Amazon RDS auth tokens in .pgpass

From: Nicholas Chammas <nicholas(dot)chammas(at)gmail(dot)com>
To: pgsql-admin(at)lists(dot)postgresql(dot)org
Subject: Amazon RDS auth tokens in .pgpass
Date: 2020-08-31 17:31:52
Message-ID: CAOhmDze1nqG2vfegpSsTFCgaiFRsqgjO6yLsbmhroz2zGmJHog@mail.gmail.com
Lists: pgsql-admin

I suspect there are some restrictions on the kind of data you can put in
.pgpass that are not documented sufficiently here:
https://www.postgresql.org/docs/12/libpq-pgpass.html

I am trying to connect to a Postgres database on Amazon RDS using IAM
authentication. This works by having IAM generate an authentication token
that you use as the password for the database user you're connecting as.
You can read more about this here:
https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.Connecting.AWSCLI.PostgreSQL.html

Here's an example of what one of these auth tokens looks like (with some of
the sections redacted/altered from a real token):

```
some-host.us-east-1.rds.amazonaws.com:5432/?DBUser=someuser&Action=connect&X-Amz-SignedHeaders=host&X-Amz-Security-Token=FwoGZXIvYXdzEHcaDD1hC2q3GGNNaftOvCLRAetaDArXOt6kpr1Ac83hzwtPxEojvZzARJN%2Ftys%2BkLnxsP6FmHmIMmMERWeGBiJmNcUyXWYY%2BSU9oduSSeAv%2BCpYy028Cep%2Bpyl1Km3B5axPAA2q0L4NWa41LQOayWF8F7%2FlB540%2B0aSkZ%2BIucM%2BLZXTcQl3Q0nJiIgu65lhuME4q3Mvst1ZEaZWfUegCWGaX0npajiKbNU2Ut3FH%2F6046RxlNwO4jg4vteTcPk%2BfgMjuAkf5gFR9EYMTziRx1dJGJn8VGFLTugGVITQI%2FEC1iuqKNb%2Fs%2FoFMisfzgF1nd7kxcZYYAmQtugBnDuJuIboYwYAXI2qn7HDbhgQ5v%2FwPWfZieWO&X-Amz-Credential=ABCDEFGHIJKLMNOPQRST%2F20200831%2Fus-east-1%2Frds-db%2Faws4_request&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=900&X-Amz-Date=20200831T163708Z&X-Amz-Signature=fb41c59dcaf4e013eda6885a4d456549366d2612ecf06307d2443b6a44461ab7
```

That whole thing is the password for `someuser`.

Now, I know that .pgpass works for me because I can use it to connect to
another user that has a regular-looking password like `some-password-123`.
And I know that using these auth tokens with `someuser` also works because
psql successfully connects to that user if I provide the auth token via the
`PGPASSWORD` environment variable.

It's only the combination of a) .pgpass and b) RDS auth token that doesn't
work. This leads me to believe something is going wrong on a code path
specific to .pgpass, or that there are some undocumented restrictions on
what can go in .pgpass.

The docs do instruct:

> If an entry needs to contain : or \, escape this character with \.

So I tried escaping the one `:` character in the auth token with a
backslash, but that didn't help. Thinking that perhaps there are other
characters that might need escaping, I also tried escaping every character
in the auth token -- i.e. `\s\o\m\e\-\h\o\s\t\.\u\s...` -- but that didn't
work either. psql fails to connect with:

```
psql: error: could not connect to server: FATAL: PAM authentication failed for user "someuser"
```

Are the docs on .pgpass missing something? Is there perhaps a bug in how
.pgpass is being parsed?

Nick
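The two rules the post relies on, the five colon-separated .pgpass fields with `\` escaping `:` and `\`, and a token that is legal as a password, are small enough to check outside psql. The script below is an added example and not code from the post, from PostgreSQL or from AWS; the host, user and token are constructed stand-ins (the token is shaped like the redacted one above but is not a credential). It builds an entry for the token, parses it back the way libpq does, and then reads the same entry through a 320-byte line buffer: libpq 12 and earlier read .pgpass with `fgets()` into `char buf[LINELEN]` where `LINELEN` is `NAMEDATALEN*5` = 320 (fe-connect.c), so only the first 319 characters of a line reach the parser and the rest is treated as further lines; later releases dropped that fixed buffer. Whether that is what the post ran into is not something the post itself establishes, but it is the first check to run on an entry this long.

```python
"""Added example, not code from the original post or from PostgreSQL/AWS.

Applies libpq's documented .pgpass rules (five colon-separated fields, '*'
wildcard in the first four, backslash escapes ':' and '\\') to an RDS IAM
auth token, and emulates the fixed-size line buffer of libpq 12's
passwordFromFile() to show what a too-long entry turns into.
Host, user and token values are constructed stand-ins."""

from typing import Iterator, Optional

# Constructed stand-in for an RDS IAM auth token: same shape as the (redacted)
# one in the post, one ':' after the host, many '%', '&', '=' and '/'. Not a
# real credential.
TOKEN = (
    "some-host.us-east-1.rds.amazonaws.com:5432/?DBUser=someuser&Action=connect"
    "&X-Amz-SignedHeaders=host&X-Amz-Security-Token=" + "FwoG%2FaB%2B" * 32
    + "&X-Amz-Credential=ABCDEFGHIJKLMNOPQRST%2F20200831%2Fus-east-1%2Frds-db"
    "%2Faws4_request&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=900"
    "&X-Amz-Date=20200831T163708Z&X-Amz-Signature=" + "ab" * 32
)

# libpq 12 and earlier: char buf[LINELEN] with LINELEN = NAMEDATALEN*5 = 320,
# filled by fgets(), so at most 319 characters of a line reach the parser.
PRE13_LINELEN = 320


def pgpass_escape(field: str) -> str:
    """Escape one field as the docs require: only ':' and '\\' get a backslash."""
    return field.replace("\\", "\\\\").replace(":", "\\:")


def pgpass_line(host: str, port: int, dbname: str, user: str, password: str) -> str:
    """Build a hostname:port:database:username:password entry."""
    return ":".join(pgpass_escape(str(f)) for f in (host, port, dbname, user, password))


def pgpass_split(line: str) -> list:
    """Split an entry the way libpq does: a backslash takes the next character
    literally, an unescaped ':' ends a field, a lone trailing backslash is kept."""
    fields, cur, i = [], [], 0
    while i < len(line):
        c = line[i]
        if c == "\\" and i + 1 < len(line):
            cur.append(line[i + 1])
            i += 2
        elif c == ":":
            fields.append("".join(cur))
            cur, i = [], i + 1
        else:
            cur.append(c)
            i += 1
    fields.append("".join(cur))
    return fields


def fgets_lines(text: str, bufsize: Optional[int]) -> Iterator[str]:
    """Yield what successive fgets(buf, bufsize) calls return, minus the newline.
    bufsize=None models a reader with no fixed buffer; otherwise a line longer
    than bufsize-1 characters comes back as several pieces."""
    for raw in text.splitlines(keepends=True):
        if bufsize is None:
            yield raw.rstrip("\n")
            continue
        for start in range(0, len(raw), bufsize - 1):
            yield raw[start:start + bufsize - 1].rstrip("\n")


def pgpass_lookup(text: str, host: str, port: int, dbname: str, user: str,
                  bufsize: Optional[int] = None) -> Optional[str]:
    """Return the password of the first matching entry, or None."""
    wanted = (host, str(port), dbname, user)
    for line in fgets_lines(text, bufsize):
        if not line:
            continue
        fields = pgpass_split(line)
        if len(fields) < 5:
            continue
        if all(f == "*" or f == w for f, w in zip(fields[:4], wanted)):
            return fields[4]
    return None


def example_pgpass() -> str:
    """A one-entry .pgpass for the constructed token (hypothetical host/user)."""
    return pgpass_line("some-host.us-east-1.rds.amazonaws.com", 5432, "*",
                       "someuser", TOKEN) + "\n"


if __name__ == "__main__":
    args = ("some-host.us-east-1.rds.amazonaws.com", 5432, "postgres", "someuser")
    text = example_pgpass()
    print("entry length:", len(text.rstrip("\n")))
    print("unlimited buffer round-trips token:", pgpass_lookup(text, *args) == TOKEN)
    got = pgpass_lookup(text, *args, bufsize=PRE13_LINELEN)
    print("320-byte buffer yields:", len(got), "of", len(TOKEN), "token characters")
```

With an unlimited buffer the entry round-trips, escaping only the single `:`; with the 320-byte buffer the lookup still matches the host, port and user fields but hands back a truncated token, which the server can only reject. A quick check on a real file is `awk '{ print length }' ~/.pgpass`. Two further points worth keeping in mind with this setup: the token carries `X-Amz-Expires=900`, so any .pgpass entry built from it is good for fifteen minutes and has to be regenerated per connection, and .pgpass must still be mode 0600 or libpq ignores it.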
