Connection denied using RDS proxy user different than master username


I'm trying to set up an RDS Proxy to serve MySQL databases to my applications.

Most of the apps run with a username and password equal to the master username set on the RDS database, which has all grants.

I'm trying to access my RDS instance with a username and password different from the master username, and I get "Connection denied using password (YES)".

This user has permissions to access only one MySQL database.

I have searched the whole web for the answer to this. How can I connect to RDS via the proxy using different users?

PS: My RDS instance is using native authentication.


There are 2 answers

Nicolas Grasset

I noticed that our (default) IAM policy wasn't pointed at the correct KMS resource. The resource should be the ARN of the KMS key that decrypts the secret, but instead it was the key's name.

It's the second time this has happened to me, so I hope it helps someone in the future!

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "GetSecretValue",
            "Action": [
                "secretsmanager:GetSecretValue"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:secretsmanager:us-east-1:xxxxxxxxxxx:secret:zzzzzzzzz"
            ]
        },
        {
            "Sid": "DecryptSecretValue",
            "Action": [
                "kms:Decrypt"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:kms:us-east-1:xxxxxxxxxxx:key/yyyyyyy"
            ],
            "Condition": {
                "StringEquals": {
                    "kms:ViaService": "secretsmanager.us-east-1.amazonaws.com"
                }
            }
        }
    ]
}
Sebastian Perez

Try to always use a secret name that you can wildcard in the RDS Proxy policy, like rds/prod/db_username.

Review your RDS Proxy policy and wildcard the Secrets Manager resource, like:

"arn:aws:secretsmanager:us-east-1:ACCOUNTNUMBER:secret:rds/prod/*"
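A worked check that ties the two answers together, added here as an example rather than code from either answer or from AWS. RDS Proxy obtains the password for each database user from a Secrets Manager secret attached to the proxy, read with the proxy's IAM role, so a non-master user that has no readable secret fails with an access-denied error at the MySQL layer. Two things in the role policy commonly break this: the kms:Decrypt resource written as an alias or bare key ID instead of the key ARN (first answer), and a secretsmanager:GetSecretValue resource that matches only one secret. The second is easy to get wrong because Secrets Manager appends six random characters to the secret name in its ARN, which is why a prefix wildcard such as rds/prod/* (second answer) is the practical form. The script below evaluates a policy against the secret ARNs the proxy uses, applying IAM's resource wildcard rules; the account ID, key ID, secret names and the alias string are constructed placeholders.

```python
"""Static check of an RDS Proxy role policy against the secrets the proxy
must read.  Added example, not from the original post.  Account IDs,
key IDs and secret names are constructed placeholders.
"""
import json
import re

# Constructed sample policy with the mistake from the first answer: the
# kms:Decrypt resource is an alias name rather than the key ARN.  The
# GetSecretValue resource also names only the master user's secret.
BROKEN_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "GetSecretValue",
     "Action": ["secretsmanager:GetSecretValue"],
     "Effect": "Allow",
     "Resource": ["arn:aws:secretsmanager:us-east-1:111122223333:secret:rds/prod/master-AbC123"]},
    {"Sid": "DecryptSecretValue",
     "Action": ["kms:Decrypt"],
     "Effect": "Allow",
     "Resource": ["alias/rds-proxy-secrets"],
     "Condition": {"StringEquals": {"kms:ViaService": "secretsmanager.us-east-1.amazonaws.com"}}}
  ]
}
""")

# Constructed ARNs of the secrets attached to the proxy, one per DB user.
# Secrets Manager appends a random 6-character suffix to every secret ARN.
PROXY_SECRETS = [
    "arn:aws:secretsmanager:us-east-1:111122223333:secret:rds/prod/master-AbC123",
    "arn:aws:secretsmanager:us-east-1:111122223333:secret:rds/prod/app_user-XyZ789",
]

# A KMS key ARN: arn:aws:kms:REGION:ACCOUNT:key/UUID (aliases do not qualify).
KMS_KEY_ARN = re.compile(r"^arn:aws:kms:[a-z0-9-]+:\d{12}:key/[0-9a-f-]{36}$")


def iam_match(pattern, value):
    """IAM resource/action matching: '*' matches any run, '?' a single character."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def _statements(policy, action):
    """Yield Allow statements whose Action covers the given action."""
    for st in policy["Statement"]:
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if st["Effect"] == "Allow" and any(iam_match(a, action) for a in actions):
            yield st


def _resources(st):
    return st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]


def check_proxy_policy(policy, secret_arns, region):
    """Return a list of findings; an empty list means the policy is consistent."""
    findings = []
    # 1. Every secret the proxy uses must match some GetSecretValue resource.
    get_patterns = [r for st in _statements(policy, "secretsmanager:GetSecretValue")
                    for r in _resources(st)]
    for arn in secret_arns:
        if not any(iam_match(p, arn) for p in get_patterns):
            findings.append(f"secret not covered by GetSecretValue: {arn}")
    # 2. kms:Decrypt must name the key by ARN ('*' is accepted, though broad).
    decrypt = list(_statements(policy, "kms:Decrypt"))
    if not decrypt:
        findings.append("no kms:Decrypt statement")
    for st in decrypt:
        for r in _resources(st):
            if r != "*" and not KMS_KEY_ARN.match(r):
                findings.append(f"kms:Decrypt resource is not a key ARN: {r}")
        via = st.get("Condition", {}).get("StringEquals", {}).get("kms:ViaService")
        if via and via != f"secretsmanager.{region}.amazonaws.com":
            findings.append(f"kms:ViaService condition points elsewhere: {via}")
    return findings


def fixed_policy(policy, key_arn, secret_prefix_arn):
    """Copy of the policy with the two fixes the answers suggest applied."""
    fixed = json.loads(json.dumps(policy))  # deep copy, leave the input untouched
    for st in fixed["Statement"]:
        if st["Sid"] == "DecryptSecretValue":
            st["Resource"] = [key_arn]
        if st["Sid"] == "GetSecretValue":
            st["Resource"] = [secret_prefix_arn]
    return fixed


if __name__ == "__main__":
    print(check_proxy_policy(BROKEN_POLICY, PROXY_SECRETS, "us-east-1"))
    good = fixed_policy(
        BROKEN_POLICY,
        "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
        "arn:aws:secretsmanager:us-east-1:111122223333:secret:rds/prod/*",
    )
    print(check_proxy_policy(good, PROXY_SECRETS, "us-east-1"))
```

Run against the broken policy it reports the uncovered app_user secret and the alias used as a KMS resource; after the two rewrites it reports nothing. The check only evaluates the role policy; it does not replace confirming that a secret actually exists for the user and that the KMS key policy also allows the proxy role to decrypt with it.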