 

IAM Database Authentication - How to use CLI generated Token

I'm following http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.html in order to authenticate from an EC2 instance to RDS. I am able to run the generate-db-auth-token command to retrieve a token, but I'm not sure what to do with it after that (the instructions inexplicably end).

I've tried simply passing the regurgitated string (as well as logical substrings of the returned fields) as the password of a mysql client connection, but this doesn't seem to work.

The returned token is in the following form: {instance identifier}.{region}.rds.amazonaws.com:3306/?Action=connect&DBUser={auth db username}&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=900&X-Amz-Date=20170622T221608Z&X-Amz-SignedHeaders=host&X-Amz-Security-Token={super long, web-escaped string containing special characters}&X-Amz-Credential={some shorter, web-escaped string containing special characters}&X-Amz-Signature={some long string of alphanumeric characters}

Any help is greatly appreciated.

R. Glenn asked Jun 22 '17 22:06


2 Answers

I have the same issue. I'm using a PHP app and trying to use the CLI to make sure it's working before adding code modifications.

I found this way, but I still get 'Access Denied'; maybe it works for you:

$ mysql -u iam_user -h iamtest.xxxxxxxxxxxx.ap-northeast-1.rds.amazonaws.com \
--password=`aws rds generate-db-auth-token --hostname iamtest.xxxxxxxxxxxx.ap-northeast-1.rds.amazonaws.com \
--port 3306 \
--username iam_user \
--region ap-northeast-1` \
--ssl-ca=/Users/hoge/rds-combined-ca-bundle.pem \
--enable-cleartext-plugin

Update: This is working for me now, I had another issue with the role policy.

Safaa Selim answered Nov 09 '22 06:11


Adding more to the answer provided above (thank you, Safaa Selim).

Step 1: Get the cert from http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html (cert link: https://s3.amazonaws.com/rds-downloads/rds-combined-ca-bundle.pem)

Step 2: Add the user to the DB using the root account on RDS (http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.html):

CREATE USER mydbuser IDENTIFIED WITH AWSAuthenticationPlugin as 'RDS';

Step 3: Make sure you have ~/.aws/credentials and ~/.aws/profile with mydbuser

Step 4: Attach Policy to the User/Role from http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.html

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "rds-db:connect"
      ],
      "Resource": [
        "arn:aws:rds-db:us-west-2:12345678:dbuser:*/mydbuser"
      ]
    }
  ]
}

Step 5:

mysql -u mydbuser -h dbinstance.us-west-2.rds.amazonaws.com \
--password=`aws --profile=mydbuser rds generate-db-auth-token --hostname dbinstance.us-west-2.rds.amazonaws.com --port 3306 --region us-west-2 --username mydbuser` \
--ssl-ca=/path/to/rds-combined-ca-bundle.pem \
--enable-cleartext-plugin

psuhas answered Nov 09 '22 07:11
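Both answers above pass the CLI output straight into the mysql client's password. The following is an added example, not code from the question or from either answer, that does the same thing from Python (the direction Safaa Selim's PHP app would need) and, more usefully for the question as asked, pulls the token apart to show what it is: a SigV4-presigned request for rds-db:connect that is bound to one hostname and one DB user and expires 15 minutes after X-Amz-Date. The whole string, unchanged, is the password; no substring of it works. `token_problems` lists the client-side mistakes that also surface as 'Access denied' (wrong user, wrong host, stale token), so they can be ruled out before blaming the IAM policy. Assumptions: boto3 and PyMySQL 1.0 or newer are installed only when `connect()` is actually called (both are imported lazily); the sample token is constructed here with a fake signature and the hostname from the second answer.

```python
"""Generate, inspect and use an RDS IAM authentication token (added example)."""
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

MAX_TOKEN_LIFETIME = timedelta(minutes=15)  # RDS does not honour a longer X-Amz-Expires


def at(stamp: str) -> datetime:
    """Parse an X-Amz-Date style timestamp (YYYYMMDDTHHMMSSZ) as an aware UTC datetime."""
    return datetime.strptime(stamp, "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)


def generate_token(host: str, port: int, user: str, region: str) -> str:
    """Produce the same string `aws rds generate-db-auth-token` prints.

    Uses the caller's normal AWS credential chain (env, ~/.aws/*, instance role).
    boto3 is imported lazily so the offline helpers below run without it.
    """
    import boto3

    rds = boto3.client("rds", region_name=region)
    return rds.generate_db_auth_token(DBHostname=host, Port=port, DBUsername=user, Region=region)


def inspect_token(token: str) -> dict:
    """Split a token into its parts.

    The token is a presigned request, not a URL to fetch: the whole string,
    unchanged, is what goes into the password field of the MySQL connection.
    """
    parts = urlsplit("//" + token)  # the token has no scheme; '//' makes host:port the netloc
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    signed_at = at(q["X-Amz-Date"])
    return {
        "host": parts.hostname,  # urlsplit lower-cases the hostname
        "port": parts.port,
        "action": q.get("Action"),
        "db_user": q.get("DBUser"),
        "algorithm": q.get("X-Amz-Algorithm"),
        "credential": q.get("X-Amz-Credential"),  # access-key-id/date/region/rds-db/aws4_request
        "has_session_token": "X-Amz-Security-Token" in q,  # present for role or STS credentials
        "signed_at": signed_at,
        "expires_at": signed_at + timedelta(seconds=int(q["X-Amz-Expires"])),
    }


def token_problems(token: str, expected_host: str, expected_user: str, now=None) -> list:
    """Client-side reasons a token yields 'Access denied', independent of the IAM policy.

    Returns an empty list when the token is for the right host and user and is still valid.
    """
    now = now or datetime.now(timezone.utc)
    info = inspect_token(token)
    problems = []
    if info["action"] != "connect" or info["algorithm"] != "AWS4-HMAC-SHA256":
        problems.append("not an RDS IAM auth token (unexpected Action or X-Amz-Algorithm)")
    if info["host"] != expected_host.lower():
        problems.append(f"token signed for host {info['host']!r}, connecting to {expected_host!r}")
    if info["db_user"] != expected_user:
        problems.append(f"token DBUser {info['db_user']!r} does not match mysql -u {expected_user!r}")
    if info["expires_at"] - info["signed_at"] > MAX_TOKEN_LIFETIME:
        problems.append("X-Amz-Expires exceeds 15 minutes; RDS will reject it")
    if now >= info["expires_at"]:
        problems.append(f"token expired at {info['expires_at'].isoformat()}; generate a fresh one")
    elif info["signed_at"] > now + timedelta(minutes=5):
        problems.append("token signed in the future; check the client clock")
    return problems


def connect(host: str, port: int, user: str, region: str, ca_bundle: str):
    """Connect the way the mysql one-liners in the answers do, from Python.

    The token is sent as a cleartext password (mysql_clear_password), so TLS against
    the verified RDS CA bundle is mandatory. Assumes PyMySQL 1.0+ for the ssl_* keywords.
    """
    import pymysql

    token = generate_token(host, port, user, region)
    problems = token_problems(token, host, user)
    if problems:
        raise RuntimeError("; ".join(problems))
    return pymysql.connect(host=host, port=port, user=user, password=token,
                           ssl_ca=ca_bundle, ssl_verify_cert=True, ssl_verify_identity=True)


# Constructed sample shaped like the token in the question; the signature is fake.
SAMPLE_TOKEN = (
    "dbinstance.us-west-2.rds.amazonaws.com:3306/?Action=connect&DBUser=mydbuser"
    "&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=900&X-Amz-Date=20170622T221608Z"
    "&X-Amz-SignedHeaders=host"
    "&X-Amz-Credential=AKIAIOSFODNN7EXAMPLE%2F20170622%2Fus-west-2%2Frds-db%2Faws4_request"
    "&X-Amz-Signature=" + "ab" * 32
)

if __name__ == "__main__":
    info = inspect_token(SAMPLE_TOKEN)
    print(f"token for {info['db_user']}@{info['host']}:{info['port']}, valid until {info['expires_at']:%H:%M:%SZ}")
    print(token_problems(SAMPLE_TOKEN, info["host"], "iam_user", now=at("20170622T224000Z")))
```

When wiring the CLI form into a shell script, quote the substitution (`--password="$(aws rds generate-db-auth-token ...)"`) so the `&` and `%` characters in the token are never re-interpreted, and regenerate the token per connection attempt rather than caching it: anything older than 15 minutes fails with exactly the same 'Access denied' as a wrong policy.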