IAM error retrieving temp credentials: The security token included in the request is invalid #55

Closed
tobyayre opened this issue May 20, 2022 · 3 comments

@tobyayre

Driver version

2.1.0.7

Redshift version

PostgreSQL 8.0.2 on i686-pc-linux-gnu, compiled by GCC gcc (GCC) 3.4.2 20041017 (Red Hat 3.4.2-6.fc3), Redshift 1.0.38431

Client Operating System

Windows 10

JAVA/JVM version

11.0.12

Table schema

N/A

Problem description

When using MFA with IAM, it is not possible to connect to Redshift Serverless via a network load balancer (NLB) using separate parameters for AccessKeyID, SecretAccessKey and SessionToken.

  1. Expected behaviour:
    It should be possible to specify these as 3 separate parameters in the connection string. e.g.
    jdbc:redshift:iam://{nlb-host}:5439/dev?AccessKeyID={xx}&SecretAccessKey={xx}&SessionToken={xx}&isServerless=true
    (note: isServerless=true relates to issue 54)

  2. Actual behaviour:
    Error message "IAM error retrieving temp credentials: The security token included in the request is invalid."
    The security token is not invalid because it works perfectly via the CLI.

  3. Error message/stack trace:
    IAM error retrieving temp credentials: The security token included in the request is invalid

  4. Any other details that can be helpful:
    I overcame this issue by storing the access keys and session token in a named profile and using the Profile parameter in the connection string instead e.g. jdbc:redshift:iam://{nlb-host}:5439/dev?isServerless=true&Profile=my-profile

@iggarish
Contributor

Thanks for reporting the issue. We will get back to you ASAP. In the meantime, if you can generate driver logs, that will be helpful to troubleshoot the issue. Try to give IAM credentials as properties instead of in the URL. If it's in the URL, make sure it's URL encoded.

@iggarish
Contributor

Did you try specifying the access key, secret key, and session token in the properties instead of the URL? Is it working?

@tobyayre
Author

Hi @iggarish, I managed to get it working by specifying these as properties rather than in the URL. Thanks for your help!
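
The resolution the thread arrived at, as an added example that is not code from the issue or from the driver project: the three credentials passed as JDBC properties, next to the URL form with each value percent-encoded. The host name, the sample credential strings and the REDSHIFT_CONNECT switch are constructed for illustration, and the '+' to space behaviour shown assumes the URL is parsed like a standard query string.

```java
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.sql.Connection;
import java.sql.DriverManager;
import java.util.Properties;

public class RedshiftIamCredentials {
    // Placeholder endpoint (assumption); replace with the real NLB host.
    static final String BASE_URL = "jdbc:redshift:iam://nlb-host.example.com:5439/dev";

    /** Credentials as driver properties: no encoding step, nothing secret in the URL. */
    static Properties asProperties(String keyId, String secret, String token) {
        Properties p = new Properties();
        p.setProperty("AccessKeyID", keyId);
        p.setProperty("SecretAccessKey", secret);
        p.setProperty("SessionToken", token);
        p.setProperty("isServerless", "true");
        return p;
    }

    /** Credentials in the URL: every value must be percent-encoded first. */
    static String asUrl(String keyId, String secret, String token) {
        return BASE_URL
            + "?AccessKeyID=" + enc(keyId)
            + "&SecretAccessKey=" + enc(secret)
            + "&SessionToken=" + enc(token)
            + "&isServerless=true";
    }

    static String enc(String v) { return URLEncoder.encode(v, StandardCharsets.UTF_8); }

    public static void main(String[] args) throws Exception {
        // Constructed sample values, not real credentials.
        String keyId = "ASIAEXAMPLEKEYID0000";
        String secret = "abc/DEF+ghi/EXAMPLESECRET";
        String token = "FwoGZXIvYXdzEXAMPLE+tok/en==";
        // What a URL-decoding parser recovers from an unencoded token: '+' turns into a space.
        String mangled = URLDecoder.decode(token, StandardCharsets.UTF_8);
        System.out.println("raw token survives decoding: " + mangled.equals(token));
        System.out.println("encoded URL: " + asUrl(keyId, secret, token));
        // Hypothetical switch: connect only when REDSHIFT_CONNECT is set (needs real values above).
        if (System.getenv("REDSHIFT_CONNECT") != null) {
            try (Connection c = DriverManager.getConnection(BASE_URL, asProperties(keyId, secret, token))) {
                System.out.println("connected: " + !c.isClosed());
            }
        }
    }
}
```

Passing the values as properties also keeps the access key, secret and session token out of the connection string, which is the part most likely to end up in logs, configuration dumps and error messages.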
