Access denied error when trying to access and query my Aurora DSQL cluster

Here's a link to the source code that I'm referring to.

As you can see, I'm fetching the endpoint of my Aurora DSQL cluster from the secrets parameter store, and generating an admin auth token to connect to the cluster. I wrote the code using this page from the Aurora DSQL user guide. When I run the code file given in the Drive link above (managedb-sql.js) in my command prompt to try to connect, I keep getting an error that says error: unable to accept connection, access denied. I also ran the same code in a Lambda function on my local machine using amplify mock function and I got a TypeError this time:

TypeError [ERR_UNKNOWN_ENCODING]: Unknown encoding: error: unable to accept connection, access denied

I'm the one who created the cluster so I should have administrative permissions to access it, and I know my host endpoint is correct. I tried copying an auth token from my console and pasting it into my code instead of generating it using getDbConnectAdminAuthToken() and it worked. Can anyone tell me what the issue is here?

asked 8 months ago, 325 views

1 Answer

It appears that the issue you're experiencing is related to authentication and authorization when trying to connect to your Aurora DSQL cluster. Since you mentioned that using a token copied from the console worked, but the programmatically generated token didn't, the problem likely lies in the token generation process or the permissions associated with the IAM role being used.

Here are a few things to check and try:

  1. Ensure that the IAM role or user you're using to generate the token has the necessary permissions. For admin access, the IAM policy should include the dsql:DbConnectAdmin action.

  2. Verify that the IAM credentials being used by your application (whether running locally or in Lambda) are correct and have the required permissions.

  3. Check if your token is being generated correctly. The token should be valid for 15 minutes. Make sure your local machine's clock is synchronized correctly, as time skew can cause authentication issues.

  4. If you're running this in a Lambda function, ensure that the Lambda execution role has the necessary permissions to generate the token and connect to the Aurora DSQL cluster.

  5. Double-check that you're using the correct cluster endpoint. The endpoint for Aurora DSQL might be different from standard Aurora endpoints.

  6. Ensure that your cluster's security group allows incoming connections from your client's IP address or the Lambda function's VPC.

  7. If you're using a customer-managed key for encryption, make sure your IAM role has the necessary permissions on that key, including kms:DescribeKey and kms:CreateGrant.

If the issue persists after checking these points, you might want to enable more detailed logging or use AWS CloudTrail to get more information about the access denied error. This could help pinpoint whether it's an IAM permission issue, a network access problem, or something else.

Remember that Aurora DSQL is a preview service, so there might be some limitations or issues that are not yet fully documented. If you continue to face problems, it might be worth reaching out to AWS support for more detailed assistance.
Sources:
  - Understanding authentication and authorization for Aurora DSQL - Amazon Aurora DSQL
  - Access denied in AWS aurora (RDS database) | AWS re:Post

answered 8 months ago
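Items 1, 3 and 5 of the answer (correct action, 15-minute lifetime and clock skew, correct endpoint) can be checked against the generated token itself before it is handed to the Postgres client, which also catches the case where the value passed as the password is not a string at all. The following is an added example, not the asker's managedb-sql.js and not AWS code; it assumes the token has the presigned-URL shape the DSQL signer produces (`<endpoint>/?Action=DbConnectAdmin&X-Amz-Date=...&X-Amz-Expires=...&X-Amz-Signature=...`), that `Action=DbConnect` is the non-admin counterpart, and that `checkDsqlToken`, `parseAmzDate` and the sample endpoint are all constructed here.

```javascript
// Added example, not the asker's managedb-sql.js or an AWS library: offline
// sanity checks on a DSQL auth token before it is used as the pg password.
// Assumed token shape (presigned-URL style, as produced by the DSQL signer):
//   <cluster-endpoint>/?Action=DbConnectAdmin&X-Amz-Date=20250101T120000Z
//   &X-Amz-Expires=900&...&X-Amz-Signature=...
const MAX_TOKEN_LIFETIME_S = 15 * 60; // DSQL tokens are valid for up to 15 minutes
// "20250101T120000Z" -> epoch milliseconds (UTC), or null if malformed.
function parseAmzDate(s) {
  const m = /^(\d{4})(\d{2})(\d{2})T(\d{2})(\d{2})(\d{2})Z$/.exec(s);
  return m ? Date.UTC(+m[1], +m[2] - 1, +m[3], +m[4], +m[5], +m[6]) : null;
}
// Returns a list of problems; an empty list means the token looks usable.
// wantAdmin=true expects Action=DbConnectAdmin (assumed: Action=DbConnect otherwise);
// nowMs is injectable so the check is testable without a real clock.
function checkDsqlToken(token, expectedHost, wantAdmin, nowMs = Date.now()) {
  const problems = [];
  // An un-awaited Promise or an Error object cannot serve as a password.
  if (typeof token !== 'string') {
    problems.push(`token is ${token === null ? 'null' : typeof token}, not a string`);
    return problems;
  }
  let url;
  try { url = new URL('https://' + token); }
  catch { problems.push('token is not a presigned URL'); return problems; }
  if (url.hostname !== expectedHost) {
    problems.push(`token host ${url.hostname} differs from expected ${expectedHost}`);
  }
  const expectedAction = wantAdmin ? 'DbConnectAdmin' : 'DbConnect';
  const action = url.searchParams.get('Action');
  if (action !== expectedAction) problems.push(`Action is ${action}, expected ${expectedAction}`);
  const signedMs = parseAmzDate(url.searchParams.get('X-Amz-Date') || '');
  const expires = Number(url.searchParams.get('X-Amz-Expires'));
  if (signedMs === null) problems.push('missing or malformed X-Amz-Date');
  if (!(expires > 0) || expires > MAX_TOKEN_LIFETIME_S) {
    problems.push(`X-Amz-Expires ${expires} is outside 1..${MAX_TOKEN_LIFETIME_S}`);
  }
  if (signedMs !== null) {
    const ageS = (nowMs - signedMs) / 1000; // negative means signed "in the future"
    if (ageS < -60) problems.push(`X-Amz-Date is ${Math.round(-ageS)}s ahead of now: check clock skew`);
    else if (expires > 0 && ageS > expires) problems.push('token already expired');
  }
  if (!url.searchParams.get('X-Amz-Signature')) problems.push('missing X-Amz-Signature');
  return problems;
}
// Constructed sample (not a real endpoint or signature) to show the output.
const SAMPLE_HOST = 'example-cluster.dsql.us-east-1.on.aws';
const SAMPLE_TOKEN = `${SAMPLE_HOST}/?Action=DbConnectAdmin&X-Amz-Algorithm=AWS4-HMAC-SHA256` +
  '&X-Amz-Date=20250101T120000Z&X-Amz-Expires=900&X-Amz-SignedHeaders=host&X-Amz-Signature=deadbeef';
console.log(checkDsqlToken(SAMPLE_TOKEN, SAMPLE_HOST, true, Date.UTC(2025, 0, 1, 12, 1, 0))); // []
```

Run the check on the value your code is about to pass as `password`; a non-empty list points at the checklist item to look at before any network round trip.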
