1. Anuncie Aqui ! Entre em contato fdantas@4each.com.br

[Python] How to authenticate in MySQL RDS using IAM DB Authentication and Python

Discussão em 'Python' iniciado por Stack, Setembro 12, 2024.

  1. Stack

    Stack Membro Participativo

    I have an AWS RDS DB running MySQL 5.6.39, with IAM DB Authentication Enabled.

    First of all, I completed with success the Tutorial: Configuring a Lambda Function to Access Amazon RDS in an Amazon VPC and this was my starting point for the next steps.

    I want to log in with IAM credentials and so, following this and this tutorials, I did:


    1. When I created the RDS MySQL instance, I selected Enabling IAM database authentication.


    2. Created a user named lambda:

      CREATE USER 'lambda' IDENTIFIED WITH AWSAuthenticationPlugin as 'RDS';
      GRANT ALL PRIVILEGES ON test_db.* TO 'lambda'@'%';
      FLUSH PRIVILEGES;

    3. Created an IAM policy, and attached it to the role I was using as an Execution role for my lambda function:

      {
      "Version": "2012-10-17",
      "Statement": [
      {
      "Effect": "Allow",
      "Action": [
      "rds-db:connect"
      ],
      "Resource": [
      "<DB-ARN>/lambda"
      ]
      }
      ]
      }

    4. Created a lambda function:

      import sys
      import boto3
      import logging
      import pymysql

      #rds settings
      rds_host = "<RDS-ENDPOINT>"
      username = "lambda"
      db_name = "test_db"

      logger = logging.getLogger()
      logger.setLevel(logging.INFO)

      client = boto3.client('rds',region_name='eu-west-2')
      token = client.generate_db_auth_token(rds_host,3306, name)
      ssl = {'ca': 'rds-combined-ca-bundle.pem'}
      logger.info("token: "+ token)

      conn = pymysql.connect(rds_host, user=username, passwd=token, db=db_name, connect_timeout=5, ssl=ssl)

      logger.info("SUCCESS: Connection to RDS mysql instance succeeded")
      def handler(event, context):
      ...

    5. I got the following error:

      error: (1045, "Access denied for user 'lambda'@'<LAMBDA_IP>' (using password: YES)")

    In an attempt to find If it was a python error I used AWS CLI, from an EC2 instance with the policy attached.


    1. Get the token:

      aws rds generate-db-auth-token --hostname <RDS-ENDPOINT> --port 3306 --username lambda

    2. Connect to the DB, using the token I got in the last step:

      mysql -h <RDS-ENDPOINT> -u lambda --enable-cleartext-plugin --password='<TOKEN>'

    3. I got the same error:

      mysql: [Warning] Using a password on the command line interface can be insecure.
      ERROR 1045 (28000): Access denied for user 'lambda'@'<EC2_IP>' (using password: YES)

    Continue reading...

Compartilhe esta Página