AWS IAM role RDS authentication failure

Question

Trying to create a process for IAM role based authentication to my RDS instance per AWS wiki, but no matter what I seem to do I get a basic auth failure akin to a bad password, with no logging anywhere to give me more insights into the problem. My steps to reproduce:

Ensure IAM authentication is enabled in RDS instance.

Create a role db_user_test with RDSFullAccess policy and the following inline policy:

{
"Version": "2012-10-17",
"Statement": [
    {
        "Sid": "VisualEditor0",
        "Effect": "Allow",
        "Action": "rds-db:connect",
        "Resource": "arn:aws:rds:us-west-1:##########:db:foo_bar_instance/db_user_test"
    }
]
}

Tag test ec2 instance with role.

Login to RDS instance and enable grants:

mysql> CREATE USER db_user_test IDENTIFIED WITH AWSAuthenticationPlugin AS 'RDS';
Query OK, 0 rows affected (0.01 sec)

mysql> GRANT USAGE ON *.* TO 'db_user_test'@'%'REQUIRE SSL;
Query OK, 0 rows affected (0.01 sec)

mysql> show grants for 'db_user_test'@'%';
+------------------------------------------------------+
| Grants for db_user_test@%                            |
+------------------------------------------------------+
| GRANT USAGE ON *.* TO 'db_user_test'@'%' REQUIRE SSL |
+------------------------------------------------------+
1 row in set (0.00 sec)

mysql>

Generate token and attempt to authenticate:

[root@ip-10-101-115-129 ~]# bash -x test_auth_new.sh
+ RDSHOST=foo.bar.us-west-1.rds.amazonaws.com
++ aws rds generate-db-auth-token --hostname foo.bar.us-west-1.rds.amazonaws.com --port 3306 --username db_user_test
+ TOKEN='foo.bar.us-west-1.rds.amazonaws.com:3306/?TOKEN_HERE'
+ SSL_CERT=/root/rds-combined-ca-bundle.pem
+ mysql --host=foo.bar.us-west-1.rds.amazonaws.com --port=3306 --verbose --ssl-ca=/root/rds-combined-ca-bundle.pem --ssl-mode=VERIFY_IDENTITY --user=db_user_test '--password=foo.bar.us-west-1.rds.amazonaws.com:3306/?TOKEN_HERE' --enable-cleartext-plugin
mysql: [Warning] Using a password on the command line interface can be insecure.
ERROR 1045 (28000): Access denied for user 'db_user_test'@'10.101.115.129' (using password: YES)

I've verified native access works fine from the instance so I'm definitely not getting blocked anywhere except authenticating. Anyone ever get stuck with this before with suggestions?

`foo_bar_instance` must be the unique, system-assigned `db-4LPH4NUM3R1C` db identifier assigned by the system and visible in the console, not the name of the db instance. Is that what you used there? Also, after the account number in the ARN is `dbuser:`, not `db:`. — Michael - sqlbot, May 25 '18 at 23:20
Fixed the in-line policy to reflect the proper syntax: `{ "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": "rds-db:connect", "Resource": "arn:aws:rds-db:us-west-2:########:dbuser:db-IDENTIFIER/db_user_test" } ] }` still fails to authenticate — Ethan Shrago, May 29 '18 at 18:50

score 0 · Answer 1 · answered May 30 '18 at 20:03

Authentication issue was resolved. I determined using the --debug flag issuing the aws rds generate-db-auth-token command that the client was using a found .aws/config profile that differed from what was needed to login. Moving this config out of the way and reformatting the inline policy to correctly identify the resource corrected this issue, and I am now able to authenticate to my RDS instance with the auth token.

AWS IAM role RDS authentication failure

1 Answers1