amazon-redshift amazon-rds amazon-redshift-spectrum

Redshift-Postgres RDS federated query: Authentication method 10 not supported


The VPC is configured, and the secret is in Secrets Manager with the correct policy attached to the Redshift cluster.

I created the external schema using:

CREATE EXTERNAL SCHEMA schema_ext
FROM POSTGRES
DATABASE 'db' SCHEMA 'schema'
URI 'rds.some_symbols.eu-west-1.rds.amazonaws.com' PORT 5432
IAM_ROLE 'arn:aws:iam::999999999999:role/redshift-iam-role'
SECRET_ARN 'arn:aws:secretsmanager:eu-west-1:999999999999:secret:some-secret-some-symbols';

But when I try to run a query against some table in this schema, I get an error:

  SQL Error [XX000]: ERROR: 
  -----------------------------------------------
  error:  authentication method 10 not supported

  code:      25300
  context:   
  query:     0
  location:  pgclient.cpp:535
  process:   padbmaster [pid=2022]
  -----------------------------------------------

The details for this error are as follows:

org.jkiss.dbeaver.model.sql.DBSQLException: SQL Error [XX000]: ERROR: 
  -----------------------------------------------
  error:  authentication method 10 not supported

  code:      25300
  context:   
  query:     0
  location:  pgclient.cpp:535
  process:   padbmaster [pid=2022]
  -----------------------------------------------

    at org.jkiss.dbeaver.model.impl.jdbc.exec.JDBCStatementImpl.executeStatement(JDBCStatementImpl.java:133)
    at org.jkiss.dbeaver.ui.editors.sql.execute.SQLQueryJob.executeStatement(SQLQueryJob.java:575)
    at org.jkiss.dbeaver.ui.editors.sql.execute.SQLQueryJob.lambda$1(SQLQueryJob.java:484)
    at org.jkiss.dbeaver.model.exec.DBExecUtils.tryExecuteRecover(DBExecUtils.java:172)
    at org.jkiss.dbeaver.ui.editors.sql.execute.SQLQueryJob.executeSingleQuery(SQLQueryJob.java:491)
    at org.jkiss.dbeaver.ui.editors.sql.execute.SQLQueryJob.extractData(SQLQueryJob.java:878)
    at org.jkiss.dbeaver.ui.editors.sql.SQLEditor$QueryResultsContainer.readData(SQLEditor.java:3526)
    at org.jkiss.dbeaver.ui.controls.resultset.ResultSetJobDataRead.lambda$0(ResultSetJobDataRead.java:118)
    at org.jkiss.dbeaver.model.exec.DBExecUtils.tryExecuteRecover(DBExecUtils.java:172)
    at org.jkiss.dbeaver.ui.controls.resultset.ResultSetJobDataRead.run(ResultSetJobDataRead.java:116)
    at org.jkiss.dbeaver.ui.controls.resultset.ResultSetViewer$ResultSetDataPumpJob.run(ResultSetViewer.java:4868)
    at org.jkiss.dbeaver.model.runtime.AbstractJob.run(AbstractJob.java:105)
    at org.eclipse.core.internal.jobs.Worker.run(Worker.java:63)
Caused by: com.amazon.redshift.util.RedshiftException: ERROR: 
  -----------------------------------------------
  error:  authentication method 10 not supported

  code:      25300
  context:   
  query:     0
  location:  pgclient.cpp:535
  process:   padbmaster [pid=2022]
  -----------------------------------------------

    at com.amazon.redshift.core.v3.QueryExecutorImpl.receiveErrorResponse(QueryExecutorImpl.java:2601)
    at com.amazon.redshift.core.v3.QueryExecutorImpl.processResultsOnThread(QueryExecutorImpl.java:2269)
    at com.amazon.redshift.core.v3.QueryExecutorImpl.processResults(QueryExecutorImpl.java:1880)
    at com.amazon.redshift.core.v3.QueryExecutorImpl.processResults(QueryExecutorImpl.java:1872)
    at com.amazon.redshift.core.v3.QueryExecutorImpl.execute(QueryExecutorImpl.java:368)
    at com.amazon.redshift.jdbc.RedshiftStatementImpl.executeInternal(RedshiftStatementImpl.java:514)
    at com.amazon.redshift.jdbc.RedshiftStatementImpl.execute(RedshiftStatementImpl.java:435)
    at com.amazon.redshift.jdbc.RedshiftStatementImpl.executeWithFlags(RedshiftStatementImpl.java:376)
    at com.amazon.redshift.jdbc.RedshiftStatementImpl.executeCachedSql(RedshiftStatementImpl.java:362)
    at com.amazon.redshift.jdbc.RedshiftStatementImpl.executeWithFlags(RedshiftStatementImpl.java:339)
    at com.amazon.redshift.jdbc.RedshiftStatementImpl.execute(RedshiftStatementImpl.java:329)
    at org.jkiss.dbeaver.model.impl.jdbc.exec.JDBCStatementImpl.execute(JDBCStatementImpl.java:329)
    at org.jkiss.dbeaver.model.impl.jdbc.exec.JDBCStatementImpl.lambda$0(JDBCStatementImpl.java:131)
    at org.jkiss.dbeaver.utils.SecurityManagerUtils.wrapDriverActions(SecurityManagerUtils.java:94)
    at org.jkiss.dbeaver.model.impl.jdbc.exec.JDBCStatementImpl.executeStatement(JDBCStatementImpl.java:131)
    ... 12 more

I tried to run the same query from the query editor in the AWS Console for Redshift. The error seems to be the same:

ERROR: ----------------------------------------------- error: authentication method 10 not supported code: 25300 context: query: 0 location: pgclient.cpp:535 process: padbmaster [pid=12588] -----------------------------------------------

I tried updating the JDBC client drivers. No result.

Maybe the problem is in the custom KMS key used to encrypt the secret. But the guy who understands how it works says that "it decrypts and only then goes for authorization".

What should I do to avoid this error?


Solution

  • For now, there is no answer in the Redshift documentation.

    But what helped was explicitly changing the encryption to MD5 on the RDS side for the Redshift user:

    set password_encryption = 'md5';
    ALTER ROLE ... PASSWORD ...;
    

    Also, don't forget to run ANALYZE after dropping an object on the RDS side. SELECT on fresh objects can return an error for Redshift.
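
Added example, not part of the original answer and not Redshift's own code: in the PostgreSQL wire protocol, authentication request code 10 is AuthenticationSASL (the request a server sends for a role stored with a SCRAM-SHA-256 verifier), while code 5 is the MD5 password request. The Python sketch below decodes constructed sample messages and mimics a client that lacks SASL support; `LEGACY_CLIENT`, `client_check` and `build` are hypothetical names, and treating the federated-query client as pre-SCRAM is an assumption.

```python
import struct

# Authentication request sub-types from the PostgreSQL v3 wire protocol.
AUTH_METHODS = {
    0: "AuthenticationOk",
    2: "AuthenticationKerberosV5",
    3: "AuthenticationCleartextPassword",
    5: "AuthenticationMD5Password",
    7: "AuthenticationGSS",
    9: "AuthenticationSSPI",
    10: "AuthenticationSASL",
}


def parse_auth_request(msg: bytes) -> dict:
    """Decode one backend 'R' message: type byte, int32 length, int32 code, payload."""
    if len(msg) < 9 or msg[0:1] != b"R":
        raise ValueError("not an authentication request message")
    length, code = struct.unpack("!II", msg[1:9])
    if length != len(msg) - 1:  # length counts itself but not the type byte
        raise ValueError("length field does not match message size")
    payload = msg[9:]
    info = {"code": code, "name": AUTH_METHODS.get(code, "unknown")}
    if code == 5:
        if len(payload) != 4:
            raise ValueError("MD5 request must carry a 4-byte salt")
        info["salt"] = payload
    elif code == 10:
        # NUL-terminated mechanism names, closed by an empty name.
        info["mechanisms"] = [m.decode("ascii") for m in payload.split(b"\x00") if m]
    return info


def client_check(msg: bytes, supported: set) -> str:
    """Mimic a client that implements only the auth codes in `supported`."""
    info = parse_auth_request(msg)
    if info["code"] not in supported:
        return f"authentication method {info['code']} not supported"
    return f"proceeding with {info['name']}"


def build(code: int, payload: bytes = b"") -> bytes:
    """Build a constructed sample 'R' message (not captured traffic)."""
    return b"R" + struct.pack("!II", 8 + len(payload), code) + payload


SCRAM_REQUEST = build(10, b"SCRAM-SHA-256\x00\x00")  # role has a SCRAM verifier
MD5_REQUEST = build(5, b"\x01\x02\x03\x04")          # role has an MD5 verifier
LEGACY_CLIENT = {0, 3, 5}                            # assumed pre-SCRAM client
```

`SET password_encryption` is a session-level setting, so only the role whose password is reset in that session is stored as an MD5 verifier; other roles keep their existing verifiers.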