Error code: 1045
Category: cloud
Type: auth_error
AI-generated: true
ERROR 1045 (28000): Access denied for user 'db_user'@'ip-10-0-1-5.ec2.internal' (using password: NO) - IAM authentication failed for RDS instance 'mydb'
ID: cloud/aws-rds-iam-auth-connection-refused
Fix rate: 88%
Confidence: 90%
Evidence: 1
First seen: 2024-01-05
Version Compatibility
| Version | Status | Introduced | Deprecated | Notes |
|---|---|---|---|---|
| aws_cli | active | — | — | — |
| mysql | active | — | — | — |
| rds | active | — | — | — |
Root Cause
The IAM database authentication token is missing, expired, or the RDS instance is not configured to require IAM authentication, causing the connection to fail.
Official Documentation
https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.html
Workarounds
- 95% success: Enable IAM auth on the RDS instance: `aws rds modify-db-instance --db-instance-identifier mydb --enable-iam-database-authentication --apply-immediately`. Then create a database user that authenticates through the IAM plugin instead of a password: `CREATE USER 'db_user'@'%' IDENTIFIED WITH AWSAuthenticationPlugin AS 'RDS'; GRANT ALL ON mydb.* TO 'db_user'@'%';`
- 90% success: Generate a fresh token and connect within 15 minutes of generating it (tokens expire after 15 minutes): `RDSHOST="mydb.123456789012.us-east-1.rds.amazonaws.com" && TOKEN=$(aws rds generate-db-auth-token --hostname "$RDSHOST" --port 3306 --username db_user) && mysql -h "$RDSHOST" -P 3306 -u db_user --enable-cleartext-plugin --password="$TOKEN"`
Dead Ends
Common approaches that don't work:
- 70% fail: If the RDS instance has `require_iam_auth` enabled, password-based login is disabled.
- 50% fail: The token may be valid but the RDS instance's parameter group doesn't have `require_secure_transport` or `aws_default_iam_auth` enabled.