Why do I get an Access Denied error when I try to connect to my Amazon Aurora DB cluster?

Short description

To authenticate to your Aurora MySQL-Compatible DB cluster, you can use one of these options:

• MySQL user name and password authentication
• AWS Identity and Access Management (IAM) database authentication

The "Access denied" error usually occurs because you have entered the incorrect user name or password. But, there are other causes for this error, including:

• The user name or password that you entered isn't valid.
• The connection is tried using the wrong host.
• The user doesn't exist.
• The user exists, but the client host doesn't have permission to connect.
• SSL is required, but the client isn't using it.
• Special characters in the password are being converted by Bash.
• IAM authentication is turned off.
• There are insufficient IAM role permissions when using IAM authentication.
• There's an incorrect connection string.
• Incorrect authentication credentials are used to connect to Amazon RDS Proxy. This applies when native user name/password mode is used.
• The AWS Identity and Access Management (IAM) user or role that's associated with the client isn't authorized to connect with Amazon RDS Proxy. This applies when IAM DB authentication is used.

For more information about this error, see the MySQL documentation for Access denied.

Resolution

Check that the DB instance accepts connections

Confirm that your DB instance is currently in the AVAILABLE state. For more information, see the Amazon Relational Database Service (Amazon RDS) and Aurora documentation for DB instance status. Also, see How do I resolve problems when connecting to my Amazon RDS DB instance?

Troubleshoot connections that use DB credentials

Incorrect password

Make sure that you're inputting the correct user name and password when trying to connect to the database. Don't use special characters in the password. For more information, refer to How do I reset the primary user password for my Amazon RDS DB instance?

Incorrect user name

Check if the user exists:

mysql> SELECT user FROM mysql.user WHERE User='username';

If the user doesn't exist, then create a new user:

mysql> CREATE USER 'username'@'%' IDENTIFIED BY 'new-password-here';

mysql> FLUSH
        PRIVILEGES;

For more information, see Primary user account privileges.

Connecting from the wrong host

When you try to connect to your DB instance, be sure to specify the correct host (with -h flag) and port. Check your Amazon RDS hostname and port by reviewing the Instance page on the Amazon RDS console. For more information, see Connecting to an Amazon Aurora DB cluster.

User exists but client host doesn’t have permission client to connect

Check which host user/host MySQL allows connections from:

mysql> SELECT host, user FROM mysql.user WHERE User='username';

Then, create a user with the correct host (client IP), or with the % (wildcard) to match any possible IP address:

mysql> CREATE USER 'dbuser'@'%' IDENTIFIED BY 'new-password-here';

SSL is required but the client is not using it

Check if there are users that have SSL enforced by running the following query on your DB instance:

mysql> SELECT * FROM mysql.user WHERE ssl_type <> '';

If the user has SSL is enforced, then you must connect using SSL. For more information, refer to Using SSL/TLS to encrypt a connection to a DB cluster.

Duplicate users

Check if there are users with the same user name:

mysql> SELECT host, user FROM mysql.user WHERE User='username';

To resolve this issue, log in using another user (duplicate primary user) or a user with permissions to DROP other users. After the secondary user is dropped, the first user can connect as normal.

For more information, see How do I create another primary user for my Amazon RDS DB instance that is running MySQL?

Special characters in the password are being converted by Bash

Prevent Bash from interpreting special characters by wrapping password in single quotes.

A connection packet does not contain the right information

It takes more than connect_timeoutseconds to obtain a connect packet. After you discuss it with your DBA, you can adjust the value of this DB parameter to better understand your queries and workload.

The max_allowed_packet variable value is too small or queries require more memory than you have allocated for the DB instance

The max_allowed_packetvalue is small by default. This allows the value to catch large, and possibly incorrect, packets. If you're using large BLOB columns or long strings, then increase the value of max_allowed_packet. For more information, see Best practices for configuring parameters for Amazon RDS for MySQL.

Troubleshoot connections that use IAM authentication

To connect, see How do I allow users to authenticate to an Amazon RDS MySQL DB instance using their IAM credentials?

If you can't connect, then see Why am I getting an Access Denied error when I try to connect to Amazon RDS for MySQL using IAM authentication?

Troubleshoot connections that use Amazon RDS Proxy

To connect, see How do I connect to my Amazon RDS MySQL DB instance or Aurora MySQL DB cluster using Amazon RDS Proxy?

If you can't connect, then see Why can't I connect to my Amazon RDS DB or Amazon Aurora DB instance using RDS Proxy?

---

Related information

Connecting to an Amazon Aurora MySQL DB cluster

IAM database authentication for MariaDB, MySQL, and PostgreSQL

Working with parameter groups

How can I troubleshoot connectivity to an Amazon RDS DB instance that uses a public or private subnet of a VPC?