Skip to content
By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post
About re:Post

Why do I get an "Access Denied" error when I use IAM authentication to connect to Amazon RDS for MySQL?

4 minute read
0

When I connect to my Amazon Relational Database Service (Amazon RDS) for MySQL instance through AWS Identity Access Management (IAM) authentication, I get an “Access Denied” error.

Short description

Error messages can occur for insufficient IAM role permissions, turned off IAM authentication, misconfigurations of the database user, or an error in the connection string. You might get an error message that looks similar to the following:

"ERROR 1045 (28000): Access denied for user 'root'@'10.0.4.253' (using password: YES)"

Use the AWSSupport-TroubleshootRDSIAMAuthentication runbook to automatically verify the configuration required for IAM authentication with an Amazon RDS instance. Then, use the resolutions to resolve this error.

Resolution

Insufficient IAM role permissions

To use IAM database authentication to connect to your Amazon RDS for MySQL instance, you must have access to the rds-db:connect action. For more information, see Creating and using an IAM policy for IAM database access.

Be sure that you use the correct resource ID and not just specify an Amazon Resource Name (ARN). To find the resource ID for your DB instance, complete the following steps:

  1. Open the Aurora and RDS console.
  2. In the navigation pane, choose Databases.
  3. Then, choose the Configurations tab.
    Note: Resource ID is in the Configuration section. For more information, see Creating and using an IAM policy for IAM database access.

If you use an SCP policy, then make sure your policy allows connections to your DB instance. For more information, see Creating, updating, and deleting service control policies.

Turn on IAM authentication

By default, IAM authentication is turned off for database instances. Review the configuration settings for your Amazon RDS for MySQL instance or Aurora DB cluster, and make sure that IAM authentication is turned on.

Note: If you choose Apply Immediately, then all pending changes will take effect immediately, rather than during a maintenance window. This action can interrupt your Amazon RDS for MySQL instance for an extended period of time. For more information, see [Using the Apply Immediately setting](http://Using the schedule modifications setting).

Misconfigured database user

The AWSAuthenticationPlugin plugin authenticates users in Amazon RDS for MySQL. To connect to your Amazon RDS for MySQL instance through IAM authentication, use AWSAuthenticationPlugin.

To confirm that this plugin is associated with your IAM role, run the following command:

select user,plugin,host from mysql.user where user like '%db-user-name%';

Note: Replace db-user-name with your database username.

Example output:

+------+-------------------------+------+  
| user | plugin | host |  
+------+-------------------------+------+  
| root | AWSAuthenticationPlugin | % |  
+------+-------------------------+------+  
1 row in set (0.00 sec)

If the IAM role uses a specific host, then you must use that hostname. Also, make sure that you have the correct permissions to access the specified database.

To view the permissions granted to a user, use the following command:

show grants for <user>;

Note: Replace user with the user name.

To grant privileges to other users, use the following command:

grant select on <mydb>.<mytable> to <user>;

Note: Replace mydb with your database instance name, mytable with your table name, and user with your username.

For more information, see GRANT statement on the MySQL website.

Incorrect connection string

To connect to the Amazon RDS for MySQL database, use the --enable-cleartext-plugin parameter in your connection string. The --enable-cleartext-plugin parameter acts as an authentication token. Therefore, you must use AWSAuthenticationPlugin when you connect to the database and configure the database user. If you don't configure the AWSAuthenticationPlugin correctly, then you will receive an Access Denied error when you connect to your database through IAM authentication.

Use the following example connection string:

mysql -h <endpoint> -P 3306 --enable-cleartext-plugin --user=RDSConnect --password=$

Note: Replace endpoint with the host name of the DB instance you want to access.

If you use the MariaDB client, the --enable-cleartext-plugin parameter isn't required. Instead, store the token in an environment variable first. Then use environment variables when you connect to your MySQL DB instance.

See the following example:

RDSHOST="rdsmysql.123456789012.us-west-2.rds.amazonaws.com"TOKEN="$(aws rds generate-db-auth-token --hostname $RDSHOST --port 3306 --region us-west-2 --username db-user-name)"  
mysql --host=$RDSHOST --port=3306 --enable-cleartext-plugin --user=db-user-name --password=$TOKEN

For more information about how to use an environment variable to connect to a MySQL DB instance, see Connecting to a DB instance.

Related information

How do I allow users to authenticate to an Amazon RDS for MySQL DB instance using their IAM credentials?

IAM database authentication

IAM database authentication for MariaDB, MySQL, and PostgreSQL

Topics
AnalyticsMigration & ModernizationDatabase
Tags
MySQLAmazon Relational Database ServiceMariaDB
Language
English

Related videos

Watch Kyathi's video to learn more (3:53)
Watch Kyathi's video to learn more (3:53)
AWS OFFICIALUpdated 8 months ago
No comments

Relevant content