问题
Would like to inform upfront that I am new to AWS in general. For my project I am trying to use AWS RDS MySQL using IAM Authentication (IAM Role) from a Java application deployed on Tomcat on an EC2 instance. Before trying it from Java I am trying it from the command prompt on the EC2 instance. I am following this link to do it:
https://aws.amazon.com/premiumsupport/knowledge-center/users-connect-rds-iam/
I have done the following so far (please pardon if I am not using correct terminologies):
- MySQL using AWS RDS
- Enabled IAM Authentication on my MySQL instance
- Created IAM Role for EC2
Created an inline policy for the above IAM Role and granted required "Action". Also included the "Resources" (my database's endpoint with username), as below:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "rds-db:connect" ], "Resource": [ "arn:aws:rds-db:<my-region>:<my-account-id>:dbuser:<my-db-resource-id>/<my-db-username>" ] } ] }Assigned this IAM Role to an EC2 instance I have created
I followed everything given in the link at the top and everything seem to work except for the last command.
As in the link I created DB user as below:
CREATE USER dev_user IDENTIFIED WITH AWSAuthenticationPlugin as 'RDS';
The last command in the link that is not working is:
mysql -h {db or cluser endpoint} --ssl-ca={certificate file name with complete path} --ssl-verify-server-cert -u {dbusername2} -p"{authenticationtoken}" --enable-cleartext-plugin
Every time I run this command it asks for the password and then I am getting an error. I am at a loss on how to resolve it.
In the above mysql command if I pass my master user-id (I created it as 'admin') and enter it's password I get an error like this:
[ec2-user@ip-xxx-xx-xx-16 ~]$ mysql -h <endpoint of my RDS DB instance> --ssl-ca=rds-combined-ca-bundle.pem --ssl-verify-server-cert -u admin -p 'aws rds generate-db-auth-token --hostname <endpoint of my RDS DB instance> --port 3306 --username dev_user' --enable-cleartext-plugin
Enter password: ERROR 1059 (42000): Identifier name 'aws rds generate-db-auth-token --hostname --port' is too long
And if in the same command I provide the above created DB user (dev_user). I get the following error if provide "dev_user" as user in the command and whether I enter a password or not. [In this case, the above link did not set a password so what should I do when it asks to enter the password?]:
[ec2-user@ip-xxx-xx-xx-16 ~]$ mysql -h <endpoint of my RDS DB instance> --ssl-ca=rds-combined-ca-bundle.pem --ssl-verify-server-cert -u dev_user -p 'aws rds generate-db-auth-token --hostname <endpoint of my RDS DB instance> --port 3306 --username dev_user' --enable-cleartext-plugin
Enter password: ERROR 1045 (28000): Access denied for user 'dev_user'@'xxx.xx.xx.16' (using password: YES)
I get the same "Access denied..." error when I enter "admin" in both places in the command above.
Any help will be highly appreciated.
Thank you.
回答1:
First of all, there shouldn't be space after -p parameter.
Second, if you want to execute aws rds generate-db-auth-token... inline, it should be marked with ticks, not single quotes.
mysql -h <endpoint of my RDS DB instance> --ssl-ca=rds-combined-ca-bundle.pem --ssl-verify-server-cert -u dev_user -p`aws rds generate-db-auth-token --hostname <endpoint of my RDS DB instance> --port 3306 --username dev_user` --enable-cleartext-plugin
来源:https://stackoverflow.com/questions/50383753/aws-rds-mysql-connection-using-iam-role-is-not-working