Error: connect ETIMEDOUT rds lambda

Posted 2020-03-09 15:01

I am trying to connect to RDS using Lambda function, but I am getting an error:

var mysql = require('mysql');

exports.handler = function(event, context) {
    // Connect to RDS
    var connection = mysql.createConnection({
        host     : 'hostname',
        user     : 'username',
        password : 'password',
        database : 'database'
    });

    connection.connect(function(err) {
        if (err) {
            throw err;
        } else {
            console.log('DB connection establish');
        }
    });
};

The error I am getting is:

START RequestId: 9711e650-e582-11e5-af5f-97ba391a42ae Version: $LATEST
2016-03-08T23:08:06.737Z    9711e650-e582-11e5-af5f-97ba391a42ae    Error: connect ETIMEDOUT
    at Connection._handleConnectTimeout (/var/task/node_modules/mysql/lib/Connection.js:412:13)
    at Socket.g (events.js:180:16)
    at Socket.emit (events.js:92:17)
    at Socket._onTimeout (net.js:327:8)
    at _makeTimerTimeout (timers.js:429:11)
    at Timer.unrefTimeout [as ontimeout] (timers.js:493:5)
    --------------------
    at Protocol._enqueue (/var/task/node_modules/mysql/lib/protocol/Protocol.js:141:48)
    at Protocol.handshake (/var/task/node_modules/mysql/lib/protocol/Protocol.js:52:41)
    at Connection.connect (/var/task/node_modules/mysql/lib/Connection.js:123:18)
    at exports.handler (/var/task/exports.js:21:12)
END RequestId: 9711e650-e582-11e5-af5f-97ba391a42ae
REPORT RequestId: 9711e650-e582-11e5-af5f-97ba391a42ae    Duration: 10988.17ms
Process exited before completing request

4 answers
SAY GOODBYE
#2 · 2020-03-09 15:34

I had the same issue and found your entry while googling, but now I have solved it. Sadly, I am not entirely sure which action actually solved it, but check:

  • If you don't make use of VPCs see if it works with a publicly accessible RDS, at least for testing purposes
  • Grant your Role (for example lambda_basic_execution) AmazonRDSFullAccess within the Identity and Access Management area
  • Within the RDS Overview of your DB instance, you can click on the chosen security group(s) to edit them: in the following window you can specify inbound and outbound traffic rules. In my working example, I allowed all traffic from all ports and all IPs (0.0.0.0/0) for both ways. Of course this is not a secure solution but regarding your example I guess that you are - like me - just getting into AWS and trying to build working examples first. You can always edit those rules later to gradually limit the traffic. I did this to test my access to the RDS via my own computer at first

I made it work without setting VPC options or API endpoints in the lambda function and established a connection via

exports.handler = function(event, context) {
    var mysql      = require('mysql');
    var connection = mysql.createConnection({
        host     : 'hostwithoutport',
        user     : 'user',
        password : 'password',
        database : 'database'
    });

    connection.query('SELECT * FROM Xy WHERE ID = "1"', function(err, rows) {
        if (err) {
            console.error('error connecting: ' + err.stack);
            context.fail();
            return;
        }

        console.log('connected as id ' + connection.threadId);
        context.succeed(rows);
    });
};

You can also do it differently, but keep in mind to always succeed and fail (or done) a lambda function, preferably within an if clause after the statement. Otherwise you might get problems due to the lambda function succeeding before the query can determine the results, and you do not get a proper result. If you don't end the lambda function in some way, the function itself will time out, which will however look different.

Also remember to always end connections, this is implied by directly using a query - this method connects and ends by itself. According to what I read in a different thread, this problem could theoretically also occur due to a still open connection you once invoked.

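A handler that ends the connection explicitly and reports which kind of failure occurred, so that `ETIMEDOUT` (a network path problem) is not confused with a login problem. This is an added example, not code from the question or the answer; `makeHandler`, `classify` and the `DB_*` environment variable names are assumptions, and the callback-style handler signature is assumed to be supported by the runtime in use.

```javascript
// Added example. `mysql` is injected so the handler can be exercised offline;
// in Lambda, wire it up with: exports.handler = makeHandler(require('mysql'));
// The DB_* environment variable names are assumptions.
function classify(err) {
  switch (err.code) {
    case 'ETIMEDOUT':    // packets silently dropped: security group, subnet or VPC placement
      return 'network: no reply from the endpoint';
    case 'ECONNREFUSED': // host answered, nothing listening on that port
      return 'network: connection refused';
    case 'ENOTFOUND':    // endpoint name did not resolve
      return 'dns: unknown host';
    case 'ER_ACCESS_DENIED_ERROR': // TCP path works, MySQL rejected the login
      return 'auth: access denied';
    default:
      return 'other: ' + err.code;
  }
}

function makeHandler(mysql, env = process.env) {
  return function handler(event, context, callback) {
    const connection = mysql.createConnection({
      host: env.DB_HOST,
      user: env.DB_USER,
      password: env.DB_PASSWORD,
      database: env.DB_NAME,
      connectTimeout: 3000, // module default is 10000 ms, close to the Duration in the log above
    });
    // query() connects implicitly; the ? placeholder keeps event data out of the SQL text
    connection.query('SELECT * FROM Xy WHERE ID = ?', [event.id], function (err, rows) {
      if (err) {
        connection.destroy();        // fatal error: just drop the socket
        return callback(new Error(classify(err)));
      }
      connection.end(function () {   // close cleanly, then finish the invocation
        callback(null, rows);
      });
    });
  };
}
```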
Evening l夕情丶
#3 · 2020-03-09 15:45

I had the same problem as this and just got it fixed. Seeing as this is the top search result for this problem on stackoverflow, I am going to post my solution here.

This answer is for an RDS instance inside a VPC

  1. Place the Lambda function in the same VPC as your RDS instance.
  2. Your Lambda execution role will need to have the VPC execution policy AWSLambdaVPCAccessExecutionRole.
  3. Assign a security group to the Lambda function.
  4. In the security group attached to the RDS instance, add an inbound rule for MySQL/Aurora (port 3306) and, rather than adding it for an IP address, add it for your Lambda function's security group.

In summary this places the lambda in the same VPC as RDS and gives the lambda function inbound access to MYSQL regardless of the IP of the lambda function.

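The inbound-rule layouts that come up in this thread (all traffic from 0.0.0.0/0, a rule pinned to one IP address, a rule whose source is the Lambda function's security group) can be told apart in code. This is an added example, not part of any answer: `auditDbIngress` is a hypothetical helper, the rule objects use the `IpPermissions` shape returned by EC2 `DescribeSecurityGroups`, and every group ID and CIDR below is a constructed sample value.

```javascript
// Added example; group IDs and CIDRs are constructed sample values.
// Rule objects use the IpPermissions shape of EC2 DescribeSecurityGroups.
const WORLD = new Set(['0.0.0.0/0', '::/0']);

function coversPort(rule, port) {
  if (rule.IpProtocol === '-1') return true; // "all traffic": no port fields
  return rule.IpProtocol === 'tcp' && rule.FromPort <= port && port <= rule.ToPort;
}

function auditDbIngress(ipPermissions, lambdaSgId, port = 3306) {
  const out = { openToWorld: false, cidrs: [], lambdaSgAllowed: false };
  for (const rule of ipPermissions.filter((r) => coversPort(r, port))) {
    const cidrs = [
      ...(rule.IpRanges || []).map((r) => r.CidrIp),
      ...(rule.Ipv6Ranges || []).map((r) => r.CidrIpv6),
    ];
    for (const cidr of cidrs) {
      if (WORLD.has(cidr)) out.openToWorld = true;
      else out.cidrs.push(cidr);
    }
    if ((rule.UserIdGroupPairs || []).some((p) => p.GroupId === lambdaSgId)) {
      out.lambdaSgAllowed = true;
    }
  }
  if (out.openToWorld) out.verdict = 'exposed';         // connects, but so can any address
  else if (out.lambdaSgAllowed) out.verdict = 'scoped'; // source is the Lambda's security group
  else if (out.cidrs.length) out.verdict = 'ip-pinned'; // only works if the Lambda's address is in range
  else out.verdict = 'no-access';                       // packets dropped: client sees ETIMEDOUT
  return out;
}

const LAMBDA_SG = 'sg-0aaaaaaaaaaaaaaaa'; // constructed
const samples = {
  testing: [{ IpProtocol: '-1', IpRanges: [{ CidrIp: '0.0.0.0/0' }] }],
  pinned: [{ IpProtocol: 'tcp', FromPort: 3306, ToPort: 3306,
    IpRanges: [{ CidrIp: '203.0.113.10/32' }] }],
  scoped: [{ IpProtocol: 'tcp', FromPort: 3306, ToPort: 3306,
    UserIdGroupPairs: [{ GroupId: LAMBDA_SG }] }],
  wrongPort: [{ IpProtocol: 'tcp', FromPort: 22, ToPort: 22,
    UserIdGroupPairs: [{ GroupId: LAMBDA_SG }] }],
};

for (const [name, rules] of Object.entries(samples)) {
  console.log(name, auditDbIngress(rules, LAMBDA_SG).verdict);
}
```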
老娘就宠你
#4 · 2020-03-09 15:52

I would like to complement ajmcgarry's answer, as it took me some extra work to find what I needed in order to solve this problem:

  1. Yes, you need to create a special role for Lambda to access and control the VPC; follow this page's instructions: https://docs.aws.amazon.com/lambda/latest/dg/vpc-rds-create-iam-role.html
  2. Once this new role is assigned to your Lambda, you need to use the same VPC where your RDS instance is running.
  3. You need to use the same Security Group in your Lambda function. First, in your RDS instance, find the Security Group, modify it & add inbound rules to access the DB port from everywhere for testing purposes.
  4. Assign the Security Group that you have just modified to your Lambda function

Do you need visual instructions? This video is not too long and even if it is for Python, the instructions apply to this case: https://www.youtube.com/watch?v=-CoL5oN1RzQ

▲ chillily
#5 · 2020-03-09 15:57

With me it was simply that the security role of the RDS was limiting the incoming connection to my IP address, so naturally I was able to connect from my local machine but my lambda function couldn't. Once I opened it to public (like Scherwin wrote, it's not ideal but works for testing and playing around) and redeployed my lambda function (yeah, I had to redeploy the same code, not sure how that affected it), my lambda function was able to connect.

I did not need to include my lambda in the same VPC because my database is publicly accessible.

I did not need to modify or add any security roles to my lambda.
