Troubleshooting issues in Aurora DSQL - Amazon Aurora DSQL
Connection errorsAuthentication errorsAuthorization errorsSQL errorsOCC errorsSSL/TLS connections

Troubleshooting issues in Aurora DSQL

Note

The following topics provide troubleshooting advice for errors and issues that you might encounter when using Aurora DSQL. If you find an issue that is not listed here, reach out to AWS support

Troubleshooting connection errors

error: unrecognized SSL error code: 6

Cause: You might be using a psql version earlier than version 14, which doesn't support Server Name Indication (SNI). The SNI is required when connecting to Aurora DSQL.

You can check your client version with psql --version.

error: NetworkUnreachable

A NetworkUnreachable error during connection attempts might indicate that your client doesn't support IPv6 connections, rather than signaling an actual network problem. This error commonly occurs on IPv4-only instances because of how PostgreSQL clients handle dual-stack connections. When a server supports dual-stack mode, these clients first resolve hostnames to both IPv4 and IPv6 addresses. They attempt an IPv4 connection first, then try IPv6 if the initial connection fails. If your system doesn't support IPv6, you'll see a general NetworkUnreachable error instead of a clear "IPv6 not supported" message.

Troubleshooting authentication errors

IAM authentication failed for user "..."

When you generate an Aurora DSQL IAM authentication token, the maximum duration you can set is 1 week. After one week, you can't authenticate with that token.

Additionally, Aurora DSQL rejects your connection request if your assumed role has expired. For example, if you try to connect with a temporary IAM role even if your authentication token hasn't expired, Aurora DSQL will reject the connection request.

To learn more about how IAM works with Aurora DSQL, see Understanding authentication and authorization for Aurora DSQL and AWS Identity and Access Management in Aurora DSQL.

An error occurred (InvalidAccessKeyId) when calling the GetObject operation: The AWS Access Key ID you provided does not exist in our records

IAM rejected your request. For more information, see Why requests are signed.

IAM role <role> does not exist

Aurora DSQL couldn't find your IAM role. For more information, see IAM roles.

IAM role must look like an IAM ARN

See IAM Identifiers - IAM ARNs for more information.

Troubleshooting authorization errors

Role <role> not supported

Aurora DSQL doesn't support the GRANT operation. See Supported subsets of PostgreSQL commands in Aurora DSQL.

Cannot establish trust with role <role>

Aurora DSQL doesn't support the GRANT operation. See Supported subsets of PostgreSQL commands in Aurora DSQL.

Role <role> does not exist

Aurora DSQL couldn't find specified database user. See Authorize custom database roles to connect to a cluster.

ERROR: permission denied to grant IAM trust with role <role>

To grant access to a database role, you must be connected to your cluster with the admin role. To learn more, see Authorize database roles to use SQL in a database.

ERROR: role <role> must have the LOGIN attribute

Any database roles you create must have the LOGIN permission.

To address this error, make sure that you’ve created the PostgreSQL Role with the LOGIN permission. For more information, see CREATE ROLE and ALTER ROLE in the PostgreSQL documentation.

ERROR: role <role> cannot be dropped because some objects depend on it

Aurora DSQL returns an error if you drop a database role with an IAM relationship until you revoke the relationship using AWS IAM REVOKE. To learn more, see Revoking authorization.

Troubleshooting SQL errors

Error: Not supported

Aurora DSQL doesn't support all PostgreSQL-based dialect. To learn about what is supported, see Supported PostgreSQL features in Aurora DSQL .

Error: SELECT FOR UPDATE in a read-only transaction is a no-op

You are attempting an operation that isn't allowed in a read-only transaction. To learn more, see Understanding concurrency control in Aurora DSQL.

Error: use CREATE INDEX ASYNC instead

To create an index on a table with existing rows, you must use the CREATE INDEX ASYNC command. To learn more, see Creating indexes asynchronously in Aurora DSQL.

Troubleshooting OCC errors

OC000 “ERROR: mutation conflicts with another transaction, retry as needed”

OC001 “ERROR: schema has been updated by another transaction, retry as needed”

Your PostgreSQL session had a cached copy of the schema catalog. That cached copy was valid at the time was loaded. Let’s call the time T1 and the version V1.

Another transaction updates the catalog at time T2. Let’s call this V2.

When the original session attempts to read from storage at time T2 it’s still using catalog version V1. Aurora DSQL’s storage layer rejects the request because the latest catalog version at T2 is V2.

When you retry at time T3 from the original session, Aurora DSQL refreshes the catalog cache. The transaction at T3 is using catalog V2. Aurora DSQL will finish the transaction as long as no other catalog changes came through since time T2.

Troubleshooting SSL/TLS connections

SSL error: certificate verify failed

This error indicates that the client cannot verify the server's certificate. Ensure that:

  1. The Amazon Root CA 1 certificate is properly installed. See Configuring SSL/TLS certificates for Aurora DSQL connections for instructions on how to validate and install this certificate.

  2. The PGSSLROOTCERT environment variable points to the correct certificate file.

  3. The certificate file has the correct permissions.

Unrecognized SSL error code: 6

This error occurs with PostgreSQL clients below version 14. Upgrade your PostgreSQL client to version 17 to resolve this issue.

SSL error: unregistered scheme (Windows)

This is a known issue with the Windows psql client when using system certificates. Use the downloaded certificate file method described in the Connecting from Windows instructions.