Why do I get an "Access Denied" error when I use IAM authentication to try to connect to Amazon RDS for MySQL?
I want to use AWS Identity and Access Management (IAM) authentication to connect to my Amazon Relational Database Service (Amazon RDS) for MySQL instance. But, I get an "Access Denied" error.
Short description
Error messages can occur for insufficient IAM role permissions, turned off IAM authentication, misconfigurations of the database user, or an error in the connection string. You might get an error message that looks similar to the following:
"ERROR 1045 (28000): Access denied for user 'root'@'10.0.4.253' (using password: YES)"
Use the AWSSupport-TroubleshootRDSIAMAuthentication runbook to automatically verify the configuration required for IAM authentication with an Amazon RDS instance, then use the resolutions to resolve this error.
Resolution
Insufficient IAM role permissions
To use IAM database authentication to connect to your Amazon RDS for MySQL instance, you must have access to the rds-db:connect Action. For more information, see Creating and using an IAM policy for IAM database access.
If you use service control policies (SCPs), then make sure that your policy allows connections to the database instance. For more information, see Creating organization policies with AWS Organizations.
Turn on IAM authentication
By default, IAM authentication is turned off for database instances. To turn on IAM authentication, complete the following steps:
- Open the Amazon RDS console.
- Select the instance.
- Choose Modify.
- For Database Authentication, choose Password.
- Select the IAM database authentication.
- To update your configuration settings, choose Continue.
- To modify the instance, choose Apply.
Note: If you choose Apply Immediately when you update your cluster configuration settings, then all pending modifications are applied immediately rather than during a maintenance window. This action might cause an extended outage for your Amazon RDS for MySQL instance. For more information, see Schedule modifications setting.
Misconfigured database user
The AWSAuthenticationPlugin handles the IAM authentication for your Amazon RDS for MySQL instance. To confirm that this plugin connects to your IAM role, run the following command:
select user,plugin,host from mysql.user where user like '%db-user-name%';
Note: Replace db-user-name with your database username.
Example output:
+------+-------------------------+------+| user | plugin | host | +------+-------------------------+------+ | root | AWSAuthenticationPlugin | % | +------+-------------------------+------+ 1 row in set (0.00 sec)
If the IAM role uses a specific host, then you must use that hostname. Also, make sure that you have permissions to access the specified database.
To view the permissions granted to a user, use following command:
show grants for user;
Note: Replace user with the user name.
To grant privileges to another user, use the following command:
grant select on mydb.mytable to user;
Note: Replace mydb with your database instance name, mytable with your table name, and user with your username.
For more information on see GRANT Statement on the MySQL website.
Incorrect connection string
To connect to the Amazon RDS for MySQL database, use the --enable-cleartext-plugin option in your connection string. The --enable-cleartext-plugin syntax acts as an authentication token, and you must use it for the database connection and when you configure the database user.
Example connection string:
$ mysql -h <endpoint> -P 3306 --enable-cleartext-plugin --user=RDSConnect --password=$
Related information
- Language
- English
Relevant content
- asked a year ago
