rds.Credentials: cannot generate secret even having lots of characters excluded


What is the problem?

We are getting this error in CloudFormation when trying to create a Postgres instance:

Reason: The parameter MasterUserPassword is not a valid password. Only printable ASCII characters besides '/', '@', '"', ' ' may be used. (Service: AmazonRDS; Status Code: 400; Error Code: InvalidParameterValue; Request ID: d463b57c-d017-415a-abd6-454db4b08d84)

but we have added all the possible characters we could think of in the except. Being quick before CloudFormation rolled back the secret, we could see all the secret contained were regular characters.

Reproduction Steps

This is how we generate the credentials

credentials = rds.Credentials.from_generated_secret(
    username=GENERIC_USERNAME,
    secret_name=secret_name,
    # Excluding chars by PSQL url restrictions
    exclude_characters="^ %+~`#$&*()|[]{}:;,-<>?!'/\\\",="
)

What did you expect to happen?

Create the master password for postgres

What actually happened?

It couldn’t create it

CDK CLI Version

1.125.0

Framework Version

No response

Node.js Version

The one used by codepipeline

OS

The one used by codepipeline

Language

Python

Language Version

No response

Other information

We are having this problem deploying from local and running a codepipeline deploying the cdk.

Issue Analytics

  • State: closed
  • Created 2 years ago
  • Comments: 17 (7 by maintainers)

Top GitHub Comments

1 reaction
klang commented, Apr 8, 2022

@skinny85 I’ll open a separate issue.

I actually only commented on this old issue, because I wanted “the next person” to have a slightly easier way to fix the problem 😃

There are two problems:

  1. the default exclude set isn’t good enough for Oracle
  2. “^” cannot be the first character in the exclude set.

0 reactions
surdu commented, Sep 20, 2022

Having the same issue, but with MariaDB and passing the pattern to secretsmanager.Secret instead (as I need to also add a secret rotation schedule).

Even the suggested solution pattern ( ^%+~$&*()|[]{}:;,-<>?!'/\",=`) doesn’t fix the problem.

My code:

const dbSecret = new secretsmanager.Secret(this, "DBSecret", {
	secretName: "TestDB-Credentials",
	generateSecretString: {
		secretStringTemplate: JSON.stringify({ username: "my-user" }),
		generateStringKey: "password",
		excludeCharacters: " ^%+~`$&*()|[]{}:;,-<>?!'/\\\",=",
	},
});
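
A check of an exclude set against the four characters named in the RDS error message, as an added example that is not part of the issue or of the CDK code base. It assumes the generator draws from ASCII letters, digits and the punctuation set documented for Secrets Manager's GetRandomPassword, with the default length of 32; the function names are hypothetical.

```python
import math
import string

# Characters the RDS error message on this page says may not be used.
RDS_FORBIDDEN = set('/@" ')


def generator_alphabet(exclude, include_space=False):
    """Characters the generator can still emit after applying the exclude set.

    Assumption: the default alphabet is ASCII letters, digits and the
    punctuation documented for GetRandomPassword (the same characters as
    Python's string.punctuation); spaces are off unless requested.
    """
    alphabet = set(string.ascii_letters + string.digits + string.punctuation)
    if include_space:
        alphabet.add(" ")
    return alphabet - set(exclude)


def reachable_forbidden(exclude, include_space=False):
    """RDS-forbidden characters that the exclude set fails to cover."""
    return sorted(generator_alphabet(exclude, include_space) & RDS_FORBIDDEN)


def entropy_bits(exclude, length=32):
    """Upper bound on entropy, assuming uniformly drawn characters.

    Assumption: length 32 is the generator's default password length.
    """
    return length * math.log2(len(generator_alphabet(exclude)))


# Exclude sets exactly as written in the two snippets on this page.
ISSUE_EXCLUDE = "^ %+~`#$&*()|[]{}:;,-<>?!'/\\\",="
COMMENT_EXCLUDE = " ^%+~`$&*()|[]{}:;,-<>?!'/\\\",="

if __name__ == "__main__":
    cases = [("issue", ISSUE_EXCLUDE),
             ("comment", COMMENT_EXCLUDE),
             ("issue plus '@'", ISSUE_EXCLUDE + "@")]
    for name, exclude in cases:
        print(f"{name}: still reachable {reachable_forbidden(exclude)}, "
              f"alphabet {len(generator_alphabet(exclude))}, "
              f"~{entropy_bits(exclude):.1f} bits")
```

For both exclude sets quoted on this page the check reports `@` as still reachable, so a generated password can contain a character the error message rejects. Wide exclude sets also shrink the alphabet, which the entropy figure makes visible.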