
RDS IAM authentication (aws-cli edition) [cloudpack Osaka blog]

Posted at 2017-04-27

This is Sasaki from cloudpack Osaka.

This post is about authenticating to RDS with IAM.
http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.html

For the basic setup, see here:
http://qiita.com/Pampus/items/18b45330b990927652fd

The token needed for authentication can now be obtained with aws-cli.

Update aws-cli.

$ sudo pip install -U awscli
$ aws --version
aws-cli/1.11.81 Python/2.7.12 Linux/4.9.17-8.31.amzn1.x86_64 botocore/1.5.44

The aws rds generate-db-auth-token command is now available.

NAME
       generate-db-auth-token -

DESCRIPTION
       Generates an auth token used to connect to a db with IAM credentials.

SYNOPSIS
            generate-db-auth-token
          --hostname <value>
          --port <value>
          --username <value>

OPTIONS
       --hostname (string) The hostname of the database to connect to.

       --port (integer) The port number the database is listening on.

       --username (string) The username to log in as.

Running it issues a token.

$ aws rds generate-db-auth-token --hostname test.xxxxxxxxxx.ap-northeast-1.rds.amazonaws.com --port 3306 --username testuser --region ap-northeast-1
test.xxxxxxxxxx.ap-northeast-1.rds.amazonaws.com:3306/?Action=connect&DBUser=testuser&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=900&X-Amz-Date=20170427T134947Z&X-Amz-SignedHeaders=host&X-Amz-Security-Token=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx&X-Amz-Credential=xxxxxxxxxxxxxxxxxxxxxx2Faws4_request&X-Amz-Signature=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Connect using this token as the password.

$ mysql -u testuser -h test.xxxxxxxxxxxx.ap-northeast-1.rds.amazonaws.com -p`aws rds generate-db-auth-token --hostname test.xxxxxxxxxxxx.ap-northeast-1.rds.amazonaws.com --port 3306 --username testuser --region ap-northeast-1` --ssl-ca=rds-combined-ca-bundle.pem
ERROR 2059 (HY000): Authentication plugin 'mysql_clear_password' cannot be loaded: plugin not enabled

Hmm?

Apparently you need an option called --enable-cleartext-plugin.
https://dev.mysql.com/doc/refman/5.6/ja/cleartext-authentication-plugin.html

$ mysql -u testuser -h test.xxxxxxxxxxx.ap-northeast-1.rds.amazonaws.com -p`aws rds generate-db-auth-token --hostname test.xxxxxxxxxx.ap-northeast-1.rds.amazonaws.com --port 3306 --username testuser --region ap-northeast-1` --ssl-ca=rds-combined-ca-bundle.pem --enable-cleartext-plugin
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 711
Server version: 5.7.16-log MySQL Community Server (GPL)

Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql>
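The token returned by generate-db-auth-token is a SigV4 presigned request, so the connection window (X-Amz-Expires=900, i.e. 15 minutes from X-Amz-Date) can be read off the query string before you hand it to mysql. The following is an added example, not part of the original post, that parses a token of the shape shown above and builds the mysql command with the two flags the post ended up needing; the sample token and its X-Amz-Credential/X-Amz-Signature values are constructed placeholders, not real credentials.

```python
"""Inspect an RDS IAM auth token and build the mysql invocation.

Added example (not from the original post). The token is a SigV4 presigned
request; host, port, user and validity window are all in the string itself.
"""
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs

# Constructed sample token in the same shape as the post's output.
# Credential and signature values are dummies, not a real token.
SAMPLE_TOKEN = (
    "test.xxxxxxxxxx.ap-northeast-1.rds.amazonaws.com:3306/?Action=connect"
    "&DBUser=testuser&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=900"
    "&X-Amz-Date=20170427T134947Z&X-Amz-SignedHeaders=host"
    "&X-Amz-Credential=AKIAEXAMPLE%2F20170427%2Fap-northeast-1%2Frds-db%2Faws4_request"
    "&X-Amz-Signature=0000000000000000000000000000000000000000000000000000000000000000"
)


def parse_token(token):
    """Return host, port, user and the signing/expiry times (UTC) of a token."""
    host_port, _, query = token.partition("/?")
    host, _, port = host_port.rpartition(":")
    q = {k: v[0] for k, v in parse_qs(query).items()}
    if q.get("Action") != "connect" or q.get("X-Amz-Algorithm") != "AWS4-HMAC-SHA256":
        raise ValueError("not an RDS IAM auth token")
    signed_at = datetime.strptime(q["X-Amz-Date"], "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
    expires_at = signed_at + timedelta(seconds=int(q["X-Amz-Expires"]))
    return {"host": host, "port": int(port), "user": q["DBUser"],
            "signed_at": signed_at, "expires_at": expires_at}


def seconds_remaining(token, now=None):
    """Seconds until the token stops being accepted (negative once expired)."""
    now = now or datetime.now(timezone.utc)
    return (parse_token(token)["expires_at"] - now).total_seconds()


def mysql_command(token, ca_bundle="rds-combined-ca-bundle.pem"):
    """Build the mysql argv used in the post.

    --enable-cleartext-plugin is required because the token is sent via
    mysql_clear_password, which is exactly why --ssl-ca (TLS) must be present:
    without it the token would cross the network in the clear.
    """
    info = parse_token(token)
    return ["mysql", "-u", info["user"], "-h", info["host"], "-P", str(info["port"]),
            "--ssl-ca=" + ca_bundle, "--enable-cleartext-plugin", "-p" + token]


if __name__ == "__main__":
    info = parse_token(SAMPLE_TOKEN)
    print("token for %s@%s valid until %s" % (info["user"], info["host"], info["expires_at"]))
    print(" ".join(mysql_command(SAMPLE_TOKEN)))
```

Because the lifetime is only 15 minutes, generate the token immediately before connecting, as the post's backtick substitution does, rather than caching it.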