I recently updated to Spring Boot 3.5.3 (from 3.4.5) which upgraded from HikariCP 5.1.0 to 6.3.0. I'm using Spring Data JPA with AWS RDS Postgres and Liquibase. After the upgrade, it is no longer able to retrieve a password (IAM token). Relevant code and stack trace are below. Note that overriding the HikariCP version to 5.1.0 fixes the issue.
@Configuration
public class PostgresConfig {
@Bean
public RdsUtilities rdsUtilities(ApplicationProperties applicationProperties) {
Region region = Region.of(applicationProperties.getRds().getRegion());
RdsClient rdsClient = RdsClient.builder().region(region).build();
return rdsClient.utilities();
}
@Bean
public StsClient stsClient(ApplicationProperties applicationProperties) {
Region region = Region.of(applicationProperties.getSts().getRegion());
return StsClient.builder().region(region).build();
}
@Bean
@Primary
@LiquibaseDataSource
public DataSource dataSource(ApplicationProperties applicationProperties, DataSourceProperties dataSourceProperties, RdsUtilities rdsUtil, StsClient stsClient) {
HikariDataSource ds = new RdsDataSource(applicationProperties.getRds(), rdsUtil, stsClient);
ds.setJdbcUrl(dataSourceProperties.getUrl());
ds.setUsername(dataSourceProperties.getUsername());
//ds.setPassword(ds.getPassword()); // setting password here allows it to initially connect but after the token expires, new connections can't be created
ds.setDriverClassName(dataSourceProperties.getDriverClassName());
ds.setMaxLifetime(applicationProperties.getPostgresConnectionLifetimeMs());
ds.setSchema(applicationProperties.getAuditSchema());
return ds;
}
}
public class RdsDataSource extends HikariDataSource {
private final ApplicationProperties.RdsConfig config;
private final RdsUtilities rdsUtil;
private final StsClient stsClient;
public RdsDataSource(ApplicationProperties.RdsConfig config, RdsUtilities rdsUtil, StsClient stsClient) {
super();
this.config = config;
this.rdsUtil = rdsUtil;
this.stsClient = stsClient;
}
//From: https://joelforjava.com/blog/2019/11/27/using-assume-role-with-aws-sdk.html
/**
* Get password for database by generating a token from AWS.
*
* ex: https://github.com/awsdocs/aws-doc-sdk-examples/blob/main/javav2/example_code/rds/src/main/java/com/example/rds/GenerateRDSAuthToken.java
*
* @return A token to be used as DB password.
*/
@Override
public String getPassword() {
AwsCredentialsProviderChain roleProviderChain = assumeRole();
String jdbcUrl = getJdbcUrl();
try {
URI jdbcUri = parseJdbcURL(jdbcUrl);
GenerateAuthenticationTokenRequest request = GenerateAuthenticationTokenRequest.builder()
.credentialsProvider(roleProviderChain)
.username(getUsername())
.hostname(jdbcUri.getHost())
.port(jdbcUri.getPort())
.build();
String token = rdsUtil.generateAuthenticationToken(request);
return token;
} catch (Exception e) {
log.error("Failed to generate RDS auth token {} for session {} at url {}", config.getRoleArn(), config.getSessionName(), jdbcUrl, e);
throw new RdsAuthTokenException(e, config.getRoleArn(), config.getSessionName(), jdbcUrl);
}
}
/**
* "Assume" the AWS RDS role. This has to be done to generate a token.
* The roles time out after some point. It should be 1 hour. Longer than the token lasts (usually 15 minutes).
* So we could keep the session alive between token refreshes., but it's easier to refresh the session at the same time.
* @return Cred provider chain needed to generate a token.
*/
private AwsCredentialsProviderChain assumeRole() {
try {
AssumeRoleRequest assumeRoleRequest = AssumeRoleRequest.builder()
.roleArn(config.getRoleArn())
.roleSessionName(config.getSessionName())
.build();
AssumeRoleResponse assumeRoleResponse = stsClient.assumeRole(assumeRoleRequest);
Credentials creds = assumeRoleResponse.credentials();
AwsSessionCredentials sessionCredentials = AwsSessionCredentials.create(creds.accessKeyId(), creds.secretAccessKey(), creds.sessionToken());
return AwsCredentialsProviderChain.builder()
.credentialsProviders(StaticCredentialsProvider.create(sessionCredentials))
.build();
} catch (SdkException e) {
log.error("Unable to assume role {} for session {}", config.getRoleArn(), config.getSessionName(), e);
throw new AssumeRoleException(e, config.getRoleArn(), config.getSessionName());
}
}
private URI parseJdbcURL(String jdbcUrl) {
String uri = jdbcUrl.substring(5);
return URI.create(uri);
}
}
"Error creating bean with name 'entityManagerFactory' defined in class path resource [org/springframework/boot/autoconfigure/orm/jpa/HibernateJpaConfiguration.class]: Failed to initialize dependency 'liquibase' of LoadTimeWeaverAware bean 'entityManagerFactory': Error creating bean with name 'liquibase' defined in class path resource [org/springframework/boot/autoconfigure/liquibase/LiquibaseAutoConfiguration$LiquibaseConfiguration.class]: liquibase.exception.DatabaseException: org.postgresql.util.PSQLException: The server requested password-based authentication, but no password was provided by plugin null","exception.stacktrace":"org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'entityManagerFactory' defined in class path resource [org/springframework/boot/autoconfigure/orm/jpa/HibernateJpaConfiguration.class]: Failed to initialize dependency 'liquibase' of LoadTimeWeaverAware bean 'entityManagerFactory': Error creating bean with name 'liquibase' defined in class path resource [org/springframework/boot/autoconfigure/liquibase/LiquibaseAutoConfiguration$LiquibaseConfiguration.class]: liquibase.exception.DatabaseException: org.postgresql.util.PSQLException: The server requested password-based authentication, but no password was provided by plugin null at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:328) at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:207) at org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:970) at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:627) at org.springframework.boot.web.servlet.context.ServletWebServerApplicationContext.refresh(ServletWebServerApplicationContext.java:146) at org.springframework.boot.SpringApplication.refresh(SpringApplication.java:752) at org.springframework.boot.SpringApplication.refreshContext(SpringApplication.java:439) at org.springframework.boot.SpringApplication.run(SpringApplication.java:318) at org.springframework.boot.SpringApplication.run(SpringApplication.java:1361) at org.springframework.boot.SpringApplication.run(SpringApplication.java:1350) at com.myapp.Application.main(Application.java:14) at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77) at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.base/java.lang.reflect.Method.invoke(Method.java:569) at org.springframework.boot.loader.launch.Launcher.launch(Launcher.java:102) at org.springframework.boot.loader.launch.Launcher.launch(Launcher.java:64) at org.springframework.boot.loader.launch.JarLauncher.main(JarLauncher.java:40) Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'liquibase' defined in class path resource [org/springframework/boot/autoconfigure/liquibase/LiquibaseAutoConfiguration$LiquibaseConfiguration.class]: liquibase.exception.DatabaseException: org.postgresql.util.PSQLException: The server requested password-based authentication, but no password was provided by plugin null at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1826) at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:607) at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:529) at org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:339) at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:373) at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:337) at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:202) at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:315) ... 17 common frames omitted Caused by: liquibase.exception.LiquibaseException: liquibase.exception.DatabaseException: org.postgresql.util.PSQLException: The server requested password-based authentication, but no password was provided by plugin null at liquibase.integration.spring.SpringLiquibase.afterPropertiesSet(SpringLiquibase.java:288) at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.invokeInitMethods(AbstractAutowireCapableBeanFactory.java:1873) at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1822) ... 24 common frames omitted Caused by: liquibase.exception.DatabaseException: org.postgresql.util.PSQLException: The server requested password-based authentication, but no password was provided by plugin null at liquibase.integration.spring.SpringLiquibase.lambda$afterPropertiesSet$0(SpringLiquibase.java:280) at liquibase.Scope.lambda$child$0(Scope.java:201) at liquibase.Scope.child(Scope.java:210) at liquibase.Scope.child(Scope.java:200) at liquibase.Scope.child(Scope.java:179) at liquibase.integration.spring.SpringLiquibase.afterPropertiesSet(SpringLiquibase.java:271) ... 26 common frames omitted Caused by: org.postgresql.util.PSQLException: The server requested password-based authentication, but no password was provided by plugin null at org.postgresql.core.v3.AuthenticationPluginManager.lambda$withEncodedPassword$0(AuthenticationPluginManager.java:113) at org.postgresql.core.v3.AuthenticationPluginManager.withPassword(AuthenticationPluginManager.java:82) at org.postgresql.core.v3.AuthenticationPluginManager.withEncodedPassword(AuthenticationPluginManager.java:110) at org.postgresql.core.v3.ConnectionFactoryImpl.doAuthentication(ConnectionFactoryImpl.java:839) at org.postgresql.core.v3.ConnectionFactoryImpl.tryConnect(ConnectionFactoryImpl.java:234) at org.postgresql.core.v3.ConnectionFactoryImpl.openConnectionImpl(ConnectionFactoryImpl.java:289) at org.postgresql.core.ConnectionFactory.openConnection(ConnectionFactory.java:57) at org.postgresql.jdbc.PgConnection.<init>(PgConnection.java:277) at org.postgresql.Driver.makeConnection(Driver.java:448) at org.postgresql.Driver.connect(Driver.java:298) at com.zaxxer.hikari.util.DriverDataSource.getConnection(DriverDataSource.java:139) at com.zaxxer.hikari.pool.PoolBase.newConnection(PoolBase.java:367) at com.zaxxer.hikari.pool.PoolBase.newPoolEntry(PoolBase.java:205) at com.zaxxer.hikari.pool.HikariPool.createPoolEntry(HikariPool.java:484) at com.zaxxer.hikari.pool.HikariPool.checkFailFast(HikariPool.java:572) at com.zaxxer.hikari.pool.HikariPool.<init>(HikariPool.java:101) at com.zaxxer.hikari.HikariDataSource.getConnection(HikariDataSource.java:111) at liquibase.integration.spring.SpringLiquibase.lambda$afterPropertiesSet$0(SpringLiquibase.java:275) ... 31 common frames omitted"
Comment From: philwebb
I suspect this is due to https://github.com/brettwooldridge/HikariCP/commit/d43c272f3fc1de89bc4e650d8b936176d7159c12 and out of Spring Boot's control.
I would suggest changing your RdsDataSource class to also override getCredentials() to:
public Credentials getCredentials() {
return Credentials.of(getUsername(), getPassword());
}