IAM role fails to grant RDS access despite correct policy attachment

Cloud Platforms Amazon Web Services (AWS)
, , , , , , , ,
1

We’re implementing IAM database authentication for our RDS PostgreSQL instance. Created an IAM role with rds-db:connect permission and attached it to our EC2 instance, but the application still gets “Access Denied” when trying to connect. The database user is created with rds_iam role granted.

IAM policy attached to role:

{
  "Effect": "Allow",
  "Action": "rds-db:connect",
  "Resource": "arn:aws:rds-db:us-east-1:123456789:dbuser:db-ABCD1234/iamuser"
}

Application is using AWS SDK to generate auth tokens. Connection string includes the token but authentication fails. Is there something wrong with the resource ARN format or policy attachment?

2

First check - is IAM database authentication actually enabled on the RDS instance? It’s not enabled by default. Go to RDS console, select your instance, look under Configuration tab for “IAM database authentication: Enabled”. If it says Disabled, you need to modify the instance to enable it.

3

Your resource ARN looks suspicious. The format should be arn:aws:rds-db:region:account-id:dbuser:resource-id/database-user-name where resource-id is the DBI resource ID (starts with db-), not the DB instance identifier. You can find the DBI resource ID in the RDS console under Configuration tab. Double-check that value in your policy.

4

Check your database user creation. For PostgreSQL, the user must be created with rds_iam role. Log into the database and run: SELECT usename, valuntil FROM pg_user WHERE usename = ‘iamuser’; Also verify the user was granted rds_iam: SELECT * FROM pg_roles WHERE rolname = ‘iamuser’; The user should have inherited the rds_iam role. If not, run: GRANT rds_iam TO iamuser;

5

Just checked - IAM database authentication is enabled on the instance. The setting was turned on when we first created the database last month. Still getting access denied errors though.

6

Let me help you systematically troubleshoot this IAM database authentication issue. The problem involves three key areas: IAM role configuration, RDS IAM auth setup, and proper policy attachment to the execution context.

IAM Role and Policy Verification:

Your policy syntax looks correct, but let’s verify the complete setup:

  1. Check the IAM Role Trust Relationship: The role must allow EC2 service to assume it:
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Service": "ec2.amazonaws.com"},
    "Action": "sts:AssumeRole"
  }]
}
  1. Verify Instance Profile Attachment: The IAM role must be attached to EC2 via instance profile:
aws ec2 describe-instances --instance-ids i-xxxxx \
  --query 'Reservations[0].Instances[0].IamInstanceProfile'

If this returns null, the role isn’t attached. Attach it:

aws ec2 associate-iam-instance-profile \
  --instance-id i-xxxxx \
  --iam-instance-profile Name=your-instance-profile
  1. Validate Policy Resource ARN: The format is critical. Use this command to get the exact DBI resource ID:
aws rds describe-db-instances \
  --db-instance-identifier your-db-name \
  --query 'DBInstances[0].DbiResourceId'

Your policy resource should be:


arn:aws:rds-db:us-east-1:123456789012:dbuser:db-ABCD1234EFGH5678/iamuser

Note: Account ID should be 12 digits, and DBI resource ID format is db-XXXXX (mix of letters/numbers).

RDS IAM Authentication Setup:

  1. Database User Configuration (PostgreSQL): Connect to the database as master user and verify:
-- Check if user exists and has rds_iam role
SELECT r.rolname, r.rolcanlogin,
       ARRAY(SELECT b.rolname FROM pg_roles b
             WHERE pg_has_role(r.oid, b.oid, 'member')) as memberof
FROM pg_roles r
WHERE r.rolname = 'iamuser';

The output should show iamuser with rds_iam in the memberof array. If not:

CREATE USER iamuser WITH LOGIN;
GRANT rds_iam TO iamuser;
GRANT CONNECT ON DATABASE your_database TO iamuser;
GRANT USAGE ON SCHEMA public TO iamuser;
-- Add additional grants as needed

Application Auth Token Generation:

  1. Verify Token Generation Code: For Python/boto3:
import boto3
client = boto3.client('rds')
token = client.generate_db_auth_token(
    DBHostname='your-db.xxx.us-east-1.rds.amazonaws.com',
    Port=5432,
    DBUsername='iamuser',
    Region='us-east-1'
)

Critical points:

  • Use the RDS endpoint hostname, not IP address
  • Port must match RDS instance port (5432 for PostgreSQL)
  • Username must exactly match database user (‘iamuser’)
  • Region must match RDS instance region
  1. Connection String Format: For PostgreSQL with psycopg2:
import psycopg2
conn = psycopg2.connect(
    host='your-db.xxx.us-east-1.rds.amazonaws.com',
    port=5432,
    database='your_database',
    user='iamuser',
    password=token,
    sslmode='require',
    sslrootcert='rds-ca-2019-root.pem'
)

Critical Requirements:

  • SSL must be enabled (sslmode=‘require’)
  • Token is used as password parameter
  • Token expires after 15 minutes - generate new token for each connection
  • Download RDS SSL certificate from AWS and specify path

Common Issues and Solutions:

A. Token Expiration: Auth tokens are valid for 15 minutes. If your app caches connections longer, regenerate tokens.

B. Security Group: Ensure EC2 instance can reach RDS on port 5432. Security group on RDS must allow inbound from EC2’s security group.

C. Subnet Routing: EC2 and RDS should be in same VPC or have proper routing configured.

D. CloudTrail Verification: Check if IAM role is being assumed correctly:

aws cloudtrail lookup-events \
  --lookup-attributes AttributeKey=ResourceName,AttributeValue=your-role-name \
  --max-results 10

Testing Procedure:

  1. SSH to EC2 instance
  2. Verify IAM role credentials are available:
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/
  1. Generate token using AWS CLI:
aws rds generate-db-auth-token \
  --hostname your-db.xxx.us-east-1.rds.amazonaws.com \
  --port 5432 \
  --username iamuser \
  --region us-east-1
  1. Test connection with psql:
psql "host=your-db.xxx.us-east-1.rds.amazonaws.com port=5432 \
  dbname=your_database user=iamuser password=$TOKEN sslmode=require"

If step 2 fails, the instance profile isn’t attached. If step 3 fails, IAM permissions are wrong. If step 4 fails with “password authentication failed”, the database user setup is incorrect.

Based on your description, most likely issues are:

  1. Instance profile not properly attached to EC2
  2. Token not being regenerated frequently enough
  3. SSL not properly configured in connection string

Verify these three areas and the connection should succeed.

7

Verified the database user has rds_iam role granted. The DBI resource ID in my policy matches what’s shown in the console (db-ABCD1234EFGH5678). Still getting authentication failures. Could there be an issue with how the auth token is being generated or used?