# ERROR 1045 (28000): Access denied for user 'db_user'@'ip-10-0-1-5.ec2.internal' (using password: NO): IAM authentication failed for RDS instance 'mydb'

- **ID:** `cloud/aws-rds-iam-auth-connection-refused`
- **Domain:** cloud
- **Category:** auth_error
- **Error code:** `1045`
- **Verification level:** ai_generated
- **Fix rate:** 88%

## Root cause

The IAM database authentication token is missing or has expired, or IAM database authentication has not been enabled on the RDS instance, so the connection is refused.

## Version compatibility

| Version | Status | Introduced | Deprecated |
|------|------|------|------|
| aws_cli | active | — | — |
| mysql | active | — | — |
| rds | active | — | — |

## Solution

1. Enable IAM authentication on the RDS instance:
   ```
   aws rds modify-db-instance --db-instance-identifier mydb --enable-iam-database-authentication --apply-immediately
   ```
   Then create a database user that authenticates through the AWS plugin and grant it access:
   ```
   CREATE USER 'db_user'@'%' IDENTIFIED WITH AWSAuthenticationPlugin AS 'RDS';
   GRANT ALL ON mydb.* TO 'db_user'@'%';
   ```
2. Generate a fresh token and connect with it within 15 minutes (the token's lifetime). The token is passed as the password and is sent by the cleartext plugin, so the connection must be over SSL/TLS (the mysql client negotiates it by default):
   ```
   RDSHOST="mydb.123456789012.us-east-1.rds.amazonaws.com"
   TOKEN=$(aws rds generate-db-auth-token --hostname "$RDSHOST" --port 3306 --username db_user)
   mysql -h "$RDSHOST" -P 3306 -u db_user --enable-cleartext-plugin --password="$TOKEN"
   ```
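An added diagnostic, not part of this entry or of any AWS tool: the token printed by `generate-db-auth-token` is a SigV4 presigned URL, so its host, port, DBUser, signing region and expiry can be read back offline to show which of them does not match the `mysql` invocation. The sample token, its key id and its all-zero signature are constructed placeholders.

```python
"""Offline checker for an RDS IAM database authentication token.
The token printed by `aws rds generate-db-auth-token` is a SigV4 presigned URL
with the scheme removed, so the values it was issued for can be read back
without any AWS call and compared with what the mysql client was given."""
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

SIGV4_DATE = "%Y%m%dT%H%M%SZ"

# Constructed sample token: placeholder key id and an all-zero signature.
SAMPLE_TOKEN = (
    "mydb.123456789012.us-east-1.rds.amazonaws.com:3306/?Action=connect&DBUser=db_user"
    "&X-Amz-Algorithm=AWS4-HMAC-SHA256"
    "&X-Amz-Credential=AKIAEXAMPLEKEY%2F20240101%2Fus-east-1%2Frds-db%2Faws4_request"
    "&X-Amz-Date=20240101T120000Z&X-Amz-Expires=900&X-Amz-SignedHeaders=host"
    "&X-Amz-Signature=" + "0" * 64
)

def _utc(ts):
    """Parse a SigV4 timestamp such as 20240101T120000Z into an aware datetime."""
    return datetime.strptime(ts, SIGV4_DATE).replace(tzinfo=timezone.utc)

def inspect_auth_token(token, host, port, user, now):
    """Return the reasons `token` would be refused for host:port as `user` at
    time `now` (a SigV4 timestamp string). An empty list means it looks usable."""
    if not token:
        return ["token is empty: was TOKEN set in the same shell that ran mysql?"]
    problems = []
    parts = urlsplit("https://" + token)  # re-attach a scheme so netloc and query parse
    qs = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if parts.hostname != host.lower():
        problems.append(f"token signed for host {parts.hostname!r}, not {host!r}")
    if parts.port != port:
        problems.append(f"token signed for port {parts.port}, not {port}")
    if qs.get("DBUser") != user:
        problems.append(f"token DBUser is {qs.get('DBUser')!r}, not {user!r}")
    if qs.get("Action") != "connect" or "X-Amz-Signature" not in qs:
        problems.append("token is not a complete rds-db:connect presigned URL")
    # Credential scope is key/date/region/rds-db/aws4_request; the region must match the endpoint's.
    scope = qs.get("X-Amz-Credential", "").split("/")
    if host.endswith(".rds.amazonaws.com") and len(scope) == 5 and scope[2] != host.split(".")[2]:
        problems.append(f"token signed for region {scope[2]!r}, endpoint is in {host.split('.')[2]!r}")
    try:
        expires_at = _utc(qs["X-Amz-Date"]) + timedelta(seconds=int(qs.get("X-Amz-Expires", 900)))
    except (KeyError, ValueError):
        return problems + ["token has no parseable X-Amz-Date"]
    if _utc(now) >= expires_at:
        problems.append(f"token expired at {expires_at:%Y-%m-%dT%H:%M:%SZ} (tokens live 15 minutes)")
    return problems
```

Run it with the real token, the exact `-h`/`-P`/`-u` values and the current UTC time (`date -u +%Y%m%dT%H%M%SZ`) before retrying the connection.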

## Attempts that did not work

- If the RDS instance has `require_iam_auth` enabled, password-based login is disabled. (70% failure rate)
- The token may be valid but the RDS instance's parameter group doesn't have `require_secure_transport` or `aws_default_iam_auth` enabled. (50% failure rate)
