Hi Gary, yes, the CREATE USER statement did include the IDENTIFIED WITH AWSAuthenticationPlugin AS 'RDS'.
Hm, apologies, I thought that I had also included output of a SELECT ... FROM mysql.user. Here it is:
select user,plugin,host from mysql.user;
'myIAMuser', 'AWSAuthenticationPlugin', '%'
When you created the user in MYSQL did you set the IDENTIFIED?
CREATE USER myIAMuser IDENTIFIED WITH AWSAuthenticationPlugin AS 'RDS';
The most likely cause of the issue is the incorrect IAM policy ARN format. The ARN provided in the policy does not seem to match the required format.
Ensure the db-instance string in the ARN matches the actual DBInstanceIdentifier of your RDS instance. Correct the ARN format for the user:
"arn:aws:rds-db:eu-west-2:<AccountID>:dbuser:<DBInstanceID>/<IAMDBUser>"
You can retrieve the correct DBInstanceIdentifier via:
aws rds describe-db-instances --region eu-west-2 --query "DBInstances[*].DBInstanceIdentifier"
This mismatch in the ARN is the most probable cause of the Access Denied error you're seeing.
Thank you Giovanni. So, clearly, I had misunderstood what the db "instance" "identifier" was. However, changing my IAM policy to:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "rds-db:connect",
            "Resource": [
                "arn:aws:rds-db:eu-west-2:271169831438:dbuser:testdb/liboveiam",
                "arn:aws:rds-db:eu-west-2:271169831438:dbuser:crmgdataprod1/liboveiam",
                "arn:aws:rds-db:eu-west-2:271169831438:dbuser:rg-prod2-db1/liboveiam",
                "arn:aws:rds-db:eu-west-2:271169831438:dbuser:rg-test2-db/liboveiam"
            ]
        }
    ]
}
(that is, database names, e.g. "testdb", instead of "db-LONGSTRING" as I had originally) still failed to get me past the Access Denied error.
The IAM policy is "inline" - that is, in the AWS IAM console, under the user to whom I want to grant IAM database access, in the Permissions policies section, there is a policy of type "Customer inline", attached via "inline", which is the above. Even if I got the IAM policy text correct now, am I attaching the policy wrong?
Also, in the same way that I got the database instance IDs wrong, am I specifying the IAM user name incorrectly? (That "liboveiam" above comes from the MySQL GRANT statement, i.e. GRANT various,things ON *.* TO liboveiam@% WITH GRANT OPTION.)
(I also tried changing the IAM policy to specify "arn:aws:.......:dbuser:databasename/jlibove", where "jlibove" is my AWS IAM login User Id on the AWS console. That, too, produced the Access Denied error.)
I'm sorry that I must be being dense about this, and I appreciate the assistance.
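For checking a policy like the one above before re-testing a connection, here is an added example (not code from this thread or from AWS): a small Python linter for the Resource ARNs of an rds-db:connect statement, which checks each one against the shape documented by AWS, arn:aws:rds-db:<region>:<account-id>:dbuser:<DbiResourceId>/<db-user-name>, where DbiResourceId is the instance's Resource ID (the db-... value shown in the RDS console) and db-user-name is the database account created with AWSAuthenticationPlugin, not the IAM user. The sample policy, account id, resource id and user names are constructed placeholders, and the pattern used for a DbiResourceId (db- followed by uppercase letters and digits) is an assumption drawn from the documented example value.

```python
import json
import re

# Resource ARN for rds-db:connect, as documented by AWS:
#   arn:aws:rds-db:<region>:<account-id>:dbuser:<DbiResourceId>/<db-user-name>
ARN_RE = re.compile(r"^arn:aws:rds-db:(?P<region>[a-z]{2}(?:-gov)?-[a-z]+-\d):"
                    r"(?P<account>\d{12}):dbuser:(?P<resource_id>[^/]+)/(?P<db_user>.+)$")
# Assumed shape of a DbiResourceId (e.g. db-ABCDEFGHIJKL01234); it is not the instance's display name.
RESOURCE_ID_RE = re.compile(r"^db-[A-Z0-9]{10,}$")

def lint_rds_connect_policy(policy_json, known_db_users=None):
    """Return (arn, problem) findings for each Resource of every rds-db:connect statement.
    known_db_users: optional set of DB accounts created with AWSAuthenticationPlugin."""
    findings = []
    for stmt in json.loads(policy_json).get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if "rds-db:connect" not in actions and "rds-db:*" not in actions:
            continue
        resources = stmt.get("Resource", [])
        for arn in [resources] if isinstance(resources, str) else resources:
            if arn == "*":
                findings.append((arn, "wildcard lets this principal connect as any DB user"))
                continue
            m = ARN_RE.match(arn)
            if not m:
                findings.append((arn, "not of the form arn:aws:rds-db:<region>:<account>:dbuser:<DbiResourceId>/<db-user>"))
                continue
            if m["resource_id"] != "*" and not RESOURCE_ID_RE.match(m["resource_id"]):
                findings.append((arn, f"'{m['resource_id']}' is not a DbiResourceId (db-...), so no instance matches it"))
            if known_db_users is not None and m["db_user"] != "*" and m["db_user"] not in known_db_users:
                findings.append((arn, f"'{m['db_user']}' is not a known IAM-enabled DB account"))
    return findings

# Constructed sample modelled on the thread's policy; the account id, resource
# id and user names are placeholders, not real values.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "rds-db:connect", "Resource": [
        "arn:aws:rds-db:eu-west-2:123456789012:dbuser:testdb/myIAMuser",
        "arn:aws:rds-db:eu-west-2:123456789012:dbuser:db-ABCDEFGHIJKL01234/myIAMuser",
        "arn:aws:rds-db:eu-west-2:123456789012:dbuser:db-ABCDEFGHIJKL01234/jlibove",
        "arn:aws:rds-db:eu-west-2:123456789012:db-ABCDEFGHIJKL01234/myIAMuser"]}]})

if __name__ == "__main__":
    for arn, problem in lint_rds_connect_policy(SAMPLE_POLICY, {"myIAMuser"}):
        print(f"{arn}\n    -> {problem}")
```

Run against the sample it reports the instance-name resource id, the user name that was never created in MySQL, and the ARN missing the dbuser: segment, while the correctly formed ARN passes silently.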
Thanks Jay