AWS RDS & Datagrip - can't connect to DB with IAM auth "case sensitivity plain=mixed"

Question

I have an existing RDS database on AWS that I want to connect to through Datagrip using IAM authentication. I've followed the instructions to a tee. I've enabled IAM auth on the DB, I installed the AWS Toolkit plugin and setup the auth keys. It connects to the server and can show me S3 and poll SQS etc so it's not an issue with communicating with AWS, but when I try to connect to an RDS DB it gives me this strange error:

I've googled around and couldn't find too much information. My setup looks basically like this (with obviously fake data):

I don't understand why the issue is happening. The only part there I don't really understand is the "user", which the docs refer to thusly:

But what is that even referring to? That's not the master username (I tried that, but also that doesn't make sense anyway). It's not referring to my username or access key. The line gets filled automatically when I add the DB through the plugin but I don't know what it is at all, as far as I can tell it looks like a random assortment of characters and numbers.

Note the DB is not publicly accessible, but it shouldn't be (as far as I understand, that's only required when you access the DB through a "normal" authentication with a username and password) and nothing indicates that that's a requirement in the docs anyway (also I would get a different error there).

What am I missing here? What am I doing wrong?

Answer 1

IAM authentication still needs a database user that it connects to, this is what it's referring. There still needs to be a user created like described here. From the page:

To use IAM authentication with PostgreSQL, connect to the DB instance as the master user or a different user who can create users and grant privileges. After connecting, create database users and then grant them the rds_iam role as shown in the following example.

Make sure the specified database user name is the same as a resource in the IAM policy for IAM database access.

Also validate that IAM allows access like described here. You can also check CloudWatch for Postgres logs if the database actually rejects your credentials. You will see auth denied messages. CloudWatch Logs need to be enabled specifically and are not on by default.

Appendix: I also found this guide where it shows how to connect as a master user (step 3)

---

I'm wondering about the part that the DB is not publicly accessible, whereas you are connecting to it via the internet or do you have some specific network setup (VPN/DX?) to the VPC the RDS is running in? Otherwise you still need network access to it, which can be done with bastion hosts and SSM (for example).