
I have a service running in AWS account A1 that has the IAM role R1. My service is attached to a service account that has access to role R1.

Now I have an RDS MySQL cluster set up in a different AWS account A2, and that account has a role R2 which has access to connect to the RDS cluster.

The DB connect permission in R2 looks something like this:

{
    "Statement": [
        {
            "Action": "rds-db:connect",
            "Effect": "Allow",
            "Resource": "arn:aws:rds-db:*:<accountid>:dbuser:cluster-avcd/<user>"
        }
    ],
    "Version": "2012-10-17"
}

The R2 role also has a trust relationship with IAM role R1, so that R1 can assume R2.

I am using Python (in my service, which is running in account A1) to connect to the RDS MySQL database using IAM auth by assuming role R2. I used the code below.

# To generate the DB auth token, below is the code (methods of the service's DB helper class).
import boto3

    def assume_role(self, aws_arn):
        # Assumes R2 using the caller's own (R1) credentials and returns the
        # temporary credentials dict: AccessKeyId / SecretAccessKey / SessionToken.
        # (Body filled in here for completeness; the original post only called it.)
        sts_client = boto3.client('sts')
        response = sts_client.assume_role(RoleArn=aws_arn, RoleSessionName='rds-iam-auth')
        return response['Credentials']

    def generate_auth_token(self, username, aws_arn, region, db_host):
        credentials = self.assume_role(aws_arn)
        # RDS client built from the R2 session credentials, not the default chain
        rds_client = boto3.client(
            'rds',
            region_name=region,
            aws_access_key_id=credentials['AccessKeyId'],
            aws_secret_access_key=credentials['SecretAccessKey'],
            aws_session_token=credentials['SessionToken']
        )
        # Presigned token (valid 15 minutes) used as the MySQL password
        token = rds_client.generate_db_auth_token(
            DBHostname=db_host,
            Port=3306,
            DBUsername=username
        )
        return token


# Using the above token to connect to the DB in the code below
from aws_advanced_python_wrapper import AwsWrapperConnection
from mysql.connector import connect
from mysql.connector.constants import ClientFlag

conn = AwsWrapperConnection.connect(
    connect,                        # underlying mysql-connector connect function
    host=host,
    port=port,
    database=db_name,
    user=username,
    password=token,                 # token from generate_auth_token()
    ssl_disabled=False,
    client_flags=[ClientFlag.SSL],  # IAM auth requires TLS
    plugins='iam',                  # wrapper's IAM authentication plugin
    wrapper_dialect='aurora-mysql'
)

I am getting this error: "Error occurred while opening a connection: 1045 (28000): Access denied for user 'db_user'@'{ip}' (using password: YES)"

I feel that somehow the way I am using the assumed-role credentials in the AwsWrapperConnection.connect method is not right when using the IAM plugin. I have tried a lot of ways from the internet, but none of them worked.

What can I try next?

Role R1 already has permission to assume role R2 in account B:

{
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Resource": "arn:aws:iam::<Account-A2-ID>:role/R2"
}

(Not DB connect; it needs AssumeRole on account B role R2.)
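As an added example (not code from the question or from the AWS libraries it uses), the token-generation step reimplemented with the standard library only, following the same SigV4 query presigning of GET https://host:port/?Action=connect&DBUser=user for service rds-db with a 900-second expiry that boto3's generate_db_auth_token performs, plus a token_identity() check that reports which access key a given token was signed with. RDS evaluates rds-db:connect for the principal owning the access key in X-Amz-Credential, so running token_identity() on the token the driver actually sends (for example, one the wrapper's iam plugin generated from its own credential chain rather than the R2 session) tells you whether it carries the R2 session's ASIA* key or some other identity; a token signed by a principal without rds-db:connect on that cluster is refused with exactly the 1045 Access denied shown above. The host, user, region and credentials are constructed placeholders.

```python
"""SigV4 presigning of an RDS IAM auth token, plus a check on the identity it carries.
Added example; placeholder host, user and credentials are constructed, not real."""
import datetime
import hashlib
import hmac
from urllib.parse import parse_qs, quote, urlparse

SERVICE = "rds-db"          # IAM service namespace for rds-db:connect
TOKEN_TTL_SECONDS = "900"   # RDS auth tokens are valid for 15 minutes


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def generate_rds_auth_token(host, port, username, region,
                            access_key_id, secret_access_key,
                            session_token=None, now=None):
    """Build the token RDS expects as the MySQL password: a presigned
    GET https://host:port/?Action=connect&DBUser=<user> with the scheme stripped."""
    now = now or datetime.datetime.now(datetime.timezone.utc)
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date_stamp = now.strftime("%Y%m%d")
    scope = f"{date_stamp}/{region}/{SERVICE}/aws4_request"

    params = {
        "Action": "connect",
        "DBUser": username,
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key_id}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": TOKEN_TTL_SECONDS,
        "X-Amz-SignedHeaders": "host",
    }
    if session_token:
        # Temporary (STS) credentials must carry their session token in the query
        params["X-Amz-Security-Token"] = session_token

    # SigV4 canonical query string: keys sorted, RFC 3986 encoding of '/', '+', '='
    canonical_qs = "&".join(
        f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}"
        for k, v in sorted(params.items())
    )
    host_header = f"{host}:{port}"
    canonical_request = "\n".join([
        "GET", "/", canonical_qs,
        f"host:{host_header}\n",          # canonical headers, each newline-terminated
        "host",                           # signed headers
        hashlib.sha256(b"").hexdigest(),  # hash of the empty request body
    ])
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical_request.encode("utf-8")).hexdigest(),
    ])
    # Key derivation chain: kSecret -> kDate -> kRegion -> kService -> kSigning
    k_date = _hmac(("AWS4" + secret_access_key).encode("utf-8"), date_stamp)
    k_signing = _hmac(_hmac(_hmac(k_date, region), SERVICE), "aws4_request")
    signature = hmac.new(k_signing, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"{host_header}/?{canonical_qs}&X-Amz-Signature={signature}"


def token_identity(token):
    """Report which principal a token was signed with, for diagnosing 1045 errors:
    RDS evaluates rds-db:connect for the owner of the access key in X-Amz-Credential."""
    query = parse_qs(urlparse("https://" + token).query)
    access_key_id, date_stamp, region, service, _ = query["X-Amz-Credential"][0].split("/")
    return {
        "access_key_id": access_key_id,
        # ASIA* keys belong to STS sessions (assumed roles); AKIA* are long-term user keys
        "temporary_credentials": access_key_id.startswith("ASIA"),
        "has_session_token": "X-Amz-Security-Token" in query,
        "region": region,
        "service": service,
        "db_user": query["DBUser"][0],
        "signed_on": date_stamp,
    }


def example_token(secret_access_key="wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"):
    """Deterministic token for a constructed STS session (placeholder values, not real)."""
    fixed_time = datetime.datetime(2024, 1, 2, 3, 4, 5, tzinfo=datetime.timezone.utc)
    return generate_rds_auth_token(
        host="db.example.com", port=3306, username="db_user", region="us-east-1",
        access_key_id="ASIAIOSFODNN7EXAMPLE", secret_access_key=secret_access_key,
        session_token="FwoGZXIvYXdzEXAMPLE//SESSION+TOKEN=", now=fixed_time,
    )


if __name__ == "__main__":
    tok = example_token()
    print(tok)
    print(token_identity(tok))
```

In the question's setup the check is: take the token the service hands to the driver and confirm token_identity() shows the ASIA* key of the R2 session with has_session_token set; if it shows the R1 session's key instead (whatever generated it), the database is authorizing the wrong principal and the cross-account assume step is not being used for the token at all.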
