Access Denied error when using Lambda IAM role to access Amazon RDS for MySQL

0

I'm currently using credentials with AWS Secrets Manager for connectivity from Amazon EC2/ECS/Lambda to AWS services such as Amazon RDS. I would like to change that to using IAM roles, so that it can be centrally managed. I've been successful in getting an AWS IAM role attached to an EC2 instance and used tokens to connect the IAM role to the Amazon RDS for MySQL DB instance. (https://aws.amazon.com/premiumsupport/knowledge-center/users-connect-rds-iam/)

When I follow a similar approach following instructions using https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.Connecting.Java.html in a Lambda function, I'm able to generate the IAM access token. But when I tried to connect to Amazon RDS, I get an Access denied error for user 'user'@'database ip'. In my console, when I review the AWS Lambda function's resource summary, I see that AWS Lambda has the correct RDS IAM authorization policy configured for the required resource.

I would expect the Lambda execution role (RDSFullAccess and RDS IAM Auth policies) to be sufficient for this connection to RDS. Am I missing anything?

1 answer
0
Accepted answer

The instructions you followed for connecting to your DB instance using IAM authentication do not apply to AWS Lambda. The example code from this documentation sets the BasicAWSCredentials awsCredentials and obtains the Amazon RDS authorization token. This approach does not work if you have a Lambda function where you need to assume the IAM role.

Instead, try passing a new DefaultAWSCredentialsProviderChain and let AWS Lambda runtime pick up the correct AWS credentials. For example:

RdsIamAuthTokenGenerator generator = RdsIamAuthTokenGenerator.builder()
        .credentials(new DefaultAWSCredentialsProviderChain())
        .region(REGION_NAME)
        .build();
AWS
Abhi
Answered 4 years ago
Expert
Reviewed 1 month ago
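For a complete picture of what the accepted answer describes, here is an added example (not code from the question, the answer, or AWS) of a Lambda handler that signs the RDS auth token with the execution role via DefaultAWSCredentialsProviderChain and then opens the JDBC connection. The endpoint, port, DB user and region are placeholders, and the SSL property names assume MySQL Connector/J 5.x.

```java
import com.amazonaws.auth.DefaultAWSCredentialsProviderChain;
import com.amazonaws.services.rds.auth.GetIamAuthTokenRequest;
import com.amazonaws.services.rds.auth.RdsIamAuthTokenGenerator;
import java.sql.*;
import java.util.Properties;

public class RdsIamHandler {
    // Placeholders: replace with your own endpoint, port, DB user and region.
    private static final String RDS_HOST = "mydb.example-placeholder.us-east-1.rds.amazonaws.com";
    private static final int RDS_PORT = 3306;
    private static final String DB_USER = "lambda_user";
    private static final String REGION_NAME = "us-east-1";

    // The token is short-lived (15 minutes) and is signed with whatever credentials the
    // Lambda runtime exposes, i.e. the execution role, not static access keys.
    static String authToken() {
        RdsIamAuthTokenGenerator generator = RdsIamAuthTokenGenerator.builder()
                .credentials(new DefaultAWSCredentialsProviderChain())
                .region(REGION_NAME)
                .build();
        return generator.getAuthToken(GetIamAuthTokenRequest.builder()
                .hostname(RDS_HOST)
                .port(RDS_PORT)
                .userName(DB_USER)
                .build());
    }

    // RDS only accepts IAM tokens over TLS, so SSL is required rather than optional here.
    static Connection connect() throws SQLException {
        Properties props = new Properties();
        props.setProperty("user", DB_USER);
        props.setProperty("password", authToken());
        props.setProperty("useSSL", "true");
        props.setProperty("requireSSL", "true");
        String url = "jdbc:mysql://" + RDS_HOST + ":" + RDS_PORT + "/";
        return DriverManager.getConnection(url, props);
    }

    public String handleRequest(Object input) {
        try (Connection conn = connect();
             Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery("SELECT CURRENT_USER()")) {
            return rs.next() ? rs.getString(1) : "no rows";
        } catch (SQLException e) {
            // 'Access denied' here usually means the token was signed by a different principal than
            // the one granted rds-db:connect, or the DB user lacks the AWSAuthenticationPlugin.
            throw new RuntimeException(e);
        }
    }
}
```

The MySQL side must have the user created with `CREATE USER 'lambda_user' IDENTIFIED WITH AWSAuthenticationPlugin AS 'RDS';`, and the execution role needs `rds-db:connect` on that user's `dbuser` resource ARN; a managed policy such as RDSFullAccess on its own does not grant that action.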
