{ "id": "cloud/aws-rds-iam-auth-connection-refused", "signature": "ERROR 1045 (28000): Access denied for user 'db_user'@'ip-10-0-1-5.ec2.internal' (using password: NO) - IAM authentication failed for RDS instance 'mydb'", "signature_zh": "ERROR 1045 (28000):用户 'db_user'@'ip-10-0-1-5.ec2.internal' 访问被拒绝(未使用密码)——RDS 实例 'mydb' 的 IAM 身份验证失败", "regex": "ERROR 1045.*Access denied.*IAM authentication failed.*RDS instance", "domain": "cloud", "category": "auth_error", "subcategory": null, "root_cause": "The IAM database authentication token is missing, expired, or the RDS instance is not configured to require IAM authentication, causing the connection to fail.", "root_cause_type": "generic", "root_cause_zh": "IAM 数据库身份验证令牌缺失、已过期,或 RDS 实例未配置为要求 IAM 身份验证,导致连接失败。", "versions": [ { "version": "aws_cli", "introduced": null, "deprecated": null, "removed": null, "behavior_change": null, "status": "active" }, { "version": "mysql", "introduced": null, "deprecated": null, "removed": null, "behavior_change": null, "status": "active" }, { "version": "rds", "introduced": null, "deprecated": null, "removed": null, "behavior_change": null, "status": "active" } ], "os_specific": {}, "dead_ends": [ { "action": "", "why_fails": "If the RDS instance has `require_iam_auth` enabled, password-based login is disabled.", "fail_rate": 0.7, "condition": "", "sources": [] }, { "action": "", "why_fails": "The token may be valid but the RDS instance's parameter group doesn't have `require_secure_transport` or `aws_default_iam_auth` enabled.", "fail_rate": 0.5, "condition": "", "sources": [] } ], "workarounds": [ { "action": "Enable IAM auth on the RDS instance: `aws rds modify-db-instance --db-instance-identifier mydb --enable-iam-database-authentication --apply-immediately`. Then create a database user with `CREATE USER 'db_user'@'%' IDENTIFIED WITH AWSAuthenticationPlugin AS 'RDS'; GRANT ALL ON mydb.* TO 'db_user'@'%';`", "success_rate": 0.95, "how": "Enable IAM auth on the RDS instance: `aws rds modify-db-instance --db-instance-identifier mydb --enable-iam-database-authentication --apply-immediately`. Then create a database user with `CREATE USER 'db_user'@'%' IDENTIFIED WITH AWSAuthenticationPlugin AS 'RDS'; GRANT ALL ON mydb.* TO 'db_user'@'%';`", "condition": "", "sources": [] }, { "action": "Generate a fresh token within 15 minutes of connection: `RDSHOST=\"mydb.123456789012.us-east-1.rds.amazonaws.com\" && TOKEN=$(aws rds generate-db-auth-token --hostname $RDSHOST --port 3306 --username db_user) && mysql -h $RDSHOST -P 3306 -u db_user --enable-cleartext-plugin --password=$TOKEN`", "success_rate": 0.9, "how": "Generate a fresh token within 15 minutes of connection: `RDSHOST=\"mydb.123456789012.us-east-1.rds.amazonaws.com\" && TOKEN=$(aws rds generate-db-auth-token --hostname $RDSHOST --port 3306 --username db_user) && mysql -h $RDSHOST -P 3306 -u db_user --enable-cleartext-plugin --password=$TOKEN`", "condition": "", "sources": [] } ], "workarounds_zh": [ "Enable IAM auth on the RDS instance: `aws rds modify-db-instance --db-instance-identifier mydb --enable-iam-database-authentication --apply-immediately`. Then create a database user with `CREATE USER 'db_user'@'%' IDENTIFIED WITH AWSAuthenticationPlugin AS 'RDS'; GRANT ALL ON mydb.* TO 'db_user'@'%';`", "Generate a fresh token within 15 minutes of connection: `RDSHOST=\"mydb.123456789012.us-east-1.rds.amazonaws.com\" && TOKEN=$(aws rds generate-db-auth-token --hostname $RDSHOST --port 3306 --username db_user) && mysql -h $RDSHOST -P 3306 -u db_user --enable-cleartext-plugin --password=$TOKEN`" ], "transition_graph": { "leads_to": [], "preceded_by": [], "frequently_confused_with": [] }, "official_doc_url": "https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.html", "official_doc_section": null, "error_code": "1045", "verification_tier": "ai_generated", "confidence": 0.9, "fix_success_rate": 0.88, "resolvable": "true", "first_seen": "2024-01-05", "last_confirmed": "2024-06-01", "last_updated": "2024-06-01", "evidence_count": 1, "tags": [], "locale": "en", "aliases": [] }