std::io::Result<()> {
    // this password is the token generated from:
    // aws rds generate-db-auth-token --hostname albert-test.cluster-abcd123123.us-east-1.rds.amazonaws.com --port 5432 --region us-east-1 --username my_user
    //
    let password = "albert-test.cluster-abcd123123.us-east-1.rds.amazonaws.com:5432/?Action=connect&DBUser=my_user....";

    let connection_cfg = format!("host=albert-test.cluster-abcd123123.us-east-1.rds.amazonaws.com port=5432 dbname=mydb user=my_user password={} sslmode=prefer", password);
    println!("connection_cfg: {}", connection_cfg);
    let cnx = PgConfig::from_str(&connection_cfg).unwrap();
    let (client, conn) = cnx.connect(NoTls).await.unwrap();

    Ok(())
}

This fails with the error:

thread 'main' panicked at src/bin/rds_test.rs:32:51:
called `Result::unwrap()` on an `Err` value: Error { kind: Db, cause: Some(DbError { severity: "FATAL", parsed_severity: Some(Fatal), code: SqlState(E28000), message: "pg_hba.conf rejects connection for host \"45.45.101.224\", user \"my_user\", database \"mydb\", no encryption", detail: None, hint: None, position: None, where_: None, schema: None, table: None, column: None, datatype: None, constraint: None, file: Some("auth.c"), line: Some(482), routine: Some("ClientAuthentication") }) }

The same connection configuration does work as an argument to the psql CLI -- so I'm thinking it's some issue with how the tokio_postgres library is connecting:

root@c2e374590c13:/# export MYPW="albert-test.cluster-abcd123123.us-east-1.rds.amazonaws.com:5432/?Action=connect&DBUser=my_user...."

root@c2e374590c13:/# psql "host=albert-test.cluster-abcd123123.us-east-1.rds.amazonaws.com port=5432 dbname=mydb user=my_user password=$MYPW sslmode=prefer"
psql (16.0 (Debian 16.0-1.pgdg120+1), server 15.3)
SSL connection (protocol: TLSv1.3, cipher: TLS_AES_256_GCM_SHA384, compression: off)
Type "help" for help.

mydb=> \q

sfackler commented 7 months ago

You probably need to connect with TLS.

albertlockett commented 7 months ago

> You probably need to connect with TLS.

@sfackler Will the way I've connected not use TLS?

I'm using sslmode=prefer in my config and I pass NoTls to connect, which is what we're supposed to pass with sslmode=prefer?

let (client, conn) = cnx.connect(NoTls)

https://docs.rs/tokio-postgres/latest/tokio_postgres/tls/struct.NoTls.html

pub struct NoTls; A MakeTlsConnect and TlsConnect implementation which simply returns an error. This can be used when sslmode is none or prefer.

sfackler commented 7 months ago

Like the name implies and documentation states, NoTls will not use TLS. You need to use an actual TLS implementation like postgres-openssl.

albertlockett commented 7 months ago

> Like the name implies and documentation states, NoTls will not use TLS. You need to use an actual TLS implementation like postgres-openssl.

Is using TLS without supplying the root cert supported? Sorry, I guess it wasn't clear from the docs how to do that.

https://docs.rs/postgres-native-tls/latest/postgres_native_tls/

sfackler commented 7 months ago

https://docs.rs/native-tls/0.2.6/native_tls/struct.TlsConnectorBuilder.html#method.danger_accept_invalid_certs
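Pulling together the thread's two points, that NoTls never negotiates TLS regardless of sslmode=prefer and that danger_accept_invalid_certs turns off certificate checking, here is an added pre-flight check in std-only Rust. It is not code from rust-postgres or from the thread; `TlsChoice` is a hypothetical stand-in for the connector type passed to `connect`, and the token in `main` is constructed:

```rust
use std::collections::HashMap;

/// Hypothetical stand-in for the connector passed to `Config::connect`; `NoTls` mirrors tokio_postgres::NoTls.
pub enum TlsChoice {
    NoTls,
    /// postgres-native-tls/postgres-openssl connector verifying against a trusted root.
    VerifiedTls,
    /// A real connector built with danger_accept_invalid_certs(true).
    UnverifiedTls,
}

/// Parse a libpq-style "key=value key2=value2" string (quoted values not handled).
pub fn parse_conn_str(s: &str) -> HashMap<String, String> {
    s.split_whitespace()
        .filter_map(|kv| kv.split_once('='))
        .map(|(k, v)| (k.to_string(), v.to_string()))
        .collect()
}

/// An RDS IAM auth token is a presigned URL: "<host>:<port>/?Action=connect&DBUser=...".
pub fn looks_like_iam_token(password: &str) -> bool {
    password.contains("/?Action=connect") && password.contains("DBUser=")
}
/// Pre-flight check: the token is a bearer secret, so refuse to send it unless TLS is
/// enforced. tokio-postgres parses sslmode disable/prefer/require; `prefer` still falls
/// back to plaintext, and certificate checking is the connector's job, not sslmode's.
pub fn check_iam_tls(conn_str: &str, tls: TlsChoice) -> Result<(), String> {
    let params = parse_conn_str(conn_str);
    let password = params.get("password").map(String::as_str).unwrap_or("");
    if !looks_like_iam_token(password) {
        return Ok(()); // ordinary password: nothing extra to enforce here
    }
    let sslmode = params.get("sslmode").map(String::as_str).unwrap_or("prefer");
    match tls {
        TlsChoice::NoTls => Err("NoTls never negotiates TLS, even with sslmode=prefer; \
            the token would be sent in cleartext (pg_hba.conf then rejects it)".into()),
        TlsChoice::UnverifiedTls => Err("danger_accept_invalid_certs(true) accepts any \
            server certificate; load the RDS CA bundle instead".into()),
        TlsChoice::VerifiedTls => match sslmode {
            "require" => Ok(()),
            "disable" | "prefer" => Err(format!("sslmode={sslmode} allows plaintext; use require")),
            other => Err(format!("unrecognised sslmode {other:?}")),
        },
    }
}
fn main() {
    // Constructed token in the shape of `aws rds generate-db-auth-token` output.
    let token = "albert-test.cluster-abcd123123.us-east-1.rds.amazonaws.com:5432/?Action=connect&DBUser=my_user&X-Amz-Signature=PLACEHOLDER";
    let cfg = format!("host=albert-test.cluster-abcd123123.us-east-1.rds.amazonaws.com port=5432 dbname=mydb user=my_user password={token} sslmode=prefer");
    println!("{:?}", check_iam_tls(&cfg, TlsChoice::NoTls)); // Err(...): the issue's configuration
}
```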