我有一个生产 PostgreSQL RDS 实例,已经运行了一年多。
有一个日常作业使用 `aws_s3` 扩展将一些数据导出到 S3。
最近,在 Postgres 中使用 `aws_s3` 扩展的一些作业开始失败。我折腾了一番,修复了 s3Import 的错误,但始终无法让任何 s3Export 作业正常工作。我想知道社区是否有任何建议或修复方法。下面是问题本身以及我到目前为止所做的尝试:
每当我尝试执行 `SELECT aws_s3.query_export_to_s3` 查询时,都会收到错误。下面是一个示例查询及其在 psql 中的输出(出于隐私考虑,我更改了存储桶名称):
postgres=> select * from aws_s3.query_export_to_s3('select 1', aws_commons.create_s3_uri('my-bucket', 's3_test/test.txt', 'us-west-2'));
ERROR: credentials stored with the database cluster can’t be accessed
HINT: Has the IAM role Amazon Resource Name (ARN) been associated with the feature-name "s3Export"?
CONTEXT: SQL function "query_export_to_s3" statement 1
为了调试该问题,我创建了一个全新的 PostgreSQL RDS 实例,其所有设置与生产实例相同:相同版本的 PostgreSQL、相同的参数组、相同的安全组等。我甚至为 s3Export 创建了相同的角色关联,使用的也是同一个角色。(描述这两个实例的部分输出见本文末尾。)这两个实例之间最显著的区别是,一个是在 2022 年 4 月创建的,另一个是在 2023 年 8 月创建的。
在新实例上,上述查询可以正常运行,并将文件导出到存储桶。
我尝试过重新启动集群、将集群更新到最新的 PostgreSQL 13、删除并恢复 s3Export 角色关联、删除并重新创建 `aws_s3` 和 `aws_commons` 扩展,还等了一整夜,以防我所做的某些更改需要时间才能生效。但我在生产集群上仍然遇到该错误。
所以,我的问题是,我该如何解决这个问题?我错过了什么吗?谢谢社区。
以下是一些可能有参考价值的命令输出,出于隐私原因更改了标识符。仅供参考,数据库参数组的所有值都与 AWS 提供的默认 Postgres13 参数组相同,只是将 `rds.custom_dns_resolution` 的值从 0 更改为 1。
$ aws rds describe-db-instances --db-instance-identifier PROD_INSTANCE_ID --out json
{
"DBInstances": [
{
"DBInstanceIdentifier": "PROD_INSTANCE_ID",
"DBInstanceClass": "db.t4g.micro",
"Engine": "postgres",
"DBInstanceStatus": "available",
"MasterUsername": "postgres",
"Endpoint": {
"Address": "PROD_INSTANCE_ID.abcdefabcdef.us-west-2.rds.amazonaws.com",
"Port": 5432,
"HostedZoneId": "Z111111111111"
},
"AllocatedStorage": 100,
"InstanceCreateTime": "2022-04-07T18:33:07.939000+00:00",
"PreferredBackupWindow": "23:46-00:16",
"BackupRetentionPeriod": 7,
"DBSecurityGroups": [],
"VpcSecurityGroups": [
{
"VpcSecurityGroupId": "sg-11111111111111111",
"Status": "active"
}
],
"DBParameterGroups": [
{
"DBParameterGroupName": "postg-postg-prod-params",
"ParameterApplyStatus": "in-sync"
}
],
"AvailabilityZone": "us-west-2b",
"DBSubnetGroup": {
"DBSubnetGroupName": "vpc-11111111111111111",
"DBSubnetGroupDescription": "Created from the RDS Management Console",
"VpcId": "vpc-11111111111111111",
"SubnetGroupStatus": "Complete",
"Subnets": [
{
"SubnetIdentifier": "subnet-11111111111111111",
"SubnetAvailabilityZone": {
"Name": "us-west-2b"
},
"SubnetOutpost": {},
"SubnetStatus": "Active"
},
{
"SubnetIdentifier": "subnet-22222222222222222",
"SubnetAvailabilityZone": {
"Name": "us-west-2a"
},
"SubnetOutpost": {},
"SubnetStatus": "Active"
}
]
},
"PreferredMaintenanceWindow": "sat:09:00-sat:09:30",
"PendingModifiedValues": {},
"LatestRestorableTime": "2023-08-18T19:14:31+00:00",
"MultiAZ": true,
"EngineVersion": "13.10",
"AutoMinorVersionUpgrade": true,
"ReadReplicaDBInstanceIdentifiers": [
"arn:aws:rds:us-east-2:111111111111:db:postgres-replica-dev-replica"
],
"LicenseModel": "postgresql-license",
"OptionGroupMemberships": [
{
"OptionGroupName": "default:postgres-13",
"Status": "in-sync"
}
],
"SecondaryAvailabilityZone": "us-west-2a",
"PubliclyAccessible": false,
"StorageType": "gp2",
"DbInstancePort": 0,
"StorageEncrypted": true,
"KmsKeyId": "arn:aws:kms:us-west-2:111111111111:key/KEY_ID_1",
"DbiResourceId": "db-GGG",
"CACertificateIdentifier": "rds-ca-2019",
"DomainMemberships": [],
"CopyTagsToSnapshot": true,
"MonitoringInterval": 60,
"EnhancedMonitoringResourceArn": "arn:aws:logs:us-west-2:111111111111:log-group:RDSOSMetrics:log-stream:db-GGG",
"MonitoringRoleArn": "arn:aws:iam::111111111111:role/rds-monitoring-role",
"DBInstanceArn": "arn:aws:rds:us-west-2:111111111111:db:PROD_INSTANCE_ID",
"IAMDatabaseAuthenticationEnabled": false,
"PerformanceInsightsEnabled": true,
"PerformanceInsightsKMSKeyId": "arn:aws:kms:us-west-2:111111111111:key/KEY_ID_1",
"PerformanceInsightsRetentionPeriod": 7,
"EnabledCloudwatchLogsExports": [
"postgresql",
"upgrade"
],
"DeletionProtection": true,
"AssociatedRoles": [
{
"RoleArn": "arn:aws:iam::111111111111:role/postg-prod-rds-lambda-invoke-role",
"FeatureName": "Lambda",
"Status": "ACTIVE"
},
{
"RoleArn": "arn:aws:iam::111111111111:role/postg-prod-test-rds-s3-role-export",
"FeatureName": "s3Export",
"Status": "ACTIVE"
},
{
"RoleArn": "arn:aws:iam::111111111111:role/postg-prod-rds-s3-role",
"FeatureName": "s3Import",
"Status": "ACTIVE"
}
],
"MaxAllocatedStorage": 1000,
"TagList": [
],
"CustomerOwnedIpEnabled": false,
"ActivityStreamStatus": "stopped",
"BackupTarget": "region",
"NetworkType": "IPV4",
"StorageThroughput": 0,
"CertificateDetails": {
"CAIdentifier": "rds-ca-2019",
"ValidTill": "2024-08-22T17:08:50+00:00"
}
}
]
}
$ aws rds describe-db-instances --db-instance-identifier DEBUG_INSTANCE_ID --out json
{
"DBInstances": [
{
"DBInstanceIdentifier": "DEBUG_INSTANCE_ID",
"DBInstanceClass": "db.t4g.micro",
"Engine": "postgres",
"DBInstanceStatus": "available",
"MasterUsername": "postgres",
"Endpoint": {
"Address": "DEBUG_INSTANCE_ID.abcdefabcdef.us-west-2.rds.amazonaws.com",
"Port": 5432,
"HostedZoneId": "Z111111111111"
},
"AllocatedStorage": 100,
"InstanceCreateTime": "2023-08-18T04:07:15.224000+00:00",
"PreferredBackupWindow": "23:46-00:16",
"BackupRetentionPeriod": 7,
"DBSecurityGroups": [],
"VpcSecurityGroups": [
{
"VpcSecurityGroupId": "sg-11111111111111111",
"Status": "active"
}
],
"DBParameterGroups": [
{
"DBParameterGroupName": "postg-postg-prod-params",
"ParameterApplyStatus": "in-sync"
}
],
"AvailabilityZone": "us-west-2b",
"DBSubnetGroup": {
"DBSubnetGroupName": "vpc-11111111111111111",
"DBSubnetGroupDescription": "Created from the RDS Management Console",
"VpcId": "vpc-11111111111111111",
"SubnetGroupStatus": "Complete",
"Subnets": [
{
"SubnetIdentifier": "subnet-11111111111111111",
"SubnetAvailabilityZone": {
"Name": "us-west-2b"
},
"SubnetOutpost": {},
"SubnetStatus": "Active"
},
{
"SubnetIdentifier": "subnet-22222222222222222",
"SubnetAvailabilityZone": {
"Name": "us-west-2a"
},
"SubnetOutpost": {},
"SubnetStatus": "Active"
}
]
},
"PreferredMaintenanceWindow": "sat:09:00-sat:09:30",
"PendingModifiedValues": {},
"LatestRestorableTime": "2023-08-18T19:14:33+00:00",
"MultiAZ": true,
"EngineVersion": "13.10",
"AutoMinorVersionUpgrade": true,
"ReadReplicaDBInstanceIdentifiers": [
"arn:aws:rds:us-east-2:111111111111:db:DEBUG_INSTANCE_ID-replica"
],
"LicenseModel": "postgresql-license",
"OptionGroupMemberships": [
{
"OptionGroupName": "default:postgres-13",
"Status": "in-sync"
}
],
"SecondaryAvailabilityZone": "us-west-2a",
"PubliclyAccessible": false,
"StorageType": "gp2",
"DbInstancePort": 0,
"StorageEncrypted": true,
"KmsKeyId": "arn:aws:kms:us-west-2:111111111111:key/KEY_ID_1",
"DbiResourceId": "db-HH",
"CACertificateIdentifier": "rds-ca-2019",
"DomainMemberships": [],
"CopyTagsToSnapshot": true,
"MonitoringInterval": 60,
"EnhancedMonitoringResourceArn": "arn:aws:logs:us-west-2:111111111111:log-group:RDSOSMetrics:log-stream:db-HH",
"MonitoringRoleArn": "arn:aws:iam::111111111111:role/rds-monitoring-role",
"DBInstanceArn": "arn:aws:rds:us-west-2:111111111111:db:DEBUG_INSTANCE_ID",
"IAMDatabaseAuthenticationEnabled": false,
"PerformanceInsightsEnabled": true,
"PerformanceInsightsKMSKeyId": "arn:aws:kms:us-west-2:111111111111:key/KEY_ID_1",
"PerformanceInsightsRetentionPeriod": 7,
"EnabledCloudwatchLogsExports": [
"postgresql",
"upgrade"
],
"DeletionProtection": true,
"AssociatedRoles": [
{
"RoleArn": "arn:aws:iam::111111111111:role/postg-prod-test-rds-lambda-invoke-role",
"FeatureName": "Lambda",
"Status": "ACTIVE"
},
{
"RoleArn": "arn:aws:iam::111111111111:role/postg-prod-test-rds-s3-role-export",
"FeatureName": "s3Export",
"Status": "ACTIVE"
},
{
"RoleArn": "arn:aws:iam::111111111111:role/postg-prod-test-rds-s3-role",
"FeatureName": "s3Import",
"Status": "ACTIVE"
}
],
"MaxAllocatedStorage": 1000,
"TagList": [
],
"CustomerOwnedIpEnabled": false,
"ActivityStreamStatus": "stopped",
"BackupTarget": "region",
"NetworkType": "IPV4",
"StorageThroughput": 0,
"CertificateDetails": {
"CAIdentifier": "rds-ca-2019",
"ValidTill": "2024-08-22T17:08:50+00:00"
}
}
]
}
$ aws iam get-role --role postg-prod-test-rds-s3-role-export
{
"Role": {
"Path": "/",
"RoleName": "postg-prod-test-rds-s3-role-export",
"RoleId": "ROLE_ID",
"Arn": "arn:aws:iam::111111111111:role/postg-prod-test-rds-s3-role-export",
"CreateDate": "2023-08-18T04:03:36+00:00",
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "rds.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
},
"MaxSessionDuration": 3600,
"Tags": [
{
"Key": "ProjectName",
"Value": "postg"
},
{
"Key": "StackName",
"Value": "postg-prod"
},
{
"Key": "Name",
"Value": "postg_postg-prod"
}
],
"RoleLastUsed": {
"LastUsedDate": "2023-08-18T04:31:16+00:00",
"Region": "us-west-2"
}
}
}
$ aws iam list-role-policies --role postg-prod-test-rds-s3-role-export
{
"PolicyNames": [
"s3_export"
]
}
$ aws iam get-role-policy --role postg-prod-test-rds-s3-role-export --policy s3_export
{
"RoleName": "postg-prod-test-rds-s3-role-export",
"PolicyName": "s3_export",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Sid": "s3export",
"Action": [
"s3:PutObject",
"s3:AbortMultipartUpload"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::my-bucket/*",
"arn:aws:s3:::my-bucket"
]
}
]
}
}
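您需要将一个 IAM 角色关联到您的 RDS 集群(如错误提示所示,功能名称为 s3Export),该角色对您要导出到的存储桶具有写入权限。按照最小权限原则,该角色只需像问题中的策略那样,授予目标存储桶的 s3:PutObject 和 s3:AbortMultipartUpload 权限即可,无需更大范围的 S3 访问权限。
关联角色后需要几分钟才能生效。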