I set up a PostgreSQL Aurora DB and a proxy via Terraform (code below), and it apparently works fine. But for some reason I can't connect to the database through the proxy. The proxy claims it has no credentials for the role, yet if I connect to the database directly everything is fine and the credentials work.
I tried this both from the VPN and directly from an EC2 instance:
$ psql -h [aurora-endpoint] -p 5432 -d [database] -U admin
Password for user admin:
psql (13.3, server 11.9)
SSL connection (protocol: TLSv1.2, cipher: ECDHE-RSA-AES256-GCM-SHA384, bits: 256, compression: off)
Type "help" for help.
[database]=>
That works, but when I try to connect to the proxy:
$ psql -h [proxy-endpoint] -p 5432 -d [database] -U admin
psql: error: FATAL: This RDS proxy has no credentials for the role cellwerkadmin. Check the credentials for this role and try again.
Does anyone know what the problem is here?
Terraform code:
# Subnet group for Aurora
resource "aws_db_subnet_group" "aurora_sg_group" {
  name       = "aurora"
  subnet_ids = var.private_subnets_ids
  tags = {
    Name = "Subnet group for the Aurora DB"
  }
}

# RDS cluster parameter group for Aurora
resource "aws_rds_cluster_parameter_group" "aurora_eu_central_1" {
  name_prefix = "eu-central-1-aurora-postgres11-cluster-parameter-group"
  family      = "aurora-postgresql11"
  description = "eu-central-1-aurora-postgres11-cluster-parameter-group"
}

# Aurora RDS PostgreSQL
module "aurora" {
  source = ".../modules/terraform-aws-rds-aurora/"

  name                   = "cellwerk-aurora"
  username               = data.aws_ssm_parameter.db_username.value
  create_random_password = false
  password               = data.aws_ssm_parameter.db_password.value
  engine                 = "aurora-postgresql"
  engine_version         = "11.9"
  instance_type          = "db.r6g.large"
  instance_type_replica  = "db.t3.medium"

  vpc_id                 = module.link_delivery_eu_central_1.vpc_id
  db_subnet_group_name   = "aurora"
  create_security_group  = false
  allowed_cidr_blocks    = concat( ... subnets )
  vpc_security_group_ids = [aws_security_group.rds.id]

  replica_count         = 1
  replica_scale_enabled = true
  replica_scale_min     = 1
  replica_scale_max     = 5

  monitoring_interval           = 60
  iam_role_name                 = "aurora-eu-central-1-enhanced-monitoring"
  iam_role_use_name_prefix      = false
  iam_role_description          = "eu-central-1 Aurora RDS enhanced monitoring IAM role"
  iam_role_path                 = "/autoscaling/"
  iam_role_max_session_duration = 7200

  apply_immediately   = true
  skip_final_snapshot = true

  db_parameter_group_name         = "aurora-postgresl11"
  db_cluster_parameter_group_name = aws_rds_cluster_parameter_group.aurora_eu_central_1.name
  enabled_cloudwatch_logs_exports = ["postgresql"]

  tags = {
    Owner       = "company"
    Environment = "production"
  }
}

# Proxy for Aurora
resource "aws_iam_role" "iam_proxy_eu_central_1" {
  name               = "iam_proxy_eu_central_1"
  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "rds.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
EOF
}

resource "aws_iam_policy" "proxy_eu_central_1" {
  name        = "proxy-eu-central-1"
  path        = "/"
  description = "IAM policy used to log in to the aurora db"
  policy      = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "secretsmanager:GetResourcePolicy",
        "secretsmanager:GetSecretValue",
        "secretsmanager:DescribeSecret",
        "secretsmanager:ListSecretVersionIds"
      ],
      "Resource": "arn:aws:secretsmanager:eu-central-1:[account]:secret:[company]/aurora-Pa40We",
      "Effect": "Allow"
    }
  ]
}
EOF
}

resource "aws_db_proxy" "proxy_eu_central_1" {
  name                   = "proxy-eu-central-1"
  debug_logging          = true
  engine_family          = "POSTGRESQL"
  idle_client_timeout    = 1800
  require_tls            = false
  role_arn               = aws_iam_role.iam_proxy_eu_central_1.arn
  vpc_security_group_ids = [aws_security_group.rds.id]
  vpc_subnet_ids         = module.link_delivery_eu_central_1.private_subnets_ids

  auth {
    auth_scheme = "SECRETS"
    description = "Allow connections to the aurora db"
    iam_auth    = "DISABLED"
    secret_arn  = "arn:aws:secretsmanager:eu-central-1:[account]:secret:[company]/aurora-Pa40We"
  }

  tags = {
    Name = "aurora proxy"
  }
}

resource "aws_db_proxy_default_target_group" "proxy_eu_central_1" {
  db_proxy_name = aws_db_proxy.proxy_eu_central_1.name

  connection_pool_config {
    connection_borrow_timeout    = 120
    init_query                   = "SET x=1, y=2"
    max_connections_percent      = 100
    max_idle_connections_percent = 50
    session_pinning_filters      = ["EXCLUDE_VARIABLE_SETS"]
  }
}

resource "aws_db_proxy_target" "proxy_eu_central_1" {
  db_cluster_identifier = module.aurora.rds_cluster_id
  db_proxy_name         = aws_db_proxy.proxy_eu_central_1.name
  target_group_name     = aws_db_proxy_default_target_group.proxy_eu_central_1.name
}
Reply from a uj5u.com user:
Your aws_iam_policy has no effect. You forgot to attach it to the role:
resource "aws_iam_policy_attachment" "test-attach" {
  name       = "role-proxy-attachment"
  # the role declared in the question is aws_iam_role.iam_proxy_eu_central_1
  roles      = [aws_iam_role.iam_proxy_eu_central_1.name]
  policy_arn = aws_iam_policy.proxy_eu_central_1.arn
}
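The answer above identifies the gap: an `aws_iam_policy` is just a document until something attaches it to a principal, so the proxy's role had no grant on the secret. Below is an added example (not code from the question or the answer) of the proxy's IAM wiring as a practitioner would ship it, using the question's resource names (`aws_iam_role.iam_proxy_eu_central_1`, `aws_iam_policy.proxy_eu_central_1`, `aws_security_group.rds`, the `link_delivery_eu_central_1` module). It assumes the secret is created here rather than out of band, that it is encrypted with a customer managed KMS key named `aws_kms_key.secrets`, and that a `data "aws_caller_identity" "current"` block exists; those three are illustrative assumptions. It also narrows the policy to what RDS Proxy actually needs, uses the additive `aws_iam_role_policy_attachment`, and turns `require_tls` on.

```hcl
# Added example, not part of the original post. Resource names follow the
# question; aws_kms_key.secrets, the secret resource and
# data.aws_caller_identity.current are assumptions for illustration.

# RDS Proxy reads a secret whose JSON has exactly these two keys, and
# "username" must equal the DB role the client logs in with (-U ...).
resource "aws_secretsmanager_secret" "aurora_admin" {
  name       = "[company]/aurora"
  kms_key_id = aws_kms_key.secrets.arn # assumed customer managed key
}

resource "aws_secretsmanager_secret_version" "aurora_admin" {
  secret_id = aws_secretsmanager_secret.aurora_admin.id
  secret_string = jsonencode({
    username = data.aws_ssm_parameter.db_username.value
    password = data.aws_ssm_parameter.db_password.value
  })
}

# Trust policy as a data source rather than heredoc JSON: it is validated
# at plan time and cannot drift into malformed JSON.
data "aws_iam_policy_document" "proxy_trust" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["rds.amazonaws.com"]
    }
    # Confused-deputy guard: only RDS acting for this account may assume
    # the role. Assumed to be honoured for the proxy; drop if assumption fails.
    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = [data.aws_caller_identity.current.account_id]
    }
  }
}

# Least privilege: the proxy only needs to read this one secret, plus
# kms:Decrypt when the secret uses a customer managed key (the AWS managed
# key aws/secretsmanager needs no extra grant). kms:ViaService stops the
# role from decrypting anything except through Secrets Manager.
data "aws_iam_policy_document" "proxy_secret_access" {
  statement {
    sid       = "ReadProxySecret"
    actions   = ["secretsmanager:GetSecretValue"]
    resources = [aws_secretsmanager_secret.aurora_admin.arn]
  }
  statement {
    sid       = "DecryptProxySecret"
    actions   = ["kms:Decrypt"]
    resources = [aws_kms_key.secrets.arn]
    condition {
      test     = "StringEquals"
      variable = "kms:ViaService"
      values   = ["secretsmanager.eu-central-1.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "iam_proxy_eu_central_1" {
  name               = "iam_proxy_eu_central_1"
  assume_role_policy = data.aws_iam_policy_document.proxy_trust.json
}

resource "aws_iam_policy" "proxy_eu_central_1" {
  name   = "proxy-eu-central-1"
  policy = data.aws_iam_policy_document.proxy_secret_access.json
}

# The missing step from the question. aws_iam_role_policy_attachment is
# additive and scoped to this role; aws_iam_policy_attachment is exclusive
# and detaches the policy from every other principal on apply.
resource "aws_iam_role_policy_attachment" "proxy_eu_central_1" {
  role       = aws_iam_role.iam_proxy_eu_central_1.name
  policy_arn = aws_iam_policy.proxy_eu_central_1.arn
}

resource "aws_db_proxy" "proxy_eu_central_1" {
  name                   = "proxy-eu-central-1"
  engine_family          = "POSTGRESQL"
  role_arn               = aws_iam_role.iam_proxy_eu_central_1.arn
  require_tls            = true # refuse plaintext client connections to the proxy
  vpc_security_group_ids = [aws_security_group.rds.id]
  vpc_subnet_ids         = module.link_delivery_eu_central_1.private_subnets_ids

  auth {
    auth_scheme = "SECRETS"
    iam_auth    = "DISABLED"
    secret_arn  = aws_secretsmanager_secret.aurora_admin.arn
  }

  # IAM is eventually consistent; make the grant exist before the proxy's
  # first attempt to read the secret.
  depends_on = [aws_iam_role_policy_attachment.proxy_eu_central_1]
}
```

After `terraform apply`, the quickest check is `aws rds describe-db-proxy-targets --db-proxy-name proxy-eu-central-1`: while the grant is missing, the target's `TargetHealth` stays `UNAVAILABLE` with an authentication-related `Reason`, and it only becomes `AVAILABLE` once the proxy can fetch the secret. Because the question enables `debug_logging`, the same failure is also visible in the proxy's CloudWatch log group. Note that in the question the psql error names the role `cellwerkadmin` while the client passes `-U admin`; whatever username is in the secret is the one the proxy will authenticate as, so it must match the DB role the client uses.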
Please credit the source when reposting; original link: https://www.uj5u.com/qiye/308355.html