Amazon Relational Database Service
User Guide (API Version 2014-10-31)

Command Line: AWS CLI and mysql Client

You can connect from the command line to an RDS DB instance or Aurora DB cluster with the AWS CLI and the mysql command line tool, as described in the following sections.

Generating an Authentication Token

The following example shows how to get a signed authentication token using the AWS CLI.

    aws rds generate-db-auth-token \
        --hostname rdsmysql.cdgmuqiadpid.us-west-2.rds.amazonaws.com \
        --port 3306 \
        --region us-west-2 \
        --username jane_doe

In the example, the parameters are as follows:

  • --hostname — The host name of the DB instance or DB cluster that you want to access.

  • --port — The port number used for connecting to the DB instance or DB cluster.

  • --region — The AWS Region where the DB instance or DB cluster is running.

  • --username — The database account that you want to access.

The first several characters of the token look like the following.

rdsmysql.cdgmuqiadpid.us-west-2.rds.amazonaws.com:3306/?Action=connect&DBUser=jane_doe&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=900...
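The excerpt shows that the token carries the endpoint and the database user in plain text ahead of the signature. The following added example (not part of the AWS guide) reads those fields in POSIX shell so that a script can confirm a token matches the intended connection before passing it to a client. `SAMPLE_TOKEN` is constructed and shortened, its signature is a placeholder, and the function names are hypothetical.

```sh
# Added example, not from the RDS guide. SAMPLE_TOKEN is constructed: it follows
# the excerpt above, is shortened, and its signature value is a placeholder.
SAMPLE_TOKEN='rdsmysql.cdgmuqiadpid.us-west-2.rds.amazonaws.com:3306/?Action=connect&DBUser=jane_doe&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=900&X-Amz-Signature=PLACEHOLDER'

# token_endpoint TOKEN: print the host:port part that precedes "/?".
token_endpoint() {
  printf '%s\n' "${1%%/\?*}"
}

# token_param TOKEN NAME: print the value of query parameter NAME.
# Returns 1 if the parameter is absent. Values are not URL-decoded.
token_param() {
  while IFS= read -r _pair; do
    if [ "${_pair%%=*}" = "$2" ]; then
      printf '%s\n' "${_pair#*=}"
      return 0
    fi
  done <<EOF
$(printf '%s' "${1#*\?}" | tr '&' '\n')
EOF
  return 1
}

# check_token TOKEN HOST PORT USER: succeed only if the token was generated
# for this endpoint and this database account.
check_token() {
  if [ "$(token_endpoint "$1")" != "$2:$3" ]; then
    echo "token endpoint does not match $2:$3" >&2; return 1
  fi
  if [ "$(token_param "$1" Action)" != "connect" ]; then
    echo "token Action is not connect" >&2; return 1
  fi
  if [ "$(token_param "$1" DBUser)" != "$4" ]; then
    echo "token DBUser does not match $4" >&2; return 1
  fi
  return 0
}

# Report the non-secret fields of the sample token, then validate it.
echo "endpoint: $(token_endpoint "$SAMPLE_TOKEN")"
echo "expires:  $(token_param "$SAMPLE_TOKEN" X-Amz-Expires) seconds"
check_token "$SAMPLE_TOKEN" rdsmysql.cdgmuqiadpid.us-west-2.rds.amazonaws.com 3306 jane_doe \
  && echo "token matches the intended connection"
```

Printing only the endpoint, user, and expiry keeps the signature out of logs while still showing what the token was issued for.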

Connecting to a DB Instance or DB Cluster

The general format for connecting is as follows.

mysql --host=hostName --port=portNumber --ssl-ca=[full path]rds-combined-ca-bundle.pem --enable-cleartext-plugin --user=userName --password=authToken

The parameters are as follows:

  • --host — The host name of the DB instance or DB cluster that you want to access.

  • --port — The port number used for connecting to the DB instance or DB cluster.

  • --ssl-ca — The SSL certificate file that contains the public key. For more information, see Using SSL to Encrypt a Connection to a DB Instance.

  • --enable-cleartext-plugin — A value that specifies that AWSAuthenticationPlugin must be used for this connection.

  • --user — The database account that you want to access.

  • --password — A signed IAM authentication token.

The authentication token consists of several hundred characters. It can be unwieldy on the command line. One way to work around this is to save the token to an environment variable, and then use that variable when you connect. The following example shows one way to perform this workaround.

    RDSHOST="rdsmysql.cdgmuqiadpid.us-west-2.rds.amazonaws.com"
    TOKEN="$(aws rds generate-db-auth-token --hostname "$RDSHOST" --port 3306 --username jane_doe)"

    mysql --host="$RDSHOST" --port=3306 --ssl-ca=/sample_dir/rds-combined-ca-bundle.pem --enable-cleartext-plugin --user=jane_doe --password="$TOKEN"

When you connect using AWSAuthenticationPlugin, the connection is secured using SSL. To verify this, type the following at the mysql> command prompt.

show status like 'Ssl%';

The following lines in the output show more details.

    +---------------+-------------+
    | Variable_name | Value       |
    +---------------+-------------+
    | ...           | ...         |
    | Ssl_cipher    | AES256-SHA  |
    | ...           | ...         |
    | Ssl_version   | TLSv1.1     |
    | ...           | ...         |
    +---------------+-------------+