How to authenticate in MySQL RDS using IAM DB Authentication and Python

Question

I have an AWS RDS DB running MySQL 5.6.39, with IAM DB Authentication Enabled.

First of all, I completed with success the Tutorial: Configuring a Lambda Function to Access Amazon RDS in an Amazon VPC and this was my starting point for the next steps.

I want to log in with IAM credentials and so, following this and this tutorials, I did:

1. When I created the RDS MySQL instance, I selected Enabling IAM database authentication .

2. Created a user named lambda :

    CREATE USER 'lambda' IDENTIFIED WITH AWSAuthenticationPlugin as 'RDS'; GRANT ALL PRIVILEGES ON test_db.* TO 'lambda'@'%'; FLUSH PRIVILEGES; 

3. Created an IAM policy, and attached it to the role I was using as an Execution role for my lambda function:

    { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "rds-db:connect" ], "Resource": [ "<DB-ARN>/lambda" ] } ] } 

4. Created a lambda function:

    import sys import boto3 import logging import pymysql #rds settings rds_host = "<RDS-ENDPOINT>" username = "lambda" db_name = "test_db" logger = logging.getLogger() logger.setLevel(logging.INFO) client = boto3.client('rds',region_name='eu-west-2') token = client.generate_db_auth_token(rds_host,3306, name) ssl = {'ca': 'rds-combined-ca-bundle.pem'} logger.info("token: "+ token) conn = pymysql.connect(rds_host, user=username, passwd=token, db=db_name, connect_timeout=5, ssl=ssl) logger.info("SUCCESS: Connection to RDS mysql instance succeeded") def handler(event, context): ... 

5. I got the following error:

    error: (1045, "Access denied for user 'lambda'@'<LAMBDA_IP>' (using password: YES)") 

In an attempt to find If it was a python error I used AWS CLI, from an EC2 instance with the policy attached.

1. Get the token:

    aws rds generate-db-auth-token --hostname <RDS-ENDPOINT> --port 3306 --username lambda 

2. Connect to the DB, using the token I got in the last step:

    mysql -h <RDS-ENDPOINT> -u lambda --enable-cleartext-plugin --password='<TOKEN>' 

3. I got the same error:

    mysql: [Warning] Using a password on the command line interface can be insecure. ERROR 1045 (28000): Access denied for user 'lambda'@'<EC2_IP>' (using password: YES) 

Answer 1

The policy is not correct!

The Resource is not the DB ARN, but "arn:aws:rds-db:<AWS_REGION>:<AWS_ACCOUNT_ID>:dbuser:<AWS_DB_RESOURCE_ID>/<DB_USERNAME>"

To get this information from the management console, you can go to:

• AWS_REGION - The region code, for example eu-west-2 or any other from here .
• AWS_ACCOUNT_ID - Get it from the Account Settings .
• AWS_DB_RESOURCE_ID - Find it in Details\\Configuration\\Resource ID in the DB page and it starts with db- .
• DB_USERNAME - Is lambda because it was the one created in step 2.

By the way, and as Michael - sqlbot pointed out here and in this answer , the generation of the token is local so getting it should not be interpreted as getting a correct password.