1045
cloud
auth_error
ai_generated
true
ERROR 1045 (28000):用户 'db_user'@'ip-10-0-1-5.ec2.internal' 访问被拒绝(未使用密码)——RDS 实例 'mydb' 的 IAM 身份验证失败
ERROR 1045 (28000): Access denied for user 'db_user'@'ip-10-0-1-5.ec2.internal' (using password: NO) - IAM authentication failed for RDS instance 'mydb'
ID: cloud/aws-rds-iam-auth-connection-refused
88%修复率
90%置信度
1证据数
2024-01-05首次发现
版本兼容性
| 版本 | 状态 | 引入 | 弃用 | 备注 |
|---|---|---|---|---|
| aws_cli | active | — | — | — |
| mysql | active | — | — | — |
| rds | active | — | — | — |
根因分析
IAM 数据库身份验证令牌缺失、已过期,或 RDS 实例未配置为要求 IAM 身份验证,导致连接失败。
English
The IAM database authentication token is missing, expired, or the RDS instance is not configured to require IAM authentication, causing the connection to fail.
官方文档
https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.html解决方案
-
Enable IAM auth on the RDS instance: `aws rds modify-db-instance --db-instance-identifier mydb --enable-iam-database-authentication --apply-immediately`. Then create a database user with `CREATE USER 'db_user'@'%' IDENTIFIED WITH AWSAuthenticationPlugin AS 'RDS'; GRANT ALL ON mydb.* TO 'db_user'@'%';`
-
Generate a fresh token within 15 minutes of connection: `RDSHOST="mydb.123456789012.us-east-1.rds.amazonaws.com" && TOKEN=$(aws rds generate-db-auth-token --hostname $RDSHOST --port 3306 --username db_user) && mysql -h $RDSHOST -P 3306 -u db_user --enable-cleartext-plugin --password=$TOKEN`
无效尝试
常见但无效的做法:
-
70% 失败
If the RDS instance has `require_iam_auth` enabled, password-based login is disabled.
-
50% 失败
The token may be valid but the RDS instance's parameter group doesn't have `require_secure_transport` or `aws_default_iam_auth` enabled.