Complete a 3 Question Survey and Earn a re:Post Badge

Help improve AWS Support Official channel in re:Post and share your experience - complete a quick three-question survey to earn a re:Post badge!

Why do I get an Access Denied error when I try to connect to my Aurora MySQL-Compatible DB cluster?

4 minute read

I want to connect to my Amazon Aurora MySQL-Compatible Edition DB cluster, but I get an "Access denied" error.

Short description

To connect to an Aurora MySQL-Compatible DB cluster, use one of the following options:

MySQL username and password authentication. For more information, see Access control and account management on the MySQL website.
AWS Identity and Access Management (IAM) database authentication.

The "Access denied" error usually occurs when you enter an incorrect username or password. For more information, see Access denied on the MySQL website.

Resolution

Check that the Aurora DB instance accepts connections

Confirm that your DB instance is in the AVAILABLE state. For more information, see Viewing Amazon RDS DB instance status and Viewing DB instance status in an Aurora cluster. Also, see How do I resolve problems when connecting to my Amazon RDS DB instance?

Troubleshoot connections that use DB credentials

Incorrect password

Make sure that you enter the correct password when you connect to the database. Don't use special characters in the password. For more information, see How do I reset the admin user password for my Amazon RDS DB instance?

Incorrect username

Make sure that you enter the correct username when you connect to the database.

To check whether the user exists, run the following query:

mysql> SELECT user FROM mysql.user WHERE User='username';

If the user doesn't exist, then run the following queries to create a new user:

mysql> CREATE USER 'username'@'%' IDENTIFIED BY 'new-password-here';
mysql> FLUSH        PRIVILEGES;

For more information, see Master user account privileges.

User exists but client host doesn't have permission to connect

To check which host user or host MySQL allows connections from, run the following query:

mysql> SELECT host, user FROM mysql.user WHERE User='username';

To create a user with the correct host client IP address or the wildcard symbol (%) to match any IP address, run the following query:

mysql> CREATE USER 'dbuser'@'%' IDENTIFIED BY 'new-password-here';

SSL is required but the client doesn't use SSL

To check whether a user enforced SSL, run the following query on your DB instance:

mysql> SELECT * FROM mysql.user WHERE ssl_type <> '';

If SSL is enforced, then you must use SSL to connect. For more information, see Using SSL/TLS to encrypt a connection to a DB cluster.

Duplicate users

To check whether there are users that have the same username, run the following query:

mysql> SELECT host, user FROM mysql.user WHERE User='username';

To resolve duplicate users, log in with a user that has permissions to DROP other users. After you drop the secondary user, the first user can connect.

For more information, see How do I create another admin user for my Amazon RDS DB instance that is running MySQL?

Bash converts special characters in the password

Wrap your password in single quotes so that Bash can't convert special characters in the password.

A connection packet doesn't contain the right information

The connection packet takes more than the connect_timeout seconds to obtain a connect packet. For more information, see connect_timeout on the MySQL website. You can adjust the value of this DB parameter to fit your queries and workload.

The max_allowed_packet variable value is too small or queries require more memory than you allocated for the DB instance

By default, the max_allowed_packet value is 64 MB. For more information, see max_allowed_packet on the MySQL website.

If you use large BLOB columns or long strings, then increase the value of max_allowed_packet. For more information, see Best practices for configuring parameters for Amazon RDS for MySQL, part 3: Parameters related to security, operational manageability, and connectivity timeout.