Unable to connect to aws-rds with OIDC Federation

I tried setting up OIDC Federation for AWS and was not successful. Based on errors I am unsure how to proceed with debugging. Any help much appreciated.

Replication steps

Basic setup

  1. npx create-next-app → follow setup (ts, app-router)
  2. vercel
  3. Enable OIDC

Configure AWS account

1. Creating OIDC IdP
This was easy and the screenshot very helpful :white_check_mark:

2. Creating the IAM role
A screenshot would have been helpful; it was initially not clear enough to me

  • to select “Custom trust policy” in that flow.
  • to know which appropriate policies to attach to make the example work.
  1. IAM > Roles > Create role > Select trusted entity > Custom trust policy > Copy/paste policy from guide > Replace [TEAM_SLUG] and [YOUR AWS ACCOUNT ID] > Next
  2. Add permissions > Add AmazonRDSDataFullAccess and AmazonRDSReadOnlyAccess > Next
  3. Name, review, create > Create role
  4. Copy ARN

3. Define the ARN as env var

  1. Go to https://vercel.com/[TEAM_SLUG]/[PROJECT]/settings/environment-variables
  2. Add AWS_ROLE_ARN=...
  3. Run vercel env pull
vercel env pull
Vercel CLI 37.4.1
> Downloading `development` Environment Variables for [project]
✅  Created .env.local file  [227ms]

Query an AWS RDS instance

  1. Copy/paste file for /api/aws-rds.ts
  2. Realize we need a bunch of new env vars, and that RDS_CA_PEM is an unused const in the example.
  3. Go to https://vercel.com/[TEAM_SLUG]/[PROJECT]/settings/environment-variables and create missing env vars from verified database connection string (in my case from DataGrip)
  4. vercel env pull
  5. pnpm dev
  6. Access http://localhost:3000/aws-rds → error in logs (working path redacted)
> next dev

  ▲ Next.js 14.2.9
  - Local:        http://localhost:3000
  - Environments: .env.local

 ✓ Starting...
 ✓ Ready in 1046ms
 ○ Compiling /aws-rds ...
 ✓ Compiled /aws-rds in 536ms (650 modules)
 ⨯ Error: connect ENETUNREACH 172.16.2.90:5432
    at /node_modules/.pnpm/pg-pool@3.6.2_pg@8.12.0/node_modules/pg-pool/index.js:45:11
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async GET (webpack-internal:///(rsc)/./app/aws-rds/route.ts:40:20)
    at async /node_modules/.pnpm/next@14.2.9_react-dom@18.3.1_react@18.3.1/node_modules/next/dist/compiled/next-server/app-route.runtime.dev.js:6:55753
    at async eO.execute (/node_modules/.pnpm/next@14.2.9_react-dom@18.3.1_react@18.3.1/node_modules/next/dist/compiled/next-server/app-route.runtime.dev.js:6:46523)
    at async eO.handle (/node_modules/.pnpm/next@14.2.9_react-dom@18.3.1_react@18.3.1/node_modules/next/dist/compiled/next-server/app-route.runtime.dev.js:6:57007)
    at async doRender (/node_modules/.pnpm/next@14.2.9_react-dom@18.3.1_react@18.3.1/node_modules/next/dist/server/base-server.js:1359:42)
    at async cacheEntry.responseCache.get.routeKind (/node_modules/.pnpm/next@14.2.9_react-dom@18.3.1_react@18.3.1/node_modules/next/dist/server/base-server.js:1581:28)
    at async DevServer.renderToResponseWithComponentsImpl (/node_modules/.pnpm/next@14.2.9_react-dom@18.3.1_react@18.3.1/node_modules/next/dist/server/base-server.js:1489:28)
    at async DevServer.renderPageComponent (/node_modules/.pnpm/next@14.2.9_react-dom@18.3.1_react@18.3.1/node_modules/next/dist/server/base-server.js:1913:24)
    at async DevServer.renderToResponseImpl (/node_modules/.pnpm/next@14.2.9_react-dom@18.3.1_react@18.3.1/node_modules/next/dist/server/base-server.js:1951:32)
    at async DevServer.pipeImpl (/node_modules/.pnpm/next@14.2.9_react-dom@18.3.1_react@18.3.1/node_modules/next/dist/server/base-server.js:917:25)
    at async NextNodeServer.handleCatchallRenderRequest (/node_modules/.pnpm/next@14.2.9_react-dom@18.3.1_react@18.3.1/node_modules/next/dist/server/next-server.js:272:17)
    at async DevServer.handleRequestImpl (/node_modules/.pnpm/next@14.2.9_react-dom@18.3.1_react@18.3.1/node_modules/next/dist/server/base-server.js:813:17)
    at async /node_modules/.pnpm/next@14.2.9_react-dom@18.3.1_react@18.3.1/node_modules/next/dist/server/dev/next-dev-server.js:339:20
    at async Span.traceAsyncFn (/node_modules/.pnpm/next@14.2.9_react-dom@18.3.1_react@18.3.1/node_modules/next/dist/trace/trace.js:154:20)
    at async DevServer.handleRequest (/node_modules/.pnpm/next@14.2.9_react-dom@18.3.1_react@18.3.1/node_modules/next/dist/server/dev/next-dev-server.js:336:24)
    at async invokeRender (/node_modules/.pnpm/next@14.2.9_react-dom@18.3.1_react@18.3.1/node_modules/next/dist/server/lib/router-server.js:173:21)
    at async handleRequest (/node_modules/.pnpm/next@14.2.9_react-dom@18.3.1_react@18.3.1/node_modules/next/dist/server/lib/router-server.js:350:24)
    at async requestHandlerImpl (/node_modules/.pnpm/next@14.2.9_react-dom@18.3.1_react@18.3.1/node_modules/next/dist/server/lib/router-server.js:374:13)
    at async Server.requestListener (/node_modules/.pnpm/next@14.2.9_react-dom@18.3.1_react@18.3.1/node_modules/next/dist/server/lib/start-server.js:141:13) {
  errno: -51,
  code: 'ENETUNREACH',
  syscall: 'connect',
  address: '172.16.2.90',
  port: 5432
}
 GET /aws-rds 500 in 11718ms
  7. Try and see if it works on Vercel → vercel → Build logs below
[14:58:44.856] Running build in Washington, D.C., USA (East) – iad1
[14:58:44.964] Retrieving list of deployment files...
[14:58:45.414] Downloading 17 deployment files...
[14:58:45.564] Previous build caches not available
[14:58:45.997] Running "vercel build"
[14:58:46.408] Vercel CLI 37.4.1
[14:58:46.807] Detected `pnpm-lock.yaml` version 6 generated by pnpm@8.x
[14:58:46.822] Installing dependencies...
[14:58:47.407] Lockfile is up to date, resolution step is skipped
[14:58:47.464] Progress: resolved 1, reused 0, downloaded 0, added 0
[14:58:47.601] Packages: +460
[14:58:47.602] ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
[14:58:48.469] Progress: resolved 460, reused 0, downloaded 88, added 79
[14:58:49.469] Progress: resolved 460, reused 0, downloaded 171, added 158
[14:58:50.471] Progress: resolved 460, reused 0, downloaded 273, added 259
[14:58:51.471] Progress: resolved 460, reused 0, downloaded 415, added 408
[14:58:52.472] Progress: resolved 460, reused 0, downloaded 459, added 459
[14:58:53.473] Progress: resolved 460, reused 0, downloaded 460, added 459
[14:58:53.869] Progress: resolved 460, reused 0, downloaded 460, added 460, done
[14:58:54.128] 
[14:58:54.128] dependencies:
[14:58:54.128] + @aws-sdk/rds-signer 3.645.0
[14:58:54.128] + @vercel/functions 1.4.1
[14:58:54.128] + next 14.2.9
[14:58:54.128] + pg 8.12.0
[14:58:54.128] + react 18.3.1
[14:58:54.128] + react-dom 18.3.1
[14:58:54.128] 
[14:58:54.128] devDependencies:
[14:58:54.128] + @types/node 20.16.5
[14:58:54.128] + @types/pg 8.11.8
[14:58:54.128] + @types/react 18.3.5
[14:58:54.128] + @types/react-dom 18.3.0
[14:58:54.129] + eslint 8.57.0
[14:58:54.129] + eslint-config-next 14.2.9
[14:58:54.129] + postcss 8.4.45
[14:58:54.129] + tailwindcss 3.4.10
[14:58:54.129] + typescript 5.6.2
[14:58:54.129] 
[14:58:54.143] Done in 7.2s
[14:58:54.203] Detected Next.js version: 14.2.9
[14:58:54.213] Running "pnpm run build"
[14:58:54.726] 
[14:58:54.726] > oidc-rds@0.1.0 build /vercel/path0
[14:58:54.726] > next build
[14:58:54.726] 
[14:58:55.421] Attention: Next.js now collects completely anonymous telemetry regarding usage.
[14:58:55.421] This information is used to shape Next.js' roadmap and prioritize features.
[14:58:55.421] You can learn more, including how to opt-out if you'd not like to participate in this anonymous program, by visiting the following URL:
[14:58:55.421] https://nextjs.org/telemetry
[14:58:55.421] 
[14:58:55.488]   ▲ Next.js 14.2.9
[14:58:55.489] 
[14:58:55.566]    Creating an optimized production build ...
[14:59:14.340]  ✓ Compiled successfully
[14:59:14.341]    Linting and checking validity of types ...
[14:59:17.469]    Collecting page data ...
[14:59:18.743]    Generating static pages (0/6) ...
[14:59:18.910]    Generating static pages (1/6) 
[14:59:18.910]    Generating static pages (2/6) 
[14:59:19.052]    Generating static pages (4/6) 
[15:00:19.066]  ⚠ Sending SIGTERM signal to static worker due to timeout of 60 seconds. Subsequent errors may be a result of the worker exiting.
[15:00:19.571]  ⨯ Static worker exited with code: null and signal: SIGTERM
[15:00:19.571]  ⚠ Restarted static page generation for /aws-rds because it took more than 60 seconds
[15:00:19.571]  ⚠ See more info here https://nextjs.org/docs/messages/static-page-generation-timeout
[15:01:19.633]  ⚠ Sending SIGTERM signal to static worker due to timeout of 60 seconds. Subsequent errors may be a result of the worker exiting.
[15:01:20.138]  ⨯ Static worker exited with code: null and signal: SIGTERM
[15:01:20.138]  ⚠ Restarted static page generation for /aws-rds because it took more than 60 seconds
[15:02:20.163]  ⚠ Sending SIGTERM signal to static worker due to timeout of 60 seconds. Subsequent errors may be a result of the worker exiting.
[15:02:20.668]  ⨯ Static worker exited with code: null and signal: SIGTERM
[15:02:20.670] 
[15:02:20.670] > Build error occurred
[15:02:20.672] Error: Static page generation for /aws-rds is still timing out after 3 attempts. See more info here https://nextjs.org/docs/messages/static-page-generation-timeout
[15:02:20.672]     at onRestart (/vercel/path0/node_modules/.pnpm/next@14.2.9_react-dom@18.3.1_react@18.3.1/node_modules/next/dist/build/index.js:279:27)
[15:02:20.672]     at /vercel/path0/node_modules/.pnpm/next@14.2.9_react-dom@18.3.1_react@18.3.1/node_modules/next/dist/lib/worker.js:95:40
[15:02:20.672]     at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
[15:02:20.672]     at async /vercel/path0/node_modules/.pnpm/next@14.2.9_react-dom@18.3.1_react@18.3.1/node_modules/next/dist/export/index.js:450:20
[15:02:20.672]     at async Span.traceAsyncFn (/vercel/path0/node_modules/.pnpm/next@14.2.9_react-dom@18.3.1_react@18.3.1/node_modules/next/dist/trace/trace.js:154:20)
[15:02:20.672]     at async /vercel/path0/node_modules/.pnpm/next@14.2.9_react-dom@18.3.1_react@18.3.1/node_modules/next/dist/export/index.js:448:24
[15:02:20.672]     at async Promise.all (index 5)
[15:02:20.672]     at async exportAppImpl (/vercel/path0/node_modules/.pnpm/next@14.2.9_react-dom@18.3.1_react@18.3.1/node_modules/next/dist/export/index.js:440:21)
[15:02:20.672]     at async /vercel/path0/node_modules/.pnpm/next@14.2.9_react-dom@18.3.1_react@18.3.1/node_modules/next/dist/export/index.js:623:16
[15:02:20.672]     at async Span.traceAsyncFn (/vercel/path0/node_modules/.pnpm/next@14.2.9_react-dom@18.3.1_react@18.3.1/node_modules/next/dist/trace/trace.js:154:20)
[15:02:20.689]  ELIFECYCLE  Command failed with exit code 1.
[15:02:20.708] Error: Command "pnpm run build" exited with 1
[15:02:21.033] 

Hi @holgerthorup, thanks for reaching out on Vercel Community.

It appears that your RDS instance isn’t publicly accessible, given that the IP address you’re trying to connect to is 172.16.2.90. The whole 172.16.0.0/12 range is private according to RFC 1918.

In order to connect to it from localhost, you will need to make your RDS instance public. See Working with a DB instance in a VPC - Amazon Relational Database Service.

The same is also the case in Vercel build environments and functions; however, it is possible to keep your RDS instance private using Secure Compute and VPC peering.

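The diagnosis above (a private RFC 1918 address that no amount of OIDC credential federation can make reachable) is the kind of thing a route can detect before it ever opens a socket. The following pre-flight check is an added example and is not code from the original post, from Vercel's guide, or from the @vercel/functions package. It assumes the route reads its database settings from env vars named RDS_HOST, RDS_PORT, RDS_USER and RDS_DATABASE alongside AWS_ROLE_ARN and AWS_REGION (those names are assumptions; only AWS_ROLE_ARN appears in the thread). It reports missing variables, unreplaced guide placeholders such as [YOUR AWS ACCOUNT ID] in the role ARN, and whether a literal RDS host address falls in a non-public range, so the ENETUNREACH seen in the dev log is explained up front instead of surfacing as a 500 or a static-generation timeout.

```typescript
// Added pre-flight check for the Vercel -> AWS RDS route discussed in this thread.
// Not part of the original post or Vercel's guide; env var names other than
// AWS_ROLE_ARN are assumptions. No external dependencies, so it runs offline.

/** Non-public IPv4 ranges: RFC 1918 private blocks plus loopback and link-local. */
const NON_PUBLIC_IPV4: ReadonlyArray<[string, number]> = [
  ["10.0.0.0", 8],
  ["172.16.0.0", 12],   // the range the thread's 172.16.2.90 falls into
  ["192.168.0.0", 16],
  ["127.0.0.0", 8],
  ["169.254.0.0", 16],
];

/** Parse dotted-quad IPv4 into an unsigned 32-bit number; null if not an IPv4 literal. */
export function parseIPv4(addr: string): number | null {
  const parts = addr.split(".");
  if (parts.length !== 4) return null;
  let value = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p)) return null;
    const n = Number(p);
    if (n > 255) return null;
    value = value * 256 + n; // stays unsigned because we never use bitwise ops
  }
  return value;
}

/** True if `ip` lies inside base/prefix. Uses division, not shifts, to avoid sign issues. */
function inCidr(ip: number, base: string, prefix: number): boolean {
  const b = parseIPv4(base)!;
  const block = 2 ** (32 - prefix);
  return Math.floor(ip / block) === Math.floor(b / block);
}

export type HostClass = "private" | "public" | "hostname";

/** Classify an RDS host: a literal IPv4 in a non-public range, a public literal, or a DNS name. */
export function classifyHost(host: string): HostClass {
  const ip = parseIPv4(host.trim());
  if (ip === null) return "hostname"; // e.g. db.xxxx.eu-west-1.rds.amazonaws.com; resolve before judging
  return NON_PUBLIC_IPV4.some(([b, p]) => inCidr(ip, b, p)) ? "private" : "public";
}

export interface PreflightResult {
  ok: boolean;
  missing: string[];
  hostClass: HostClass | null;
  messages: string[];
}

// Assumed variable set for the route; AWS_ROLE_ARN is the one from the thread.
export const REQUIRED_ENV = [
  "AWS_ROLE_ARN", "AWS_REGION", "RDS_HOST", "RDS_PORT", "RDS_USER", "RDS_DATABASE",
] as const;

const ROLE_ARN = /^arn:aws:iam::\d{12}:role\/[\w+=,.@\/-]+$/;
const PLACEHOLDER = /\[[^\]]*\]/; // unreplaced guide placeholders like [YOUR AWS ACCOUNT ID]

/** Validate the environment a route would use before attempting IAM auth and a pg connection. */
export function preflight(env: Record<string, string | undefined>): PreflightResult {
  const missing = REQUIRED_ENV.filter((k) => !env[k]);
  const messages: string[] = [];
  if (missing.length > 0) messages.push(`missing env vars: ${missing.join(", ")}`);

  const arn = env.AWS_ROLE_ARN;
  if (arn && PLACEHOLDER.test(arn)) messages.push("AWS_ROLE_ARN still contains a guide placeholder");
  else if (arn && !ROLE_ARN.test(arn)) messages.push("AWS_ROLE_ARN is not an IAM role ARN");

  const port = env.RDS_PORT;
  if (port && !/^\d{1,5}$/.test(port)) messages.push("RDS_PORT is not numeric");

  let hostClass: HostClass | null = null;
  if (env.RDS_HOST) {
    hostClass = classifyHost(env.RDS_HOST);
    if (hostClass === "private") {
      messages.push(
        `RDS_HOST ${env.RDS_HOST} is in a non-public range; it is unreachable from localhost ` +
        `and from Vercel functions without VPC peering, regardless of OIDC credentials`,
      );
    }
  }
  return { ok: messages.length === 0, missing: [...missing], hostClass, messages };
}

// Constructed sample matching the thread's failing setup (not real credentials or endpoints).
export const SAMPLE_ENV: Record<string, string> = {
  AWS_ROLE_ARN: "arn:aws:iam::123456789012:role/vercel-oidc-rds",
  AWS_REGION: "eu-west-1",
  RDS_HOST: "172.16.2.90",
  RDS_PORT: "5432",
  RDS_USER: "app",
  RDS_DATABASE: "app",
};
```

Call `preflight(process.env)` at the top of the route handler and return a 503 with `messages` when `ok` is false; for a DNS endpoint the check reports `hostClass: "hostname"` and cannot judge reachability offline, so the private-range message only fires for literal addresses like the one in the log above.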

Thanks! I was under the impression that OIDC would allow us to avoid having to make our database publicly available :face_with_diagonal_mouth: My misunderstanding!

But I guess that solves it then. Is it still the case that Secure Compute and VPC peering are only accessible on your enterprise plans?

