Tags: amazon-web-services, aws-serverless, aws-aurora-serverless

Why am I getting 403s when trying to access an aurora serverless database from a lambda but not from the query editor?


I've spun up an aurora serverless postgres-compatible database and I'm trying to connect to it from a lambda function, but I am getting AccessDenied errors:

AccessDeniedException:
Status code: 403, request id: 2b19fa38-af7d-4f4a-aaa5-7d068e92c901

Details:

  • I can connect to and query the database manually via the query editor if I use the same secret-arn and database name that the lambda is trying to use. I've triple-checked that the arns are correct
  • My lambdas are not in the vpc but are using the data api. The RDS cluster is in the default vpc
  • I've temporarily given my lambdas administrator access so that I know it's not a policy-based issue on the lambda side of things
  • Cloudwatch does not contain any additional details on the error
  • I am able to query the database from the command line of my personal computer (not on the vpc)

Any suggestions? Perhaps there is a way to get better details out of the error?


Solution

  • Aha! After trying to connect via the command line and being able to do so successfully, I realized this had to be something non-network related. Digging into my code a bit I eventually realized there wasn't anything wrong with the connection portions of the code, but rather with the user permissions being used to create the session/service that attempted to access the data. In hindsight I suppose the explicit AccessDenied (instead of a timeout) should have been a clue that I was able to reach the database just not able to do anything with it.

    After digging in I discovered these two things are very different:

    • AmazonRDSFullAccess
    • AmazonRDSDataFullAccess

    If you want to use the data api, you have to have the AmazonRDSDataFullAccess (or similar) policy. AmazonRDSFullAccess is not a superset of the AmazonRDSDataFullAccess permissions as one might assume. (If you look at the json for the AmazonRDSFullAccess policy you'll notice the permissions cover rds:* while the other policy covers rds-data:*, so apparently these are just different permissions spaces entirely)

    TLDR: Use the AmazonRDSDataFullAccess policy (or similar) to access the data api. AmazonRDSFullAccess will not work.
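To make the "different permission spaces" point concrete, here is an added example (not code from the question or the answer) that evaluates simplified IAM policy documents the way IAM does for identity policies: explicit Deny wins, otherwise any matching Allow, otherwise implicit deny, which is the outcome that surfaces as the 403 AccessDeniedException. The two managed policies are abbreviated stand-ins, not the real AWS documents, and the cluster and secret ARNs are hypothetical placeholders; the third policy is a least-privilege alternative to AmazonRDSDataFullAccess scoped to one cluster and one secret.

```python
import re

def _pattern_matches(pattern: str, value: str, ignore_case: bool) -> bool:
    """IAM-style glob: '*' matches any run of characters, '?' exactly one.
    Action names compare case-insensitively; resource ARNs are case-sensitive."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, flags=re.IGNORECASE if ignore_case else 0) is not None

def _as_list(v):
    return v if isinstance(v, list) else [v]

def evaluate(policy: dict, action: str, resource: str) -> str:
    """Simplified identity-policy evaluation (no conditions, no resource policies):
    returns 'explicit-deny', 'allow', or 'implicit-deny' (what AWS reports as 403)."""
    decision = "implicit-deny"
    for stmt in policy["Statement"]:
        hit = (any(_pattern_matches(a, action, True) for a in _as_list(stmt["Action"]))
               and any(_pattern_matches(r, resource, False) for r in _as_list(stmt["Resource"])))
        if not hit:
            continue
        if stmt["Effect"] == "Deny":
            return "explicit-deny"
        decision = "allow"
    return decision

# Constructed, abbreviated stand-ins for the two managed policies the answer contrasts;
# only the Action namespaces that matter here, not the real AWS policy documents.
RDS_FULL_ACCESS = {"Statement": [{"Effect": "Allow", "Action": "rds:*", "Resource": "*"}]}
RDS_DATA_FULL_ACCESS = {"Statement": [{"Effect": "Allow", "Resource": "*",
                                       "Action": ["rds-data:*", "secretsmanager:GetSecretValue"]}]}

# Hypothetical placeholder ARNs (account, region and names are made up).
CLUSTER_ARN = "arn:aws:rds:us-east-1:123456789012:cluster:example-cluster"
SECRET_ARN = "arn:aws:secretsmanager:us-east-1:123456789012:secret:example-db-secret-AbCdEf"

# What a Lambda actually needs for Data API queries, scoped to one cluster and one secret
# instead of the wildcard resource in the managed policy.
LAMBDA_LEAST_PRIVILEGE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": CLUSTER_ARN,
     "Action": ["rds-data:ExecuteStatement", "rds-data:BatchExecuteStatement",
                "rds-data:BeginTransaction", "rds-data:CommitTransaction",
                "rds-data:RollbackTransaction"]},
    {"Effect": "Allow", "Action": "secretsmanager:GetSecretValue", "Resource": SECRET_ARN},
]}

def data_api_check(policy: dict, cluster_arn: str, secret_arn: str) -> dict:
    """Decision for the two calls a Data API query depends on: the statement itself
    and the secret lookup that supplies the database credentials."""
    return {"rds-data:ExecuteStatement": evaluate(policy, "rds-data:ExecuteStatement", cluster_arn),
            "secretsmanager:GetSecretValue": evaluate(policy, "secretsmanager:GetSecretValue", secret_arn)}

if __name__ == "__main__":
    for name, pol in [("rds:* only", RDS_FULL_ACCESS), ("rds-data:*", RDS_DATA_FULL_ACCESS),
                      ("least privilege", LAMBDA_LEAST_PRIVILEGE)]:
        print(f"{name:16} {data_api_check(pol, CLUSTER_ARN, SECRET_ARN)}")
```

Running it shows that `rds:*` never matches an `rds-data:` action, so the Lambda is implicitly denied even though it can reach the cluster.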