【Question title】: How to solve AWS RDS issue: psycopg2.OperationalError: FATAL: password authentication failed for user "root"
【Posted】: 2021-08-07 00:48:21
【Question description】:

I am using Terraform and have built the following infrastructure:

  • A VPC with a public subnet
  • ECS Fargate and ECR
  • A public RDS instance in the public subnet

I am using Django as the backend framework.

Everything seemed fine (the docker compose logs look good, and I can reach AWS RDS from my terminal with psql and the RDS endpoint) until the ECS task starts and then stops immediately with the log message:

psycopg2.OperationalError: FATAL: password authentication failed for user "root"

Here are the logs from docker-compose logs

db          | The files belonging to this database system will be owned by user "postgres".
db          | This user must also own the server process.
db          | 
db          | The database cluster will be initialized with locale "en_US.utf8".
db          | The default database encoding has accordingly been set to "UTF8".
db          | The default text search configuration will be set to "english".
db          | 
db          | Data page checksums are disabled.
db          | 
db          | fixing permissions on existing directory /var/lib/postgresql/data ... ok
db          | creating subdirectories ... ok
db          | selecting dynamic shared memory implementation ... posix
db          | selecting default max_connections ... 100
db          | selecting default shared_buffers ... 128MB
db          | selecting default time zone ... Etc/UTC
db          | creating configuration files ... ok
db          | running bootstrap script ... ok
db          | performing post-bootstrap initialization ... ok
db          | syncing data to disk ... ok
db          | 
db          | 
db          | Success. You can now start the database server using:
db          | 
db          |     pg_ctl -D /var/lib/postgresql/data -l logfile start
db          | 
db          | initdb: warning: enabling "trust" authentication for local connections
db          | You can change this by editing pg_hba.conf or using the option -A, or
db          | --auth-local and --auth-host, the next time you run initdb.
db          | waiting for server to start....2021-08-08 16:34:32.374 UTC [48] LOG:  starting PostgreSQL 13.3 (Debian 13.3-1.pgdg100+1) on x86_64-pc-linux-gnu, compiled by gcc (Debian 8.3.0-6) 8.3.0, 64-bit
db          | 2021-08-08 16:34:32.375 UTC [48] LOG:  listening on Unix socket "/var/run/postgresql/.s.PGSQL.5432"
db          | 2021-08-08 16:34:32.382 UTC [49] LOG:  database system was shut down at 2021-08-08 16:34:31 UTC
db          | 2021-08-08 16:34:32.388 UTC [48] LOG:  database system is ready to accept connections
db          |  done
db          | server started
db          | CREATE DATABASE
db          | 
db          | 
db          | /usr/local/bin/docker-entrypoint.sh: ignoring /docker-entrypoint-initdb.d/*
db          | 
db          | 2021-08-08 16:34:32.842 UTC [48] LOG:  received fast shutdown request
db          | waiting for server to shut down....2021-08-08 16:34:32.844 UTC [48] LOG:  aborting any active transactions
db          | 2021-08-08 16:34:32.850 UTC [48] LOG:  background worker "logical replication launcher" (PID 55) exited with exit code 1
db          | 2021-08-08 16:34:32.851 UTC [50] LOG:  shutting down
db          | 2021-08-08 16:34:32.886 UTC [48] LOG:  database system is shut down
db          |  done
db          | server stopped
db          | 
db          | PostgreSQL init process complete; ready for start up.
db          | 
db          | 2021-08-08 16:34:33.008 UTC [1] LOG:  starting PostgreSQL 13.3 (Debian 13.3-1.pgdg100+1) on x86_64-pc-linux-gnu, compiled by gcc (Debian 8.3.0-6) 8.3.0, 64-bit
db          | 2021-08-08 16:34:33.008 UTC [1] LOG:  listening on IPv4 address "0.0.0.0", port 5432
db          | 2021-08-08 16:34:33.008 UTC [1] LOG:  listening on IPv6 address "::", port 5432
db          | 2021-08-08 16:34:33.012 UTC [1] LOG:  listening on Unix socket "/var/run/postgresql/.s.PGSQL.5432"
db          | 2021-08-08 16:34:33.017 UTC [76] LOG:  database system was shut down at 2021-08-08 16:34:32 UTC
db          | 2021-08-08 16:34:33.024 UTC [1] LOG:  database system is ready to accept connections

Logs from RDS

2021-08-06 16:56:12 UTC:10.0.2.174(39934):root@testdb:[5710]:DETAIL:  Role "root" does not exist.
    Connection matched pg_hba.conf line 13: "host   all             all         all         md5"

Dockerfile

FROM python:3.8

ENV PYTHONDONTWRITEBYTECODE 1
ENV PYTHONUNBUFFERED 1

WORKDIR /backend

COPY  requirements.txt /backend/

RUN pip install -r requirements.txt && \
    pip install --upgrade pip


COPY . /backend/


COPY ./entrypoint.sh /

ENTRYPOINT ["sh", "/entrypoint.sh"]

entrypoint.sh

#!/bin/sh

set -e

python manage.py migrate --no-input

python manage.py collectstatic --no-input

gunicorn backend.wsgi:application --bind 0.0.0.0:8000

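I don't know why this is happening.

Can anyone help me understand this, since there is no problem at all with the local PostgreSQL?

【Comments】:

  • When you logged in with psql, did you do so as the database account named 'root'?
  • @jjanes no, I logged in with a local user, and in Django's settings.py I used the same credentials + user as when I created the RDS instance.
  • The error message is clear. Something must have gone wrong when creating or reading settings.py
  • Have you checked the postgresql log file? Do you need an entry in pg_hba.conf?
  • Best guess is that you are not providing the database username in the connection, and it is running that connection as the root user. Check the Postgres logs to see what happened before the connection was refused.

Tags: python python-3.x postgresql amazon-web-services docker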


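【Solution 1】:

You cannot use the root database account for an RDS database. That is a reserved account that only Amazon has access to. You need to check your RDS database configuration and find out what your admin account name is.

【Comments】:

  • Thanks for pointing me and my future self in the right direction. All you have to do is set the docker container to a non-root user... solved!
  • No! The docker container user should have nothing to do with the database account name being used, unless you aren't setting the database account name correctly in your code.
  • It works now. As long as I set the Dockerfile to non-root, I can access the application from the browser via the DNS provided by the AWS load balancer, 100% no problem.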
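
The comments above guess that the connection carried no database username and therefore ran as root. The following is an added example, not code from the original post: it models the fallback order (Django passes `user` to psycopg2 only when `USER` is non-empty, and libpq then uses `PGUSER` or the OS account name) and builds `DATABASES` so that the app refuses to start when a value is missing. The `DB_*` variable names and the host value are assumptions.

```python
import os

# Assumed environment variable names; adjust to the ECS task definition.
REQUIRED = ("DB_NAME", "DB_USER", "DB_PASSWORD", "DB_HOST")


def effective_db_user(settings_user, env, os_user):
    """Return the role PostgreSQL will see, following the fallback order.

    An empty Django USER is not sent at all, so libpq falls back to the
    PGUSER variable and finally to the OS account running the process.
    """
    return settings_user or env.get("PGUSER") or os_user


def build_databases(env):
    """Build Django's DATABASES dict, refusing to start on missing values."""
    missing = [key for key in REQUIRED if not env.get(key, "").strip()]
    if missing:
        raise RuntimeError("missing database settings: " + ", ".join(missing))
    return {
        "default": {
            "ENGINE": "django.db.backends.postgresql",
            "NAME": env["DB_NAME"],
            "USER": env["DB_USER"],
            "PASSWORD": env["DB_PASSWORD"],
            "HOST": env["DB_HOST"],
            "PORT": env.get("DB_PORT", "5432"),
        }
    }


if __name__ == "__main__":
    # Constructed case: the task forgot DB_USER and the container runs as root.
    task_env = {
        "DB_NAME": "testdb",
        "DB_PASSWORD": "example-only",
        "DB_HOST": "db.example.internal",
    }
    role = effective_db_user(task_env.get("DB_USER"), task_env, "root")
    print("role sent without DB_USER:", role)
    try:
        build_databases(task_env)
    except RuntimeError as exc:
        print("startup refused:", exc)
    # In settings.py: DATABASES = build_databases(os.environ)
```

With this in place, a missing username shows up as a startup error naming the variable, instead of an authentication failure for whichever OS user the container happens to run as.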