I have successfully deployed a pod and service for a Spring-Boot-API to AWS-Kubernetes-Cluster (EKS).

The App connects to a MySQL RDS. RDS and EKS are in different VPCs. I configured a Peering connection and also the routes in the VPCs.

The database is public and I can connect from my local environment.

For the cluster, I configured the environment variables in the deployment YAML and injected them with a config-map (secrets for user and pwd).

When the pod starts I get the following error: java.sql.SQLException: Access denied for user 'admin'@'172.31.35.70' (using password: YES)

I guess that this is a network issue, as the username is resolved correctly!

  • Normally if it was a network issue you'd get a network error. You're getting an authentication error, implying that you can actually connect to confirm your access is denied. Commented Apr 5, 2021 at 11:50
  • That is a helpful hint. But for what reason is the user correctly injected and the password obviously not? Commented Apr 5, 2021 at 13:39
  • I don’t know but it seems to rule out network Commented Apr 5, 2021 at 13:41

1 Answer

Rule number 1: never make your database public. If you look in the logs, hackers are probably brute-forcing it right now.

The fact you are getting an AccessDenied suggests the networking is correct, but something is wrong with the password you are supplying.

I would create a bastion in the same subnet as the k8s pod and connect to the database from there with the username and password.

4 Comments

It is only a test-db! As I wrote, I can connect from the application to the database outside of k8. I would like to keep separate VPCs and am looking for a solution for that.
You said you can connect to the DB from your local. I am saying connect to the database from an instance inside the subnet of your k8s application so that you can verify if it is a network issue.
As @Nick.McDermaid supposed, it is not a network issue.
I tested this by stopping the database - then I get a different error, pointing to a network issue. The error is that the password is not correct. I deployed the password with a secret.map where the password is base64-encoded. It seems that the decoding produces a different result or maybe it is not decoded at all. Interestingly the user (also from the secret-map) is correctly decoded (see error message which says that admin@... has no access). To test this I put the credentials in the configmap (not encoded).
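
An added example (not part of the original thread) for the symptom in the last comment, where the password injected from a Secret differs from the intended one: it decodes a value as stored under a Secret's `data:` map and flags a trailing newline, double encoding, or plaintext that was never encoded. The function names and the sample password are constructed for illustration.

```python
from __future__ import annotations

import base64
import binascii


def _decode(value: str) -> bytes | None:
    """Strictly base64-decode `value`; return None if it is not valid base64."""
    try:
        return base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None


def diagnose_secret_value(b64_value: str) -> list[str]:
    """Check one entry of a Secret's `data:` map for common encoding mistakes."""
    raw = _decode(b64_value)
    if raw is None:
        return ["not valid base64: plaintext belongs under stringData:, not data:"]
    findings = []
    stripped = raw.strip()
    if stripped != raw:
        # Typical cause: `echo pw | base64` instead of `echo -n pw | base64`.
        findings.append("decoded value has leading/trailing whitespace")
    try:
        inner = _decode(stripped.decode("ascii"))
    except UnicodeDecodeError:
        inner = None
    # Heuristic: a value that decodes a second time to printable text
    # was most likely encoded twice.
    if inner and len(stripped) >= 8 and inner.isascii() \
            and inner.decode("ascii").strip().isprintable():
        findings.append("decoded value is itself base64 (encoded twice)")
    return findings


PASSWORD = b"S3cret-example!"  # constructed sample, not a real credential
SAMPLES = {  # constructed values as they would appear under `data:`
    "clean": base64.b64encode(PASSWORD).decode(),
    "trailing_newline": base64.b64encode(PASSWORD + b"\n").decode(),
    "double_encoded": base64.b64encode(base64.b64encode(PASSWORD)).decode(),
    "plaintext_in_data": "S3cret-example!",
}

if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(f"{name}: {diagnose_secret_value(value) or 'ok'}")
```

A short value such as a username can pass all checks while a password fails, because each key is encoded separately and only the affected key carries the mistake.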
