By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

Access Denied error when using Lambda IAM role to access Amazon RDS for MySQL

0

I'm currently using credentials with AWS Secrets Manager for connectivity from Amazon EC2/ECS/Lambda to AWS services such as Amazon RDS. I would like to change that to using IAM roles, so that it can be centrally managed. I've been successful in getting an AWS IAM role attached to an EC2 instance and used tokens to connect the IAM role to the Amazon RDS for MySQL DB instance. (https://aws.amazon.com/premiumsupport/knowledge-center/users-connect-rds-iam/)

When I follow a similar approach following instructions using https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.Connecting.Java.html in a Lambda function, I'm able to generate the IAM access token. But when tried to connect to Amazon RDS, I get an Access denied error for user 'user'@database ip'. In my console, when I review the AWS Lambda function's resource summary, I see that AWS Lambda has the correct RDS IAM authorization policy configured for the required resource.

I would expect the Lambda execution role(RDSFullAccess and RDS IAM Auth policies) to be sufficient for this connection to RDS. Am I missing anything?

Topics
ServerlessComputeMigration & ModernizationAnalyticsDatabase
Tags
AWS LambdaAmazon Relational Database Service
Language
English
AWS
Abhi
asked 4 years ago969 views
1 Answer
0
Accepted Answer

The instructions you followed for connecting to your DB instance using IAM authentication do not apply to AWS Lambda. The example code from this documentation sets the BasicAWSCredentials awsCredentials and obtains the Amazon RDS authorization token. This approach does not work if you have a Lambda function where you need to assume the IAM role.

Instead, try passing a new DefaultAWSCredentialsProviderChain and let AWS Lambda runtime pick up the correct AWS credentials. For example:

RdsIamAuthTokenGenerator generator = RdsIamAuthTokenGenerator.builder()
        		    .credentials(new DefaultAWSCredentialsProviderChain())
        		    .region(REGION_NAME)
        		    .build();
AWS
Abhi
answered 4 years ago
profile picture
EXPERT
Giovanni Lauria
reviewed a month ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content