Database access denied for AWS RDS proxy

Question

I have setup a RDS proxy for Aurora DB. I am able to connect to the RDS proxy endpoint but not able to perform any operations.

For e.g if I do show processlist; I get below error: ERROR 1045 (28000): Database Access denied for user 'admin'@'ip-address' (using password: YES)

Note: I am able to access RDS endpoint and perform all the operations.

Thanks in advance!

Answer 1

I encountered this same issue. Turns out it was related to the auto-generated IAM role permissions.

The secrets manager had 2 user accounts added to it (with verified correct credentials), and both were added to the RDS proxy. However, only the first user account worked. The second user account would get a permission denied error.

Checking the CloudWatch logs, I saw a message similar to:

Credentials couldn't be retrieved. The IAM role "arn:aws:iam::ACCOUNT:role/service-role/rds-proxy-role-TIMESTAMP" is not authorized to read the AWS Secrets Manager secret with the ARN "arn:aws:secretsmanager:REGION:ACCOUNT:secret:SECRET_NAME"

When I looked at the IAM policy for the rds-proxy-role-TIMESTAMP role, it had only been granted access to the secret for the first user. This appears to be an issue with the creation of the IAM role when the proxy is set up.

To resolve it, I modified the policy for the rds-proxy-role-TIMESTAMP role to give it access to the ARN for the second user's secret as well. After a few minutes, I was able to log in as the second user.

Answer 2

If you are getting a Database access denied error please check the user permissions in RDS first.

If you can connect to RDS directly with this credentials, check that credentials in Secret Manager are the same.

Then check if you RDS Proxy policy has permission to access all you Secret Manager records as I mention here https://stackoverflow.com/a/73649818/4642536