Describe the bug
auth.BuildAuthToken generates an IAM authentication token with the format host:5432?Action=connect&... but the correct format (matching aws rds generate-db-auth-token) is host:5432/?Action=connect&... — a trailing slash is missing after the port and before the query string.
This causes FATAL: PAM authentication failed for user "postgres" (SQLSTATE 28P01) when connecting to Aurora PostgreSQL clusters using Express Configuration with Internet Access Gateway enabled.
The root cause is in connect.go: the endpoint host:5432 is prefixed with https:// and passed to http.NewRequest, but since there is no path component, net/url parses it as a URL with an empty path. The resulting presigned URL has no / between the authority and the query string. The AWS CLI includes a / path, producing a different (and correct) signature.
Expected Behavior
BuildAuthToken should produce a token with the same format as the AWS CLI's aws rds generate-db-auth-token:
property.cluster-xxx.ap-southeast-2.rds.amazonaws.com:5432/?Action=connect&DBUser=postgres&X-Amz-Algorithm=...
Current Behavior
BuildAuthToken produces:
property.cluster-xxx.ap-southeast-2.rds.amazonaws.com:5432?Action=connect&DBUser=postgres&X-Amz-Algorithm=...
Note the missing / after :5432. I confirmed this by generating both tokens side-by-side — the only difference is the missing slash (and the resulting signature difference). The CLI token works; the SDK token fails with:
FATAL: PAM authentication failed for user "postgres" (SQLSTATE 28P01)
Tested with both lib/pq and pgx drivers — same result with both.
Reproduction Steps
```go
package main

import (
	"context"
	"fmt"
	"strings"

	"github.com/aws/aws-sdk-go-v2/config"
	"github.com/aws/aws-sdk-go-v2/feature/rds/auth"
)

func main() {
	ctx := context.Background()
	cfg, err := config.LoadDefaultConfig(ctx, config.WithRegion("ap-southeast-2"))
	if err != nil {
		panic(err)
	}

	// host:port endpoint of the Aurora cluster (no scheme, no path)
	endpoint := "your-aurora-cluster.cluster-xxx.ap-southeast-2.rds.amazonaws.com:5432"
	token, err := auth.BuildAuthToken(ctx, endpoint, "ap-southeast-2", "postgres", cfg.Credentials)
	if err != nil {
		panic(err)
	}

	// Observe: token has "...:5432?Action=" — no slash before "?"
	fmt.Println("SDK token:", token)

	// Compare with: aws rds generate-db-auth-token --hostname <host> --port 5432 --region ap-southeast-2 --username postgres
	// CLI token has "...:5432/?Action=" — slash present

	// Workaround: insert the missing "/" between the port and the query string
	fixed := strings.Replace(token, ":5432?", ":5432/?", 1)
	fmt.Println("Fixed token:", fixed)
	// The fixed token works; the original does not (on Aurora Express Configuration w/ Internet Access Gateway).
}
```
To reproduce the auth failure, connect to an Aurora Express Configuration cluster with InternetAccessGatewayEnabled: true running PostgreSQL, using IAM database authentication.
Possible Solution
Workaround: strings.Replace(token, ":5432?", ":5432/?", 1)
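To show the mechanism behind the root cause and the workaround above without needing AWS credentials or a cluster, here is an added example (not code from the issue or from aws-sdk-go-v2). It mirrors the report's description of connect.go (prefix the endpoint with https://, parse it with net/url, attach the query) to show that the parsed URL has an empty Path and therefore serialises with no "/" before "?", and it pairs that with a normaliser that inserts the slash for any host:port rather than hard-coding ":5432?". The host name, query values and function names are constructed for the example; the SigV4 signing step is deliberately omitted, since the point is only the path component.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// endpointToURL reproduces the shape described in the bug report: the bare
// host:port endpoint gets an https:// prefix and is parsed by net/url, which
// leaves Path == "" because the input carries no path component. Only the
// non-signature query parameters are attached; signing is out of scope here.
func endpointToURL(endpoint string) *url.URL {
	u, err := url.Parse("https://" + endpoint)
	if err != nil {
		panic(err) // constructed input; a real caller would return the error
	}
	q := u.Query()
	q.Set("Action", "connect")
	q.Set("DBUser", "postgres")
	u.RawQuery = q.Encode() // keys are emitted in sorted order
	return u
}

// withRootPath is what the AWS CLI form looks like: an explicit "/" path
// between the authority and the query string.
func withRootPath(u *url.URL) *url.URL {
	c := *u
	c.Path = "/"
	return &c
}

// tokenFromURL strips the scheme, matching how the auth token is presented.
func tokenFromURL(u *url.URL) string {
	return strings.TrimPrefix(u.String(), "https://")
}

// hasPathBeforeQuery reports whether the token's authority is followed by a
// path ("/") before the query string begins.
func hasPathBeforeQuery(token string) bool {
	i := strings.Index(token, "?")
	if i < 0 {
		i = len(token)
	}
	return strings.Contains(token[:i], "/")
}

// normalizeAuthTokenPath inserts "/" between the authority and the query
// string when the token has no path. Unlike strings.Replace on ":5432?",
// it works for any port and is idempotent on tokens that already have it.
func normalizeAuthTokenPath(token string) string {
	if hasPathBeforeQuery(token) {
		return token
	}
	i := strings.Index(token, "?")
	if i < 0 {
		return token + "/"
	}
	return token[:i] + "/" + token[i:]
}

func main() {
	u := endpointToURL("db.example.com:5432") // constructed host
	fmt.Printf("parsed Path=%q\n", u.Path)
	sdkLike := tokenFromURL(u)
	cliLike := tokenFromURL(withRootPath(u))
	fmt.Println("SDK-style:", sdkLike, "slash before query:", hasPathBeforeQuery(sdkLike))
	fmt.Println("CLI-style:", cliLike, "slash before query:", hasPathBeforeQuery(cliLike))
	fmt.Println("normalized:", normalizeAuthTokenPath(sdkLike))
}
```

Because the signature covers the canonical path, the two token forms sign differently even though the host and query are identical; a checker like hasPathBeforeQuery is a cheap assertion to keep next to any token-generation code so the regression is caught before it reaches a PAM failure on the database side.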
Additional Information/Context
- The Aurora cluster is an Express Configuration cluster with InternetAccessGatewayEnabled: true, running PostgreSQL 17.7 in ap-southeast-2.
- Standard Aurora clusters may tolerate both formats, which is likely why this hasn't surfaced before. The Internet Access Gateway appears to be stricter.
- The same bug was observed in localstack/localstack#11507 where LocalStack's proxy regex also couldn't parse the slash-less format — they worked around it on their end.
AWS Go SDK V2 Module Versions Used
github.com/aws/aws-sdk-go-v2 v1.41.5
github.com/aws/aws-sdk-go-v2/config v1.32.12
github.com/aws/aws-sdk-go-v2/feature/rds/auth v1.6.21
github.com/aws/aws-sdk-go-v2/credentials v1.19.12
Compiler and Version used
go1.26.1 darwin/arm64
Operating System and version
macOS (darwin 26.4) on arm64