cloudpack大阪の佐々木です。
RDSの認証をIAMでできるという話です。
http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.html
基本的な設定はこちらを参照
http://qiita.com/Pampus/items/18b45330b990927652fd
認証に必要なTokenをaws-cliで取得できるようになってました。
aws-cliをアップデートします。
$ sudo pip install -U awscli $ aws --version aws-cli/1.11.81 Python/2.7.12 Linux/4.9.17-8.31.amzn1.x86_64 botocore/1.5.44
aws rds generate-db-auth-token
コマンドが使えるようになっています。
NAME generate-db-auth-token - DESCRIPTION Generates an auth token used to connect to a db with IAM credentials. SYNOPSIS generate-db-auth-token --hostname--port --username OPTIONS --hostname (string) The hostname of the database to connect to. --port (integer) The port number the database is listening on. --username (string) The username to log in as.
実行するとトークンが発行されます。
$ aws rds generate-db-auth-token --hostname test.xxxxxxxxxx.ap-northeast-1.rds.amazonaws.com --port 3306 --username testuser --region ap-northeast-1 test.xxxxxxxxxx.ap-northeast-1.rds.amazonaws.com:3306/?Action=connect&DBUser=testuser&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=900&X-Amz-Date=20170427T134947Z&X-Amz-SignedHeaders=host&X-Amz-Security-Token=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx&X-Amz-Credential=xxxxxxxxxxxxxxxxxxxxxx2Faws4_request&X-Amz-Signature=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
これをパスワードにして接続します。
$ mysql -u testuser -h test.xxxxxxxxxxxx.ap-northeast-1.rds.amazonaws.com -p`aws rds generate-db-auth-token --hostname test.xxxxxxxxxxxx.ap-northeast-1.rds.amazonaws.com --port 3306 --username testuser --region ap-northeast-1` --ssl-ca=rds-combined-ca-bundle.pem
ERROR 2059 (HY000): Authentication plugin 'mysql_clear_password' cannot be loaded: plugin not enabled
んん?
--enable-cleartext-plugin
ってのがいるらしいです。
https://dev.mysql.com/doc/refman/5.6/ja/cleartext-authentication-plugin.html
$ mysql -u testuser -h test.xxxxxxxxxxx.ap-northeast-1.rds.amazonaws.com -p`aws rds generate-db-auth-token --hostname test.xxxxxxxxxx.ap-northeast-1.rds.amazonaws.com --port 3306 --username testuser --region ap-northeast-1` --ssl-ca=rds-combined-ca-bundle.pem --enable-cleartext-plugin
Welcome to the MySQL monitor. Commands end with ; or \g. Your MySQL connection id is 711 Server version: 5.7.16-log MySQL Community Server (GPL) Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved. Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners. Type 'help;' or '\h' for help. Type '\c' to clear the current input statement. mysql>