# ERROR 1045 (28000): Access denied for user 'db_user'@'ip-10-0-1-5.ec2.internal' (using password: NO) - IAM authentication failed for RDS instance 'mydb'

- **ID:** `cloud/aws-rds-iam-auth-connection-refused`
- **Domain:** cloud
- **Category:** auth_error
- **Error Code:** `1045`
- **Verification:** ai_generated
- **Fix Rate:** 88%

## Root Cause

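The IAM database authentication token is missing or expired, or the RDS instance does not have IAM database authentication enabled, so the connection fails. The `(using password: NO)` part of the message means the client sent no password at all, which here means the token was empty.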

## Version Compatibility

| Component | Status | Introduced | Deprecated |
|---------|--------|------------|------------|
| aws_cli | active | — | — |
| mysql | active | — | — |
| rds | active | — | — |

## Workarounds

1. **Enable IAM authentication on the RDS instance, then create a database user that authenticates with `AWSAuthenticationPlugin`.** (95% success)
   ```
   aws rds modify-db-instance --db-instance-identifier mydb --enable-iam-database-authentication --apply-immediately
   ```
   ```
   CREATE USER 'db_user'@'%' IDENTIFIED WITH AWSAuthenticationPlugin AS 'RDS';
   GRANT ALL ON mydb.* TO 'db_user'@'%';
   ```
2. **Generate a fresh token and connect within 15 minutes of generating it.** (90% success)
   ```
   RDSHOST="mydb.123456789012.us-east-1.rds.amazonaws.com" && \
   TOKEN=$(aws rds generate-db-auth-token --hostname "$RDSHOST" --port 3306 --username db_user) && \
   # Quote the token: it contains `?` and `&`, which an unquoted expansion can mangle.
   mysql -h "$RDSHOST" -P 3306 -u db_user --enable-cleartext-plugin --password="$TOKEN"
   ```
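
A pre-flight check for the token from workaround 2, as an added example that is not part of the original page: it parses the token offline and separates the empty-token case behind `(using password: NO)` from an expired or mis-targeted token. The function name, status strings and sample token (fake credential and signature) are constructed here, and the code assumes the presigned-request layout that `aws rds generate-db-auth-token` prints.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

# Constructed sample (fake credential and signature) using the page's host and user.
HOST = "mydb.123456789012.us-east-1.rds.amazonaws.com"
SAMPLE_TOKEN = (
    HOST + ":3306/?Action=connect&DBUser=db_user"
    "&X-Amz-Algorithm=AWS4-HMAC-SHA256"
    "&X-Amz-Credential=AKIAEXAMPLE%2F20240101%2Fus-east-1%2Frds-db%2Faws4_request"
    "&X-Amz-Date=20240101T120000Z&X-Amz-Expires=900"
    "&X-Amz-SignedHeaders=host&X-Amz-Signature=0000constructed0000"
)


def check_rds_iam_token(token, user, host, now=None):
    """Classify a token offline. Returns (status, detail)."""
    now = now or datetime.now(timezone.utc)
    if not token or not token.strip():
        # An empty password is what the client reports as "using password: NO".
        return "empty", "no token reached the client; check that generation succeeded"
    try:
        # Assumed layout: host:port/?Action=connect&DBUser=...&X-Amz-Date=...
        parts = urlsplit("//" + token.strip())
        query = parse_qs(parts.query)
        token_user = query["DBUser"][0]
        signed_at = datetime.strptime(
            query["X-Amz-Date"][0], "%Y%m%dT%H%M%SZ"
        ).replace(tzinfo=timezone.utc)
        lifetime = timedelta(seconds=int(query["X-Amz-Expires"][0]))
        query["X-Amz-Signature"][0]  # must be present, value is not checked here
    except (KeyError, ValueError):
        return "malformed", "missing or unparsable signing parameters"
    if token_user != user or parts.hostname != host.lower():
        # The token is signed for one user and endpoint; it fails elsewhere.
        return "wrong_target", f"token is for {token_user}@{parts.hostname}"
    remaining = signed_at + lifetime - now
    if remaining <= timedelta(0):
        return "expired", f"expired {int(-remaining.total_seconds())}s ago; generate a new one"
    return "ok", f"{int(remaining.total_seconds())}s of validity left"


if __name__ == "__main__":
    at = datetime(2024, 1, 1, 12, 5, tzinfo=timezone.utc)
    print(check_rds_iam_token(SAMPLE_TOKEN, "db_user", HOST, at))  # ('ok', '600s of validity left')
    print(check_rds_iam_token("", "db_user", HOST, at))
```

The check only reads the signing parameters; it does not verify the signature, so an `ok` result rules out the empty and expired cases but not a token signed with the wrong credentials.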

## Dead Ends

- If the RDS instance has `require_iam_auth` enabled, password-based login is disabled. (70% fail)
- The token may be valid but the RDS instance's parameter group doesn't have `require_secure_transport` or `aws_default_iam_auth` enabled. (50% fail)
