Access Denied error when using Lambda IAM role to access Amazon RDS for MySQL

0

I'm currently using credentials with AWS Secrets Manager for connectivity from Amazon EC2/ECS/Lambda to AWS services such as Amazon RDS. I would like to change that to using IAM roles, so that it can be centrally managed. I've been successful in getting an AWS IAM role attached to an EC2 instance and used tokens to connect the IAM role to the Amazon RDS for MySQL DB instance. (https://aws.amazon.com/premiumsupport/knowledge-center/users-connect-rds-iam/)

When I follow a similar approach, following the instructions at https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.Connecting.Java.html in a Lambda function, I'm able to generate the IAM access token. But when I try to connect to Amazon RDS, I get an Access denied error for user 'user'@'database ip'. In my console, when I review the AWS Lambda function's resource summary, I see that AWS Lambda has the correct RDS IAM authorization policy configured for the required resource.

I would expect the Lambda execution role (RDSFullAccess and RDS IAM Auth policies) to be sufficient for this connection to RDS. Am I missing anything?

1 Answer
0
Accepted Answer

The instructions you followed for connecting to your DB instance using IAM authentication do not apply to AWS Lambda. The example code from this documentation sets the BasicAWSCredentials awsCredentials and obtains the Amazon RDS authorization token. This approach does not work if you have a Lambda function where you need to assume the IAM role.

Instead, try passing a new DefaultAWSCredentialsProviderChain and let AWS Lambda runtime pick up the correct AWS credentials. For example:

RdsIamAuthTokenGenerator generator = RdsIamAuthTokenGenerator.builder()
        .credentials(new DefaultAWSCredentialsProviderChain())
        .region(REGION_NAME)
        .build();
AWS
Abhi
answered 4 years ago
EXPERT
reviewed a month ago
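
A complete Lambda handler built around the generator from the answer above, as an added example that is not part of the original post or the AWS documentation. It assumes AWS SDK for Java v1 and MySQL Connector/J 8, a database user created with the AWSAuthenticationPlugin, an execution role allowed `rds-db:connect` for that user, and hypothetical environment variables `DB_HOST`, `DB_USER`, `TRUSTSTORE_URL` and `TRUSTSTORE_PASSWORD`.

```java
import com.amazonaws.auth.DefaultAWSCredentialsProviderChain;
import com.amazonaws.services.lambda.runtime.Context;
import com.amazonaws.services.lambda.runtime.RequestHandler;
import com.amazonaws.services.rds.auth.GetIamAuthTokenRequest;
import com.amazonaws.services.rds.auth.RdsIamAuthTokenGenerator;
import java.sql.*;
import java.util.Properties;

// Added example: class name and environment variable names are hypothetical.
public class RdsIamAuthHandler implements RequestHandler<Object, String> {
    private static final String HOST = System.getenv("DB_HOST");
    private static final String DB_USER = System.getenv("DB_USER");
    private static final String TRUSTSTORE_URL = System.getenv("TRUSTSTORE_URL"); // JKS holding the RDS CA bundle
    private static final String TRUSTSTORE_PASSWORD = System.getenv("TRUSTSTORE_PASSWORD");
    private static final int PORT = 3306;

    // The default chain resolves the execution role's temporary credentials
    // (including the session token); AWS_REGION is set by the Lambda runtime.
    private static final RdsIamAuthTokenGenerator GENERATOR = RdsIamAuthTokenGenerator.builder()
            .credentials(new DefaultAWSCredentialsProviderChain())
            .region(System.getenv("AWS_REGION"))
            .build();

    @Override
    public String handleRequest(Object input, Context context) {
        // The token is signed locally and is valid for 15 minutes, so build one per
        // connection. Getting a token does not prove the role may rds-db:connect.
        String token = GENERATOR.getAuthToken(GetIamAuthTokenRequest.builder()
                .hostname(HOST).port(PORT).userName(DB_USER).build());

        Properties props = new Properties();
        props.setProperty("user", DB_USER);
        props.setProperty("password", token);
        // IAM database authentication requires TLS; verify the server certificate too.
        props.setProperty("sslMode", "VERIFY_CA");
        props.setProperty("trustCertificateKeyStoreUrl", TRUSTSTORE_URL);
        props.setProperty("trustCertificateKeyStorePassword", TRUSTSTORE_PASSWORD);

        String url = "jdbc:mysql://" + HOST + ":" + PORT + "/";
        try (Connection conn = DriverManager.getConnection(url, props);
             Statement stmt = conn.createStatement();
             ResultSet rs = stmt.executeQuery("SELECT CURRENT_USER()")) {
            rs.next();
            return rs.getString(1); // the account MySQL authenticated the session as
        } catch (SQLException e) {
            // Never log the token; the SQLState and message are enough to diagnose.
            throw new RuntimeException("RDS IAM auth connection failed", e);
        }
    }
}
```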
