Connecting to a DB instance running the MySQL database engine - Amazon Relational Database Service

Connecting to a DB instance running the MySQL database engine

Before you can connect to a DB instance running the MySQL database engine, you must create a DB instance. For information, see Creating an Amazon RDS DB instance. After Amazon RDS provisions your DB instance, you can use any standard MySQL client application or utility to connect to the instance. In the connection string, you specify the DNS address from the DB instance endpoint as the host parameter, and specify the port number from the DB instance endpoint as the port parameter.

To authenticate to your RDS DB instance, you can use one of the authentication methods for MySQL and AWS Identity and Access Management (IAM) database authentication:

You can connect to a MySQL DB instance by using tools like the MySQL command-line client. For more information on using the MySQL command-line client, see mysql - the MySQL command-line client in the MySQL documentation. One GUI-based application you can use to connect is MySQL Workbench. For more information, see the Download MySQL Workbench page. For information about installing MySQL (including the MySQL command-line client), see Installing and upgrading MySQL.

Most Linux distributions include the MariaDB client instead of the Oracle MySQL client. To install the MySQL command-line client on most RPM-based Linux distributions, including Amazon Linux 2, run the following command:

yum install mariadb

To install the MySQL command-line client on most DEB-based Linux distributions, run the following command:

apt-get install mariadb-client

To check the version of your MySQL command-line client, run the following command:

mysql --version

To read the MySQL documentation for your current client version, run the following command:

man mysql

To connect to a DB instance from outside of its Amazon VPC, the DB instance must be publicly accessible, access must be granted using the inbound rules of the DB instance's security group, and other requirements must be met. For more information, see Can't connect to Amazon RDS DB instance.

You can use Secure Sockets Layer (SSL) encryption on connections to a MySQL DB instance. For information, see Using SSL with a MySQL DB instance. If you are using AWS Identity and Access Management (IAM) database authentication, make sure to use an SSL connection. For information, see IAM database authentication for MySQL and PostgreSQL.

You can also connect to a DB instance from a web server. For more information, see Tutorial: Create a web server and an Amazon RDS DB instance.

Note

For information on connecting to a MariaDB DB instance, see Connecting to a DB instance running the MariaDB database engine.

Finding the connection information for a MySQL DB instance

The connection information for a DB instance includes its endpoint, port, and a valid database user, such as the master user. For example, suppose that an endpoint value is mydb.123456789012.us-east-1.rds.amazonaws.com. In this case, the port value is 3306, and the database user is admin. Given this information, you specify the following values in a connection string:

  • For host or host name or DNS name, specify mydb.123456789012.us-east-1.rds.amazonaws.com.

  • For port, specify 3306.

  • For user, specify admin.

To connect to a DB instance, use any client for the MySQL DB engine. For example, you might use the MySQL command-line client or MySQL Workbench.

To find the connection information for a DB instance, you can use the AWS Management Console, the AWS CLI describe-db-instances command, or the Amazon RDS API DescribeDBInstances operation to list its details.

To find the connection information for a DB instance in the AWS Management Console

  1. Sign in to the AWS Management Console and open the Amazon RDS console at https://console.aws.amazon.com/rds/.

  2. In the navigation pane, choose Databases to display a list of your DB instances.

  3. Choose the name of the MySQL DB instance to display its details.

  4. On the Connectivity & security tab, copy the endpoint. Also, note the port number. You need both the endpoint and the port number to connect to the DB instance.

    
    Figure: The endpoint and port of a DB instance

  5. If you need to find the master user name, choose the Configuration tab and view the Master username value.

To find the connection information for a MySQL DB instance by using the AWS CLI, call the describe-db-instances command. In the call, query for the DB instance ID, endpoint, port, and master user name.

For Linux, macOS, or Unix:

aws rds describe-db-instances \
    --filters "Name=engine,Values=mysql" \
    --query "*[].[DBInstanceIdentifier,Endpoint.Address,Endpoint.Port,MasterUsername]"

For Windows:

aws rds describe-db-instances ^
    --filters "Name=engine,Values=mysql" ^
    --query "*[].[DBInstanceIdentifier,Endpoint.Address,Endpoint.Port,MasterUsername]"

Your output should be similar to the following.

[
    [
        "mydb1",
        "mydb1.123456789012.us-east-1.rds.amazonaws.com",
        3306,
        "admin"
    ],
    [
        "mydb2",
        "mydb2.123456789012.us-east-1.rds.amazonaws.com",
        3306,
        "admin"
    ]
]

To find the connection information for a DB instance by using the Amazon RDS API, call the DescribeDBInstances operation. In the output, find the values for the endpoint address, endpoint port, and master user name.

Connecting from the MySQL command-line client (unencrypted)

Important

Only use an unencrypted MySQL connection when the client and server are in the same VPC and the network is trusted. For information about using encrypted connections, see Connecting from the MySQL command-line client with SSL (encrypted).

To connect to a DB instance using the MySQL command-line client, enter the following command at a command prompt. For the -h parameter, substitute the DNS name (endpoint) for your DB instance. For the -P parameter, substitute the port for your DB instance. For the -u parameter, substitute the user name of a valid database user, such as the master user. Enter the master user password when prompted.

mysql -h mysql-instance1.123456789012.us-east-1.rds.amazonaws.com -P 3306 -u mymasteruser -p

After you enter the password for the user, you should see output similar to the following.

Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 350
Server version: 5.6.40-log MySQL Community Server (GPL)

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql>

Connecting from the MySQL command-line client with SSL (encrypted)

Amazon RDS creates an SSL certificate for your DB instance when the instance is created. The SSL certificate includes the DB instance endpoint as the Common Name (CN), so enabling SSL certificate verification guards against spoofing attacks. To connect to your DB instance using SSL, you can use native password authentication or IAM database authentication. To connect to your DB instance using IAM database authentication, see IAM database authentication for MySQL and PostgreSQL. To connect to your DB instance using native password authentication, follow these steps:

To connect to a DB instance with SSL using the MySQL command-line client

  1. Download a root certificate that works for all AWS Regions.

    For information about downloading certificates, see Using SSL/TLS to encrypt a connection to a DB instance.

  2. Enter the following command at a command prompt to connect to a DB instance with SSL using the MySQL command-line client. For the -h parameter, substitute the DNS name (endpoint) for your DB instance. For the --ssl-ca parameter, substitute the SSL certificate file name as appropriate. For the -P parameter, substitute the port for your DB instance. For the -u parameter, substitute the user name of a valid database user, such as the master user. Enter the master user password when prompted.

    mysql -h mysql-instance1.123456789012.us-east-1.rds.amazonaws.com --ssl-ca=global-bundle.pem -P 3306 -u mymasteruser -p

  3. You can require that the SSL connection verifies the DB instance endpoint against the endpoint in the SSL certificate.

    For MySQL 5.7 and later:

    mysql -h mysql-instance1.123456789012.us-east-1.rds.amazonaws.com --ssl-ca=global-bundle.pem --ssl-mode=VERIFY_IDENTITY -P 3306 -u mymasteruser -p

    For MySQL 5.6 and earlier:

    mysql -h mysql-instance1.123456789012.us-east-1.rds.amazonaws.com --ssl-ca=global-bundle.pem --ssl-verify-server-cert -P 3306 -u mymasteruser -p

  4. Enter the master user password when prompted.

You will see output similar to the following.

Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 350
Server version: 5.6.40-log MySQL Community Server (GPL)

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql>
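
The choice between the two step 3 commands, plus a check that the session is actually encrypted, as an added example (not AWS code): verify_flag picks the verification option from the output of mysql --version, and session_is_encrypted tests the Ssl_cipher status value. The function names, the constructed sample banners, and the treatment of MariaDB clients are assumptions of this example; it reads the version in step 3 as the client version, because both options are client options.

```shell
#!/usr/bin/env bash
# Added example (not AWS code): choose the step 3 verification flag from the
# client banner, then confirm the session really negotiated TLS.

# Print the endpoint-verification flag for one `mysql --version` line.
verify_flag() {
  local banner ver major minor
  banner=$1
  # Assumption: MariaDB clients take --ssl-verify-server-cert, not --ssl-mode.
  case $banner in *MariaDB*) echo "--ssl-verify-server-cert"; return 0 ;; esac
  # Older banners put the release after "Distrib"; 8.x banners after "Ver".
  ver=$(printf '%s\n' "$banner" | sed -n 's/.*Distrib \([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p')
  [ -n "$ver" ] || ver=$(printf '%s\n' "$banner" | sed -n 's/.*Ver \([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p')
  [ -n "$ver" ] || { echo "unrecognized client banner" >&2; return 1; }
  major=${ver%%.*}
  minor=${ver#*.}
  if [ "$major" -gt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -ge 7 ]; }; then
    echo "--ssl-mode=VERIFY_IDENTITY"
  else
    echo "--ssl-verify-server-cert"
  fi
}

# Succeed only if the tab-separated Ssl_cipher status row names a cipher.
# An empty value means the session is not encrypted.
session_is_encrypted() {
  printf '%s\n' "$1" |
    awk -F '\t' '$1 == "Ssl_cipher" && $2 != "" { ok = 1 } END { exit !ok }'
}

# Connect with verification and check the session.
# Arguments: endpoint, port, user, CA bundle path (all supplied by the caller).
check_session() {
  local flag out
  flag=$(verify_flag "$(mysql --version)") || return 1
  out=$(mysql -h "$1" -P "$2" -u "$3" --ssl-ca="$4" "$flag" -p \
    --batch --skip-column-names \
    -e "SHOW SESSION STATUS LIKE 'Ssl_cipher'") || return 1
  session_is_encrypted "$out"
}

# Constructed banners (sample values) to show the selection offline.
for b in \
  "mysql  Ver 8.0.36 for Linux on x86_64 (MySQL Community Server - GPL)" \
  "mysql  Ver 14.14 Distrib 5.6.40, for Linux (x86_64)" \
  "mysql  Ver 15.1 Distrib 10.5.23-MariaDB, for Linux (x86_64)"; do
  printf '%s -> %s\n' "$b" "$(verify_flag "$b")"
done
```

check_session is defined but not called here; run it with your own endpoint, port, user name, and certificate bundle, and treat a non-zero exit status as a failed or unencrypted connection.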

Connecting from MySQL Workbench

To connect from MySQL Workbench

  1. Download and install MySQL Workbench at Download MySQL Workbench.

  2. Open MySQL Workbench.

    
    Figure: MySQL Workbench

  3. From Database, choose Manage Connections.

  4. In the Manage Server Connections window, choose New.

  5. In the Connect to Database window, enter the following information:

    • Stored Connection – Enter a name for the connection, such as MyDB.

    • Hostname – Enter the DB instance endpoint.

    • Port – Enter the port used by the DB instance.

    • Username – Enter the user name of a valid database user, such as the master user.

    • Password – Optionally, choose Store in Vault and then enter and save the password for the user.

    The window looks similar to the following:

    
    Figure: MySQL Workbench Connection window

    You can use the features of MySQL Workbench to customize connections. For example, you can use the SSL tab to configure SSL connections. For information about using MySQL Workbench, see the MySQL Workbench documentation.

  6. Optionally, choose Test Connection to confirm that the connection to the DB instance is successful.

  7. Choose Close.

  8. From Database, choose Connect to Database.

  9. From Stored Connection, choose your connection.

  10. Choose OK.

Troubleshooting connections to your MySQL DB instance

Two common causes of connection failures to a new DB instance are:

  • The DB instance was created using a security group that doesn't authorize connections from the device or Amazon EC2 instance where the MySQL application or utility is running. If the DB instance was created in a VPC, it must have a VPC security group that authorizes the connections. For more information, see Amazon Virtual Private Cloud VPCs and Amazon RDS.

    You can add or edit an inbound rule in the security group. For Source, choose My IP. This allows access to the DB instance from the IP address detected in your browser.

    If the DB instance was created outside of a VPC, it must have a DB security group that authorizes the connections.

  • The DB instance was created using the default port of 3306, and your company has firewall rules blocking connections to that port from devices in your company network. To fix this failure, recreate the instance with a different port.

For more information on connection issues, see Can't connect to Amazon RDS DB instance.