4

I'm getting a connection timeout when I try to connect to a MySQL RDS Proxy. I followed this tutorial

This is my code

import mysql2 from 'mysql2';
import AWS from 'aws-sdk';
const getConnection = async () => {
    const signer = new AWS.RDS.Signer({
        username: 'my-user-name',
        hostname: 'proxy-name.proxy-someid.us-east-1.rds.amazonaws.com',
        port: 3306
    });

    console.info('Connecting to MySQL proxy via IAM authentication');

    const rdsSignerAuth = () => () => {
        console.info('CALL rdsSignerAuth');
        return signer.getAuthToken({
            username: 'my-user-name',
            region: 'us-east-1',
            hostname: 'proxy-name.proxy-someid.us-east-1.rds.amazonaws.com',
            port: 3306
        });
    };

    let connection;
    try {
        connection = await mysql2.createConnection({
            host: 'proxy-name.proxy-someid.us-east-1.rds.amazonaws.com',
            user: 'my-user-name',
            database: 'database-name',
            connectTimeout: 60000,
            ssl: { rejectUnauthorized: false },
            authPlugins: { mysql_clear_password: rdsSignerAuth },
        });
        console.info('Connected');
    }
    catch (e) {
        console.error(`MySQL connection error: ${e}`);
        throw e;
    }
    return connection;
};
const mysql2Impl = async () => {
    const connection = await getConnection();
    //console.info({ type: 'connection', connection });
    const result = await connection.promise().query('select * from destiny;');
    console.info({ type: 'result', result });
};
export async function testRdsProxy(event, context){
    console.info(JSON.stringify({ event, context }));
    await mysql2Impl();
    return 200;
}

And this is the response

Error {
    code: 'ETIMEDOUT',
    errno: undefined,
    message: 'connect ETIMEDOUT',
    sqlState: undefined,
  }

I already checked that my Lambda function has a policy "rds-db:connect" to "*" resource. Besides, I checked that my proxy is in the same VPC and subnet as my RDS DB. The secret that holds the credentials to RDS is OK. What am I doing wrong?

Vladimir Venegas
  • Have you enabled logging on the proxy? Please check the logs and update. I have got it working, might be able to help. – DEVCNN May 18 '20 at 13:50

3 Answers

9

The doc states that the RDS proxy cannot be accessed publicly, so your Lambda function needs to be in the same security group as the RDS proxy. Please be aware that when you put your Lambda into a VPC, your Lambda may lose its ability to access the internet. Thank you.

ninjjshd
  • 1
    Yes, it finally works. I put the Lambdas in a DMZ, in the same VPC. Now the Lambdas can connect to the RDS proxy and still have a public IP and internet access – Vladimir Venegas Jul 28 '20 at 13:52
  • 1
    Do the RDS Proxy and Lambda need to be in the same security group or just the same VPC? – sdgfsdh Dec 01 '20 at 14:43
  • @sdgfsdh just the same VPC. But on the proxy SG you need to allow inbound traffic from the Lambda SG – ahfx Jan 28 '22 at 00:48
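
The security-group condition from the comment above (the proxy SG must allow inbound traffic from the Lambda SG), as an added offline check that is not part of the original thread. The sample data is constructed in the shape of the EC2 DescribeSecurityGroups and Lambda GetFunctionConfiguration responses; all IDs and the `checkProxyIngress` name are made up, and CIDR-based rules and VPC peering are not modelled.

```javascript
// Constructed sample data shaped like EC2 DescribeSecurityGroups and Lambda
// GetFunctionConfiguration responses; every ID here is made up.
const lambdaConfig = {
  VpcConfig: { VpcId: 'vpc-0aaa', SecurityGroupIds: ['sg-lambda'] },
};
const proxySecurityGroups = [{
  GroupId: 'sg-proxy',
  VpcId: 'vpc-0aaa',
  IpPermissions: [{
    IpProtocol: 'tcp', FromPort: 3306, ToPort: 3306,
    UserIdGroupPairs: [{ GroupId: 'sg-app' }], // the Lambda SG is missing
    IpRanges: [],
  }],
}];

// True when an inbound rule covers TCP traffic to `port`.
function ruleCoversPort(rule, port) {
  if (rule.IpProtocol === '-1') return true; // "all traffic" rule
  return rule.IpProtocol === 'tcp' && rule.FromPort <= port && port <= rule.ToPort;
}

// Reports whether any proxy SG admits the Lambda's SGs on the MySQL port.
// Assumption: only SG-to-SG rules are evaluated (no CIDR rules, no peering).
function checkProxyIngress(lambdaCfg, proxyGroups, port = 3306) {
  const vpc = lambdaCfg.VpcConfig;
  if (!vpc || !vpc.VpcId) {
    return { allowed: false, reason: 'Lambda is not attached to a VPC' };
  }
  const sameVpc = proxyGroups.filter((g) => g.VpcId === vpc.VpcId);
  if (sameVpc.length === 0) {
    return { allowed: false, reason: 'proxy SGs are in a different VPC' };
  }
  for (const group of sameVpc) {
    const rules = group.IpPermissions.filter((r) => ruleCoversPort(r, port));
    for (const rule of rules) {
      const sources = (rule.UserIdGroupPairs || []).map((p) => p.GroupId);
      const match = vpc.SecurityGroupIds.find((id) => sources.includes(id));
      if (match) {
        return { allowed: true, reason: `${group.GroupId} allows ${match} on ${port}` };
      }
    }
  }
  return { allowed: false, reason: `no proxy SG rule admits the Lambda SGs on ${port}` };
}

console.log(checkProxyIngress(lambdaConfig, proxySecurityGroups));
```

A `false` result here corresponds to the `connect ETIMEDOUT` in the question: the TCP handshake never completes, so IAM authentication is never reached.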
1

You can connect to RDS Proxy even from outside the VPC by doing VPC peering from the same or a different account. I did it for one of the projects.

0
  • If you pass IAM certification
    check the user-name(mysql user) has execute [INVOKE LAMBDA] permission

  • If IAM authentication fails
    you should let the proxy setup wizard automatically create an IAM like below
    Connectivity > IAM role > Create IAM role
                         > IAM authentication > Required

Hyper