Bug #109414 mysql shell will not authenticate with AWS RDS IAM Password tokens
Submitted: 16 Dec 2022 14:56 Modified: 16 Dec 2022 20:38
Reporter: Jay Janssen Email Updates:
Status: Not a Bug Impact on me: None
Category:Shell General / Core Client Severity:S3 (Non-critical)
Version: OS:MacOS
Assigned to: MySQL Verification Team CPU Architecture:Any

[16 Dec 2022 14:56] Jay Janssen
Description:
I am unable to authenticate using an AWS IAM password token with mysqlsh to AWS RDS.  I can confirm I can authenticate against the same DB with mysql users using regular passwords.

AWS IAM tokens have a lifespan of only 15 minutes and are generated from an AWS API call (or the AWS CLI).  You can see the CLI doc and token examples here:  https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/generate-db-auth-to...

```
LIBMYSQL_ENABLE_CLEARTEXT_PLUGIN=1 mysqlsh --ssh <jumphost> -h <hidden>.us-east-1.rds.amazonaws.com -P 3306 -u ods-eng '--password=$TOKEN' --ssl-ca=/Users/jayj/.aws/rds-combined-ca-bundle.pem --ssl-mode=VERIFY_CA
Opening SSH tunnel to <jumphost>:22...
MySQL Shell 8.0.31

Copyright (c) 2016, 2022, Oracle and/or its affiliates.
Oracle is a registered trademark of Oracle Corporation and/or its affiliates.
Other names may be trademarks of their respective owners.

Type '\help' or '\?' for help; '\quit' to exit.
WARNING: Using a password on the command line interface can be insecure.
Creating a session to 'ods-eng@<hidden>.us-east-1.rds.amazonaws.com:3306?ssl-ca=%2FUsers%2Fjayj%2F.aws%2Frds-combined-ca-bundle.pem&ssl-mode=verify_ca'
MySQL Error 1045 (28000): Access denied for user 'ods-eng'@'<jumphost ip>' (using password: YES)
```

https://dev.mysql.com/doc/mysql-shell/8.0/en/mysqlsh.html#option_mysqlsh_password
The mysql shell doc states that "The maximum password length that is accepted for connecting to MySQL Shell is 128 characters."

However, AWS IAM tokens are much longer:

```
~ echo $TOKEN | wc -c
    1211
```

So, if mysql-shell is truncating my password, I suspect that is the reason I am getting the 1045 error.  

NOTE: this situation does not happen with the standard mysql client.

How to repeat:
1) Have an AWS RDS instance that allows IAM token authentication
2) Create a user on that instance using AWSAuthenticationPlugin:
CREATE USER 'ods-eng'@'%' IDENTIFIED WITH 'AWSAuthenticationPlugin' AS 'RDS' REQUIRE SSL PASSWORD EXPIRE DEFAULT ACCOUNT UNLOCK
3) There's a bunch of other stuff to do that is documented in this AWS RDS manual section:  https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.html that basically is setting up authentication so you can generate and use db tokens to connect.
4) Execute the equivalent of the mysqlsh connection above.  

Suggested fix:
Increase mysql shell's limit of 128, which seems arbitrarily small.
[16 Dec 2022 18:00] Alfredo Kojima
Are these tokens being passed to mysqlsh via cmdline arg or stdin/tty? The 128 char limit is for passwords typed in interactively or stdin, not cmdline ones.
[16 Dec 2022 18:13] Jay Janssen
It is command line.  In my example it's the '--password=$TOKEN' argument.  

That may suggest my issue is something else, but the manual was not clear the pw limit was only for stdin/interactive.
[16 Dec 2022 19:22] Alfredo Kojima
Could you try this:

```
LIBMYSQL_ENABLE_CLEARTEXT_PLUGIN=1 mysqlsh

mysqlsh-js> TOKEN=<the token>

mysqlsh-js> shell.connect({ssh: "<jumphost>", host: "<hidden>.us-east-1.rds.amazonaws.com", port: "3306", user: "ods-eng",  password: TOKEN, "ssl-ca":"/Users/jayj/.aws/rds-combined-ca-bundle.pem", "ssl-mode": "VERIFY_CA"})
```

Also, just to be sure, you meant "--password=$TOKEN" right? Or does your shell substitute $vars inside 'single quotes' too?
[16 Dec 2022 19:49] Jay Janssen
ok, you got me.  It does work fine with your method, as well as on the cli if I properly quote my password argument.  Sorry for the noise!

While I have your attention, I would potentially be interested in implementing an RDS credential helper or something that would do the AWS get/cache tokens for me.  Any pointers?
[16 Dec 2022 20:37] Alfredo Kojima
No problem!

There's an explanation and an overview of how to write a custom one here: https://dev.mysql.com/blog-archive/mysql-shell-8-0-12-storing-mysql-passwords-securely/
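The thread resolves to a quoting mistake: `'--password=$TOKEN'` in single quotes sends the eight-byte literal `$TOKEN` to the server, which is why the 1045 appeared even though mysqlsh's 128-character limit applies only to interactive/stdin passwords. The wrapper below is an added example, not code from the bug report, from MySQL Shell or from AWS; it shows both quotings side by side, adds a plausibility check so a value that is obviously not an IAM token is rejected before the connection attempt, and sketches the "get a token for me" helper the reporter asked about. The endpoint, user, region and CA bundle path are constructed placeholders (override them via environment variables); `aws rds generate-db-auth-token` is the real AWS CLI command the report links to.

```shell
#!/bin/sh
# Added example (not part of the bug report or of MySQL Shell): wrapper that
# obtains an RDS IAM auth token and passes it to mysqlsh with correct quoting.
# Defaults below are constructed placeholders; override them in the environment.
RDS_HOST="${RDS_HOST:-db-example.us-east-1.rds.amazonaws.com}"
RDS_PORT="${RDS_PORT:-3306}"
RDS_USER="${RDS_USER:-ods-eng}"
AWS_REGION="${AWS_REGION:-us-east-1}"
RDS_CA_BUNDLE="${RDS_CA_BUNDLE:-$HOME/.aws/rds-combined-ca-bundle.pem}"

# What the report's command line actually passed: single quotes suppress
# variable expansion, so the literal text "$TOKEN" became the password.
password_arg_single_quoted() {
    printf '%s' '--password=$TOKEN'
}

# Double quotes expand the variable before mysqlsh ever sees the argument.
password_arg_double_quoted() {
    TOKEN="$1"
    printf '%s' "--password=$TOKEN"
}

# Byte length of a token, without the trailing newline that `echo | wc -c` counts.
token_length() {
    printf '%s' "$1" | wc -c | tr -d ' '
}

# Plausibility check before connecting: an IAM token is a presigned query
# string several hundred bytes long carrying X-Amz-* parameters. An empty
# value or the literal "$TOKEN" fails here instead of as a 1045 at the server.
token_looks_valid() {
    [ "$(token_length "$1")" -gt 128 ] || return 1
    case "$1" in
        *X-Amz-Signature=*) return 0 ;;
        *) return 1 ;;
    esac
}

# Fetch a fresh token (valid for 15 minutes) from the AWS CLI. RDS_TOKEN, if
# set, overrides the CLI call so the wrapper can be exercised offline.
fetch_token() {
    if [ -n "${RDS_TOKEN:-}" ]; then
        printf '%s' "$RDS_TOKEN"
        return 0
    fi
    aws rds generate-db-auth-token \
        --hostname "$RDS_HOST" --port "$RDS_PORT" \
        --username "$RDS_USER" --region "$AWS_REGION"
}

# Build and exec the mysqlsh session; extra arguments (e.g. --ssh <jumphost>)
# are appended unchanged.
connect_with_token() {
    token="$(fetch_token)" || { echo "token fetch failed" >&2; return 1; }
    token_looks_valid "$token" || {
        echo "refusing to connect: value does not look like an IAM token" >&2
        return 1
    }
    export LIBMYSQL_ENABLE_CLEARTEXT_PLUGIN=1
    exec mysqlsh -h "$RDS_HOST" -P "$RDS_PORT" -u "$RDS_USER" \
        "$(password_arg_double_quoted "$token")" \
        --ssl-ca="$RDS_CA_BUNDLE" --ssl-mode=VERIFY_CA "$@"
}

# Only connect when explicitly asked, so the file can also be sourced.
if [ "${RUN_RDS_CONNECT:-0}" = "1" ]; then
    connect_with_token "$@"
fi
```

Run it as `RUN_RDS_CONNECT=1 RDS_HOST=<endpoint> sh rds-connect.sh --ssh <jumphost>`. The token still reaches mysqlsh as a command-line argument, so the "password on the command line" warning from the report applies unchanged; the gain is that the value is generated fresh and checked immediately before use rather than pasted by hand.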