By using AWS re:Post, you agree to the AWS re:Post Terms of Use

Authentication error while connecting to MySQL RDS using IAM Authentication with VPN

0

We have a MySQL RDS in a private subnet which is setup to use IAM authentication. Everything works as expected. Once we attach a policy to the users that restricts access to AWS resources from a specific IP which is the VPN instance public IP. Authentication does not work. We are able to generate token from CLI, it works without the VPN only policy attached but the token does not work once the VPN only policy is applied. VPN is setup to route all requests to *.amazonaws.com through the VPN instance.

1 Answer
0

Usually when you connect through VPN. You get private IP assigned from a pool in VPN.

Then there are two scenarios.

1- Traffic gets NAT to Private ENI IP of VPN instance or 2- Traffic dont get NAT but pass actual IPassigned to users through NAT pool of VPN instance.

I would suggest to try adding both Private ENI IP of Nat instance and User pool of VPN in your IAM policy to test again.

Otherwise VPC Flow logs of MySQL RDS can also show what IP is source IP when it hits MySQL and build policy with that

answered 2 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions