Bug #109414 | mysql shell will not authenticate with AWS RDS IAM Password tokens | ||
---|---|---|---|
Submitted: | 16 Dec 2022 14:56 | Modified: | 16 Dec 2022 20:38 |
Reporter: | Jay Janssen | Email Updates: | |
Status: | Not a Bug | Impact on me: | |
Category: | Shell General / Core Client | Severity: | S3 (Non-critical) |
Version: | OS: | MacOS | |
Assigned to: | MySQL Verification Team | CPU Architecture: | Any |
[16 Dec 2022 14:56]
Jay Janssen
[16 Dec 2022 18:00]
Alfredo Kojima
Are these tokens being passed to mysqlsh via cmdline arg or stdin/tty? The 128 char limit is for passwords typed in interactively or stdin, not cmdline ones.
[16 Dec 2022 18:13]
Jay Janssen
It is command line. In my example it's the '--password=$TOKEN' argument. That may suggest my issue is something else, but the manual was not clear the pw limit was only for stdin/interactive.
[16 Dec 2022 19:22]
Alfredo Kojima
Could you try this:

    LIBMYSQL_ENABLE_CLEARTEXT_PLUGIN=1 mysqlsh
    mysqlsh-js> TOKEN=<the token>
    mysqlsh-js> shell.connect({ssh: "<jumphost>", host: "<hidden>.us-east-1.rds.amazonaws.com", port: "3306", user: "ods-eng", password: TOKEN, "ssl-ca":"/Users/jayj/.aws/rds-combined-ca-bundle.pem", "ssl-mode": "VERIFY_CA"})

Also, just to be sure, you meant "--password=$TOKEN" right? Or does your shell substitute $vars inside 'single quotes' too?
[16 Dec 2022 19:49]
Jay Janssen
ok, you got me. It does work fine with your method, as well as on the cli if I properly quote my password argument. Sorry for the noise! While I have your attention, I would potentially be interested in implementing an RDS credential helper or something that would do the AWS get/cache tokens for me. Any pointers?
[16 Dec 2022 20:37]
Alfredo Kojima
No problem! There's an explanation and an overview of how to write a custom one here: https://dev.mysql.com/blog-archive/mysql-shell-8-0-12-storing-mysql-passwords-securely/
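
The quoting difference that resolved this report, shown as an added example (not code from the thread or from MySQL Shell). The TOKEN value is constructed to have the shape of an RDS IAM token, and `received_password` and `check_password_arg` are hypothetical helper names.

```bash
#!/usr/bin/env bash
# Shows what a client receives as its --password argument under each quoting
# style, plus a preflight check that catches the unexpanded-variable case.

# Constructed stand-in shaped like an RDS IAM auth token: long, and full of
# '?', '&' and '=' characters. It is not a real token.
TOKEN='db.example.invalid:3306/?Action=connect&DBUser=app&X-Amz-Expires=900&X-Amz-Signature=0000'

# Hypothetical helper: print the value of the --password=... argument exactly
# as the called program would see it in argv.
received_password() {
  local arg
  for arg in "$@"; do
    case $arg in
      --password=*) printf '%s' "${arg#--password=}" ;;
    esac
  done
}

# Hypothetical preflight: refuse a password that is empty or is still a literal
# variable reference, before it is ever sent to the server.
check_password_arg() {
  local pw
  pw=$(received_password "$@")
  case $pw in
    '')  echo "empty password argument" >&2; return 1 ;;
    \$*) echo "password is the literal text '$pw' (single-quoted?)" >&2; return 2 ;;
  esac
  return 0
}

# Single quotes: no expansion, the client is handed the six characters $TOKEN.
single=$(received_password '--password=$TOKEN')

# Double quotes: expanded, and kept as one argument whatever the token contains.
double=$(received_password "--password=$TOKEN")

printf 'single-quoted -> %s\n' "$single"
printf 'double-quoted -> %s\n' "$double"
```
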