Cannot connect to redshift using IAM credentials

Driver version

2.0.888

Redshift version

1.0.31802

Client Operating System

macOS

Python version

3.8

Problem description

Unable to connect to a Redshift cluster using an IAM role from my local machine using the redshift-connector package.

Connection is successful when using a normal username & password to connect:

conn = redshift_connector.connect(
    host='<my_redshift_host>',  # placeholder for the cluster endpoint
    database='dev',
    user='redshift-admin',
    password='iajsdoiajsdoijaosdijaojsd'
)

Error - raise InterfaceError("communication error", e) redshift_connector.error.InterfaceError: ('communication error', gaierror(8, 'nodename nor servname provided, or not known'))

Reproduction code

conn = redshift_connector.connect(
    iam=True,
    database='dev',
    db_user='redshift-admin',
    password='',  # tried using aws user password
    user='',  # tried using aws username
    cluster_identifier='redshift-cluster-1',
    profile='default'
)

Issue Analytics

  • State: closed
  • Created 2 years ago
  • Comments: 5 (3 by maintainers)

Top GitHub Comments

1 reaction
aseem-poloniex commented, Oct 21, 2021
  1. Yes
  2. Yes, it works with raw username and password
  3. Putting a breakpoint revealed that the host in core.py was different from the actual Redshift host. Further investigation showed that the region in my ~/.aws/credentials and ~/.aws/config was different from the region where the Redshift cluster exists. So I set those regions in my credentials and config file to match the Redshift region and it worked.

0 reactions
Brooke-white commented, Oct 21, 2021

Thank you @aseem-poloniex,

I’ve been unable to reproduce this failure locally. I took the following steps to set up using IAM from the default profile.

  1. Place temporary IAM credentials in ~/.aws/credentials
  2. Executed the following script.

Also, you shouldn’t need to pass user or password to redshift_connector.connect(...), assuming you don’t intend to pass any values.

import redshift_connector

with redshift_connector.connect(
        iam=True,
        database='dev',
        db_user='awsuser',
        cluster_identifier='redshift-cluster-1',
        profile='default'
) as conn:
    with conn.cursor() as cursor:
        cursor.execute('select 1')
        data = cursor.fetchall()
        print(data)  # prints ([1],)

The contents of ~/.aws/credentials

[default]
region=us-east-2
AWS_ACCESS_KEY_ID=xxx
AWS_SECRET_ACCESS_KEY=xxx
AWS_SESSION_TOKEN=xxx

Based on where this error is occurring, the IAM authentication has completed (i.e. hostname, port, and IAM user have been retrieved) and the problem is with creating a connection to the hostname for the cluster (which is returned during the authentication process), which makes me think this is an issue with the IAM role’s configuration or the DNS responder on your Mac. Usually when there is an issue with the IAM role, an error about connection timeout is populated, but I figure this would be good to double check.

I’d recommend trying the following:

  1. verify the IAM role has the proper definition to provide your machine access
  2. (if possible), try connecting to the cluster as a native DB user (i.e. using DB username/password host and port). If you’re unable to do so, this indicates there’s another issue at play here that’s preventing you from accessing the cluster (e.g. misconfigured IAM, VPN required, etc.).
  3. (if possible), set a breakpoint in core.py where the exception is raised. Look to the variables host and port. Are they as expected? What happens if you execute telnet <host> <port>?
  4. Restart your Mac’s DNS responder

If you continue to see the issue, please generate the debug logs using the instructions here and provide them in this issue so I can investigate further.
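
The region mismatch found in this thread can be checked before connecting. The following is an added example, not code from the issue or from redshift_connector: it reads a profile's region from the two AWS files and compares it with the cluster's region, and it tests whether an endpoint name resolves. The `analytics` profile, the `us-west-2` cluster region and all helper names are assumptions, and the file contents are constructed samples.

```python
import configparser
import socket
import tempfile
from pathlib import Path

# Constructed sample files: the default profile points at us-east-2 while the
# cluster is assumed to live in us-west-2, the kind of mismatch reported above.
SAMPLE_CONFIG = "[default]\nregion = us-east-2\n\n[profile analytics]\nregion = us-west-2\n"
SAMPLE_CREDENTIALS = ("[default]\nregion = us-east-2\n"
                      "aws_access_key_id = xxx\naws_secret_access_key = xxx\n")


def profile_regions(profile, config_path, credentials_path):
    """Return {path: region} for each AWS file that sets a region for profile."""
    # ~/.aws/config names non-default sections "profile <name>";
    # ~/.aws/credentials uses the bare profile name.
    config_section = profile if profile == "default" else f"profile {profile}"
    found = {}
    for path, section in ((config_path, config_section), (credentials_path, profile)):
        parser = configparser.ConfigParser()
        parser.read(path)  # a missing file is skipped without error
        if parser.has_section(section) and parser.has_option(section, "region"):
            found[path] = parser.get(section, "region").strip()
    return found


def region_problems(profile, cluster_region, config_path, credentials_path):
    """List every file whose region for profile differs from the cluster's region."""
    regions = profile_regions(profile, config_path, credentials_path)
    if not regions:
        return [f"profile {profile!r} sets no region"]
    return [f"{Path(path).name}: {region} != {cluster_region}"
            for path, region in regions.items() if region != cluster_region]


def host_resolves(host, port=5439):
    """True if the endpoint name resolves; gaierror is the failure in the report."""
    try:
        socket.getaddrinfo(host, port)
        return True
    except socket.gaierror:
        return False


def demo(profile="default", cluster_region="us-west-2"):
    """Run the region check against the constructed sample files."""
    with tempfile.TemporaryDirectory() as tmp:
        config, credentials = Path(tmp, "config"), Path(tmp, "credentials")
        config.write_text(SAMPLE_CONFIG)
        credentials.write_text(SAMPLE_CREDENTIALS)
        return region_problems(profile, cluster_region, config, credentials)
```

Against real files, call `region_problems` with `Path.home() / ".aws" / "config"` and `Path.home() / ".aws" / "credentials"`, and pass the host seen at the breakpoint to `host_resolves`.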
