IAM Database Authentication - How to use the token created by the CLI

I am following http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.html for authentication from EC2 to RDS. I can run the command generate-db-auth-token to get the token, but I'm not sure what to do with it after that (the instructions inexplicably end).

I tried just passing the entire string (as well as the logical substrings of the returned fields) as the mysql client connection password, but this does not seem to work.

The returned token has the following form: {instance identifier}.{region}.rds.amazonaws.com:3306/?Action=connect&DBUser={auth db username}&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=900&X-Amz-Date=20170622T221608Z&X-Amz-SignedHeaders=host&X-Amz-Security-Token={super long, web-escaped string containing special characters}&X-Amz-Credential={some shorter, web-escaped string containing special characters}&X-Amz-Signature={some long string of alphanumeric characters}

Any help is greatly appreciated.

+4

, php CLI, .

, "Access Denied", , :

$ mysql -u iam_user -h iamtest.xxxxxxxxxxxx.ap-northeast-1.rds.amazonaws.com \
--password=`aws rds generate-db-auth-token --hostname iamtest.xxxxxxxxxxxx.ap-northeast-1.rds.amazonaws.com \
--port 3306 \
--username iam_user \
--region ap-northeast-1` \
--ssl-ca=/Users/hoge/rds-combined-ca-bundle.pem \
--enable-cleartext-plugin

Update: , .

+3

, (, )

1: http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html ( Cert https://s3.amazonaws.com/rds-downloads/rds-combined-ca-bundle.pem)

2: As root on the RDS instance (http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.html), create the user mydbuser with the AWSAuthenticationPlugin: CREATE USER mydbuser IDENTIFIED WITH AWSAuthenticationPlugin AS 'RDS';

3. , ~/.aws/credentials ~/.aws/profile mydbuser.

4. / http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.html

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "rds-db:connect"
      ],
      "Resource": [
        "arn:aws:rds-db:us-west-2:12345678:dbuser:*/mydbuser"
      ]
    }
  ]
}

5:

mysql -u mydbuser -h dbinstance.us-west-2.rds.amazonaws.com --password=`aws --profile mydbuser rds generate-db-auth-token --hostname dbinstance.us-west-2.rds.amazonaws.com --port 3306 --region us-west-2 --username mydbuser` --ssl-ca=/path/to/rds-combined-ca-bundle.pem --enable-cleartext-plugin

+2
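An added example (not from the question or either answer) showing what the string printed by `aws rds generate-db-auth-token` actually is and how it is consumed: the whole string is the password. The Python below, written for this page, parses a token of the shape quoted in the question, computes when it stops being accepted (X-Amz-Date plus X-Amz-Expires seconds, i.e. 15 minutes), and builds the argv for the mysql client equivalent to the commands in both answers. The sample token and the helper names are constructed for the example; the security token, credential and signature values are dummies, not real credentials.

```python
"""Inspect an RDS IAM auth token and build a mysql client invocation from it.

Added example, not code from the original post. The token is the full string
that `aws rds generate-db-auth-token` prints (a SigV4 presigned request without
the scheme); it is passed unchanged as the MySQL password together with
--enable-cleartext-plugin and --ssl-ca. All names and the sample token below
are constructed for this example.
"""
from datetime import datetime, timedelta, timezone
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Constructed sample token mirroring the shape quoted in the question.
# Security token, credential and signature are dummy values, not real secrets.
SAMPLE_TOKEN = (
    "mydb.us-west-2.rds.amazonaws.com:3306/?Action=connect"
    "&DBUser=mydbuser"
    "&X-Amz-Algorithm=AWS4-HMAC-SHA256"
    "&X-Amz-Expires=900"
    "&X-Amz-Date=20170622T221608Z"
    "&X-Amz-SignedHeaders=host"
    "&X-Amz-Security-Token=FQoDYXdzEXAMPLE%2F%2F%2F%2F%3D%3D"
    "&X-Amz-Credential=AKIAIOSFODNN7EXAMPLE%2F20170622%2Fus-west-2%2Frds-db%2Faws4_request"
    "&X-Amz-Signature=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
)


def parse_db_auth_token(token: str) -> dict:
    """Split the token into host, port and its query parameters.

    The token has no scheme, so one is prepended before urlsplit; every query
    value is single-valued, so the lists parse_qs returns are flattened.
    """
    parts = urlsplit("https://" + token)
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    required = {"Action", "DBUser", "X-Amz-Date", "X-Amz-Expires", "X-Amz-Signature"}
    missing = required - query.keys()
    if missing or query.get("Action") != "connect":
        raise ValueError(f"not an RDS IAM auth token, missing {sorted(missing)}")
    return {"host": parts.hostname, "port": parts.port, **query}


def token_expiry(info: dict) -> datetime:
    """A token is accepted for X-Amz-Expires seconds (900) after X-Amz-Date."""
    signed_at = datetime.strptime(info["X-Amz-Date"], "%Y%m%dT%H%M%SZ")
    signed_at = signed_at.replace(tzinfo=timezone.utc)
    return signed_at + timedelta(seconds=int(info["X-Amz-Expires"]))


def token_is_usable(token: str, now: Optional[datetime] = None) -> bool:
    """False once the 15-minute window has passed: generate a token per connection."""
    now = now or datetime.now(timezone.utc)
    return now < token_expiry(parse_db_auth_token(token))


def mysql_argv(token: str, ssl_ca: str) -> list:
    """argv for the mysql client, equivalent to the command in the answers.

    Handing the token over as an argv element (no shell) avoids any quoting
    trouble with the '&' and '=' characters it contains. The client needs
    --enable-cleartext-plugin because the server-side AWSAuthenticationPlugin
    receives the token as-is; IAM authentication requires an SSL/TLS
    connection, hence --ssl-ca with the RDS CA bundle.
    """
    info = parse_db_auth_token(token)
    return [
        "mysql",
        "--host", info["host"],
        "--port", str(info["port"]),
        "--user", info["DBUser"],
        f"--password={token}",
        f"--ssl-ca={ssl_ca}",
        "--enable-cleartext-plugin",
    ]


if __name__ == "__main__":
    info = parse_db_auth_token(SAMPLE_TOKEN)
    print(info["host"], info["port"], info["DBUser"], token_expiry(info).isoformat())
    print("usable now:", token_is_usable(SAMPLE_TOKEN))
    print(" ".join(mysql_argv(SAMPLE_TOKEN, "/path/to/rds-combined-ca-bundle.pem")))
```

In a real script the argv list goes straight to subprocess.run, or the token goes into a driver's password parameter (with the cleartext/SSL options the driver offers). A token older than 15 minutes is refused by the server exactly like a wrong password, so do not cache it between connections; regenerate it each time, as the backtick substitution in the answers does.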

Source: https://habr.com/ru/post/1679923/
