Connecting to your DB instance using IAM authentication from the command line: AWS CLI and mysql client
You can connect from the command line to an
Amazon RDS DB instance
with the AWS CLI and mysql
command line tool as described
following.
Prerequisites
The following are prerequisites for connecting to your DB instance using IAM authentication:
Note
For information about connecting to your database using SQL Workbench/J with IAM authentication,
see the blog post Use IAM authentication to connect with SQL Workbench/J to Aurora MySQL or Amazon RDS for MySQL
Generating an IAM authentication token
The following example shows how to get a signed authentication token using the AWS CLI.
aws rds generate-db-auth-token \ --hostname
rdsmysql.123456789012.us-west-2.rds.amazonaws.com
\ --port3306
\ --regionus-west-2
\ --usernamejane_doe
In the example, the parameters are as follows:
-
--hostname
– The host name of the DB instance that you want to access -
--port
– The port number used for connecting to your DB instance -
--region
– The AWS Region where the DB instance is running -
--username
– The database account that you want to access
The first several characters of the token look like the following.
rdsmysql.123456789012.us-west-2.rds.amazonaws.com:3306/?Action=connect&DBUser=jane_doe&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=900...
Note
You cannot use a custom Route 53 DNS record instead of the DB instance endpoint to generate the authentication token.
Connecting to a DB instance
The general format for connecting is shown following.
mysql --host=
hostName
--port=portNumber
--ssl-ca=full_path_to_ssl_certificate
--enable-cleartext-plugin --user=userName
--password=authToken
The parameters are as follows:
-
--host
– The host name of the DB instance that you want to access -
--port
– The port number used for connecting to your DB instance -
--ssl-ca
– The full path to the SSL certificate file that contains the public keyFor more information about SSL/TLS support for MariaDB, see SSL/TLS support for MariaDB DB instances on Amazon RDS.
For more information about SSL/TLS support for MySQL, see SSL/TLS support for MySQL DB instances on Amazon RDS.
To download an SSL certificate, see Using SSL/TLS to encrypt a connection to a DB instance or cluster.
-
--enable-cleartext-plugin
– A value that specifies thatAWSAuthenticationPlugin
must be used for this connectionIf you are using a MariaDB client, the
--enable-cleartext-plugin
option isn't required. -
--user
– The database account that you want to access -
--password
– A signed IAM authentication token
The authentication token consists of several hundred characters. It can be
unwieldy on the command line. One way to work around this is to save the token
to an environment variable, and then use that variable when you connect. The
following example shows one way to perform this workaround. In the example, /sample_dir/
is the full path to the SSL certificate file that contains the public key.
RDSHOST="
mysqldb.123456789012.us-east-1.rds.amazonaws.com
" TOKEN="$(aws rds generate-db-auth-token --hostname $RDSHOST --port3306
--regionus-west-2
--usernamejane_doe
)" mysql --host=$RDSHOST --port=3306
--ssl-ca=/sample_dir/
global-bundle.pem --enable-cleartext-plugin --user=jane_doe
--password=$TOKEN
When you connect using AWSAuthenticationPlugin
, the connection is
secured using SSL. To verify this, type the following at the mysql>
command prompt.
show status like 'Ssl%';
The following lines in the output show more details.
+---------------+-------------+ | Variable_name | Value | +---------------+-------------+ | ... | ... | Ssl_cipher | AES256-SHA | | ... | ... | Ssl_version | TLSv1.1 | | ... | ... +-----------------------------+
If you want to connect to a DB instance through a proxy, see Connecting to a proxy using IAM authentication.