I want to connect to my Amazon Aurora MySQL-Compatible Edition DB cluster, but I get an "Access denied" error.
Short description
To connect to an Aurora MySQL-Compatible DB cluster, use one of the following options:
The "Access denied" error usually occurs when you enter an incorrect username or password. For more information, see Access denied on the MySQL website.
Resolution
Check that the Aurora DB instance accepts connections
Confirm that your DB instance is in the AVAILABLE state. For more information, see Viewing Amazon RDS DB instance status and Viewing DB instance status in an Aurora cluster. Also, see How do I resolve problems when connecting to my Amazon RDS DB instance?
Troubleshoot connections that use DB credentials
Incorrect password
Make sure that you enter the correct password when you connect to the database. Don't use special characters in the password. For more information, see How do I reset the admin user password for my Amazon RDS DB instance?
Incorrect username
Make sure that you enter the correct username when you connect to the database.
To check whether the user exists, run the following query:
mysql> SELECT user FROM mysql.user WHERE User='username';
If the user doesn't exist, then run the following queries to create a new user:
mysql> CREATE USER 'username'@'%' IDENTIFIED BY 'new-password-here';
mysql> FLUSH PRIVILEGES;
For more information, see Master user account privileges.
User exists but client host doesn't have permission to connect
To check which hosts MySQL allows the user to connect from, run the following query:
mysql> SELECT host, user FROM mysql.user WHERE User='username';
To create a user for the correct client host IP address, or with the wildcard symbol (%) to match any IP address, run the following query:
mysql> CREATE USER 'dbuser'@'%' IDENTIFIED BY 'new-password-here';
SSL is required but the client doesn't use SSL
To check whether SSL is enforced for a user, run the following query on your DB instance:
mysql> SELECT * FROM mysql.user WHERE ssl_type <> '';
If SSL is enforced, then you must use SSL to connect. For more information, see Using SSL/TLS to encrypt a connection to a DB cluster.
Duplicate users
To check whether there are users that have the same username, run the following query:
mysql> SELECT host, user FROM mysql.user WHERE User='username';
To resolve duplicate users, log in with a user that has permissions to DROP other users. After you drop the secondary user, the first user can connect.
For more information, see How do I create another admin user for my Amazon RDS DB instance that is running MySQL?
Bash converts special characters in the password
Wrap your password in single quotes so that Bash can't convert special characters in the password.
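The quoting behavior described above, as an added example that is not part of the original article. The sample passwords are constructed, the function names are hypothetical, and `<cluster-endpoint>` and `username` are placeholders.

```shell
#!/bin/sh
# Constructed sample password: '$$' is the shell's process-ID parameter.
PW_LITERAL='pa$$w0rd'

# Double quotes: the shell expands $$ before the client ever sees the string.
double_quoted() { printf '%s' "pa$$w0rd"; }

# Single quotes: every character reaches the client unchanged.
single_quoted() { printf '%s' 'pa$$w0rd'; }

# True (0) if the string holds characters that stay special inside "...":
# $ (expansion), ` (command substitution), \ (escape), ! (interactive history).
changes_in_double_quotes() {
  case $1 in
    *'$'*|*'`'*|*'\'*|*'!'*) return 0 ;;
  esac
  return 1
}

# Emit the string as one single-quoted shell word. An embedded ' cannot be
# escaped inside '...', so close the quote, add \', and reopen: '\''
sq_quote() {
  printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Hypothetical helper: build the command line to type into the terminal.
mysql_cmd() {
  printf 'mysql -h <cluster-endpoint> -u username -p%s\n' "$(sq_quote "$1")"
}

if changes_in_double_quotes "$PW_LITERAL"; then
  echo "double-quoted: $(double_quoted)"   # the PID has replaced the two $ signs
  echo "single-quoted: $(single_quoted)"   # unchanged
fi
mysql_cmd "$PW_LITERAL"
mysql_cmd "it's\$ecret"   # constructed password that itself contains a single quote
```

Typing `-p` with no value makes the client prompt for the password instead, which keeps it out of shell history and the process list.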
A connection packet doesn't contain the right information
The server takes more than connect_timeout seconds to obtain a connect packet. For more information, see connect_timeout on the MySQL website. You can adjust the value of this DB parameter to fit your queries and workload.
The max_allowed_packet variable value is too small or queries require more memory than you allocated for the DB instance
By default, the max_allowed_packet value is 64 MB. For more information, see max_allowed_packet on the MySQL website.
If you use large BLOB columns or long strings, then increase the value of max_allowed_packet. For more information, see Best practices for configuring parameters for Amazon RDS for MySQL, part 3: Parameters related to security, operational manageability, and connectivity timeout.
Troubleshoot connections that use IAM authentication
To connect, see How do I allow users to authenticate to an Amazon RDS for MySQL DB instance through their Amazon IAM credentials?
If you can't connect, then see Why am I getting an Access Denied error when I try to connect to Amazon RDS for MySQL using IAM authentication?
Troubleshoot connections that use Amazon RDS Proxy
To connect to your DB cluster, see How do I use Amazon RDS Proxy to connect to my Amazon RDS for MySQL DB instance or Aurora MySQL-Compatible DB cluster?
If you can't connect to your DB cluster, then see Why can't I connect to my Amazon RDS DB or Amazon Aurora DB instance using RDS Proxy?
Related information
Connecting to an Amazon Aurora MySQL DB cluster
IAM database authentication for MariaDB, MySQL, and PostgreSQL
Parameter groups for Amazon RDS
How can I troubleshoot connectivity to an Amazon RDS DB instance that uses a public or private subnet of a VPC?