AWS IAM role RDS authentication failure


Trying to create a process for IAM role based authentication to my RDS instance per AWS wiki, but no matter what I seem to do I get a basic auth failure akin to a bad password, with no logging anywhere to give me more insights into the problem. My steps to reproduce:

Ensure IAM authentication is enabled in RDS instance.

Create a role db_user_test with RDSFullAccess policy and the following inline policy:

"Version": "2012-10-17",
"Statement": [
        "Sid": "VisualEditor0",
        "Effect": "Allow",
        "Action": "rds-db:connect",
        "Resource": "arn:aws:rds:us-west-1:##########:db:foo_bar_instance/db_user_test"

Tag test ec2 instance with role.

Login to RDS instance and enable grants:

mysql> CREATE USER db_user_test IDENTIFIED WITH AWSAuthenticationPlugin AS 'RDS';
Query OK, 0 rows affected (0.01 sec)

mysql> GRANT USAGE ON *.* TO 'db_user_test'@'%'REQUIRE SSL;
Query OK, 0 rows affected (0.01 sec)

mysql> show grants for 'db_user_test'@'%';
| Grants for db_user_test@%                            |
| GRANT USAGE ON *.* TO 'db_user_test'@'%' REQUIRE SSL |
1 row in set (0.00 sec)


Generate token and attempt to authenticate:

[root@ip-10-101-115-129 ~]# bash -x
++ aws rds generate-db-auth-token --hostname --port 3306 --username db_user_test
+ TOKEN=''
+ SSL_CERT=/root/rds-combined-ca-bundle.pem
+ mysql --port=3306 --verbose --ssl-ca=/root/rds-combined-ca-bundle.pem --ssl-mode=VERIFY_IDENTITY --user=db_user_test '' --enable-cleartext-plugin
mysql: [Warning] Using a password on the command line interface can be insecure.
ERROR 1045 (28000): Access denied for user 'db_user_test'@'' (using password: YES)

I've verified native access works fine from the instance so I'm definitely not getting blocked anywhere except authenticating. Anyone ever get stuck with this before with suggestions?

Best Answer

Authentication issue was resolved. I determined using the --debug flag issuing the aws rds generate-db-auth-token command that the client was using a found .aws/config profile that differed from what was needed to login. Moving this config out of the way and reformatting the inline policy to correctly identify the resource corrected this issue, and I am now able to authenticate to my RDS instance with the auth token.