By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

Authentication error while connecting to MySQL RDS using IAM Authentication with VPN

0

We have a MySQL RDS in a private subnet which is setup to use IAM authentication. Everything works as expected. Once we attach a policy to the users that restricts access to AWS resources from a specific IP which is the VPN instance public IP. Authentication does not work. We are able to generate token from CLI, it works without the VPN only policy attached but the token does not work once the VPN only policy is applied. VPN is setup to route all requests to *.amazonaws.com through the VPN instance.

Topics
Networking & Content DeliverySecurity, Identity, & ComplianceDatabase
Tags
Amazon VPCAWS Identity and Access ManagementDatabase
Language
English
ChallaPradyumnaHiver
asked a year ago255 views
1 Answer
0

Usually when you connect through VPN. You get private IP assigned from a pool in VPN.

Then there are two scenarios.

1- Traffic gets NAT to Private ENI IP of VPN instance or 2- Traffic dont get NAT but pass actual IPassigned to users through NAT pool of VPN instance.

I would suggest to try adding both Private ENI IP of Nat instance and User pool of VPN in your IAM policy to test again.

Otherwise VPC Flow logs of MySQL RDS can also show what IP is source IP when it hits MySQL and build policy with that

Muhammad
answered a year ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content