I'm following http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.html in order to authenticate from an EC2 to RDS. I am able to run the generate-db-auth-token
command to retrieve a token, but I'm not sure what to do with it after that (the instructions inexplicably end).
I've tried simply passing the regurgitated string (as well as logical substrings of the returned fields) as the password of a mysql client connection, but this doesn't seem to work..
The returned token is in the following form: {instance identifier}.{region}.rds.amazonaws.com:3306/?Action=connect&DBUser={auth db username}&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=900&X-Amz-Date=20170622T221608Z&X-Amz-SignedHeaders=host&X-Amz-Security-Token={super long, web-escaped string containing special characters}&X-Amz-Credential={some shorter, web-escaped string containing special characters}&X-Amz-Signature={some long string of alphanumeric characters}
Any help is greatly appreciated.
I have the same issue, I'm using a php app and trying to use CLI to assure it's working before adding code modifications.
I found this way but I still get 'Access Denied', maybe it works for you:
Update: This is working for me now, I had another issue with the role policy.
Adding more to answer provided above (Thank you Safaa Selim)
Step 1: Get Cert from http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html (Cert link https://s3.amazonaws.com/rds-downloads/rds-combined-ca-bundle.pem)
Step 2: Add user to DB by using root account on RDS (http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.html) CREATE USER mydbuser IDENTIFIED WITH AWSAuthenticationPlugin as 'RDS';
Step 3: Make sure you have ~/.aws/credentials and ~/.aws/profile with mydbuser
Step 4: Attach Policy to the User/Role from http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.html
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "rds-db:connect" ], "Resource": [ "arn:aws:rds-db:us-west-2:12345678:dbuser:*/mydbuser" ] } ] }
Step 4: