Authentication error while connecting to MySQL RDS using IAM Authentication with VPN

Question

We have a MySQL RDS in a private subnet which is setup to use IAM authentication. Everything works as expected. 
Once we attach a policy to the users that restricts access to AWS resources from a specific IP which is the VPN instance public IP. Authentication does not work. We are able to generate token from CLI, it works without the VPN only policy attached but the token does not work once the VPN only policy is applied. VPN is setup to route all requests to *.amazonaws.com through the VPN instance.

Answer

Usually when you connect through VPN. You get private IP assigned from a pool in VPN.

Then there are two scenarios.

1- Traffic gets NAT to Private ENI IP of VPN instance
or
2- Traffic dont get NAT but pass actual IPassigned to users through NAT pool of VPN instance.

I would suggest to try adding both Private ENI IP of Nat instance and User pool of VPN in your IAM policy to test again.

Otherwise VPC Flow logs of MySQL RDS can also show what IP is source IP when it hits MySQL and build policy with that

Authentication error while connecting to MySQL RDS using IAM Authentication with VPN

相關內容