[BUG] postgresql IAM authentication doesn't work after version 7.66.0 #39158

@richistron

Agent Environment

>= 7.66.0

Describe what happened:
IAM authentication to Aurora RDS (PostgreSQL) stopped working

Describe what you expected:
We run the Datadog agent version 7, public.ecr.aws/datadog/agent:7. After 7.66, the authentication stopped working, forcing us to pin public.ecr.aws/datadog/agent:7.55.2

logs

heck:postgres | Error running check: [{"message":"connection to server at \"<host_redacted>\" (<ip_redacted>), port 5432 failed: FATAL: pg_hba.conf rejects connection for host \"<redacted>\", user \"<redacted_user>\", database \"postgres\", no encryption\nconnection to server at \"<host_redacted>\" (<ip_redacted>), port 5432 failed: fe_sendauth: no password supplied\n","traceback":"Traceback (most recent call last):\n File \"/opt/datadog-agent/embedded/lib/python3.12/site-packages/datadog_checks/base/checks/base.py\", line 1297, in run\n initialization()\n File \"/opt/datadog-agent/embedded/lib/python3.12/site-packages/datadog_checks/postgres/postgres.py\", line 929, in _connect\n with self.db() as conn:\n ^^^^^^^^^\n File \"/opt/datadog-agent/embedded/lib/python3.12/contextlib.py\", line 137, in __enter__\n return next(self.gen)\n ^^^^^^^^^^^^^^\n File \"/opt/datadog-agent/embedded/lib/python3.12/site-packages/datadog_checks/postgres/postgres.py\", line 247, in db\n self._db = self._new_connection(self._config.dbname)\n ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n File \"/opt/datadog-agent/embedded/lib/python3.12/site-packages/datadog_checks/postgres/postgres.py\", line 914, in 

Steps to reproduce the issue:

  • Enable IAM authentication using DatadogAgent version >= 7.66.0

Additional environment details (Operating System, Cloud provider, etc):
Platform: Fargate
Cloud: AWS
Task definition config:

{
  "taskDefinitionArn": "",
  "containerDefinitions": [
    {
      ...
    },
    {
      "name": "datadog-agent",
      "image": "public.ecr.aws/datadog/agent:7.66.0",
      "cpu": 256,
      "memory": 1024,
      "portMappings": [],
      "essential": true,
      "environment": [
        {
          "name": "DD_APM_NON_LOCAL_TRAFFIC",
          "value": "true"
        },
        {
          "name": "ECS_FARGATE",
          "value": "true"
        },
        {
          "name": "DD_APM_ENABLED",
          "value": "true"
        },
        {
          "name": "DD_DBM_PROPAGATION_MODE",
          "value": "service"
        }
      ],
      "secrets": [
        ...
      ],
      "startTimeout": 30,
      "dockerLabels": {
        "com.datadoghq.ad.instances": "[{\"aws\":{\"managed_authentication\":{\"enabled\":true},\"region\":\"us-west-2\"},\"collect_schemas\":{\"enabled\":true},\"collect_settings\":{\"enabled\":true},\"database_autodiscovery\":{\"enabled\":true},\"dbm\":true,\"host\":\"<redacted>\",\"port\":5432,\"relations\":[{\"relation_regex\":\".*\"}],\"tags\":[\"env:staging\",\"service:my-service\",\"team:<redacted>\"],\"username\":\"<redacted>\"}]",
        "com.datadoghq.ad.check_names": "[\"postgres\"]",
        "com.datadoghq.ad.init_configs": "[{\"service\":\"my-service\"}]"
      },
      "logConfiguration": {
      },
      "healthCheck": {
        "command": [
          "CMD-SHELL",
          "agent health"
        ],
        "interval": 30,
        "timeout": 10,
        "retries": 5,
        "startPeriod": 15
      },
      "systemControls": []
    }
  ],
  "placementConstraints": [],
  "compatibilities": [
    "EC2",
    "FARGATE"
  ],
  "requiresCompatibilities": [
    "FARGATE"
  ],
  "tags": [
  ]
}
