Setting up RDS (MySQL) database access using IAM to generate access tokens


Question

I have followed the instructions to set up AWS and MySQL such that I should be able to sign in to mysql using mysql-client and a user (named aws_iam) without a password, but with a token generated by awscli with the role attached to my EC2 instance.

The instructions are here.

So I have:

  • An EC2 instance with a role which allows me to generate RDS credentials
  • An RDS instance running MySQL, with a user aws_iam which is identified by AWSAuthenticationPlugin
  • When signed in to the EC2 instance via SSH I can run mysql -h mydb.randomstring.region.rds.amazonaws.com -u root -p and enter the master password from the RDS set up to get a mysql shell.
  • Also when signed in to the EC2 instance via SSH I can run aws rds generate-db-auth-token --hostname mydb.randomstring.region.rds.amazonaws.com --port 3306 --username aws_iam and when running this I get a token that looks like this:

mydb.randomstring.region.rds.amazon.aws.com:port-number/?Action=connect&DBUser=aws_iam&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=900&X-Amz-Date=current_time&X-Amz-SignedHeaders=host&X-Amz-Security-Token=really-long-url-encoded-string&X-Amz-Credential=string/region/rds-db/aws4_request&X-Amz-Signature=long-hash

Then I run a connection command:

mysql -h mydb.randomstring.region.rds.amazonaws.com --ssl-ca=rds-ca-2015-eu-west-1.pem --ssl-mode=VERIFY_IDENTITY -u aws_iam --enable-cleartext-plugin --password=TOKEN

But then I get

ERROR 1045 (28000): Access denied for user 'aws_iam'@IP (using password: YES)

A few things I have noticed:

  • The "token" is url-encoded initially; but decoding it doesn't work either
  • The token has many parameters in url format; possibly only one of these parameters is the actual token, but that isn't mentioned in the documentation
  • If your EC2 role doesn't have the policy for "rds-db" you can still generate a token. This likely means the token generation doesn't prove that your policy works. But other than that there is no way to debug

So has anybody enabled this and is there something I have missed?

Answer

The documentation really is sparse.

As preposterous as it seems at first glance, it looks like the whole thing, complete with its url-escaping, is the "authentication token"... you'd just need to enclose it in ' single quotes on the command line.

Here's how I arrived at that conclusion:

My first step trying to work this out was to check the RDS API Reference. There is no GetDbAuthToken action. Curious.

Then, I noticed that aws rds generate-db-auth-token doesn't require a region. How can that be?

Unless...

Reading between the lines, it looks like the operative term here is generate... not synonymous with get (via an API request).

This looks like an entirely local operation, which means it's possible to successfully "generate" an entirely invalid authentication token... exactly the same way that you can generate a pre-signed URL that's syntactically valid but access is still denied, since the request signer lacks the requisite permission.

if your EC2 role doesn't have the policy for "rds-db" you can still generate a token. This likely means the token generation doesn't prove that your policy works.

I'd call this further proof of my assertions, here. In light of what I'm seeing, I'd say successful token generation proves nothing at all.

You're simply generating what they are calling a "token" -- that is, in form, no different than an AWS4-HMAC-SHA256 ("Signature Version 4") signed URL... signed with your credentials.

RDS takes this entire line, and passes it over to IAM using essentially the same mechanism that the external facing service APIs use, to validate it. This also explains why the token is only good for 15 minutes... that's how most of the Query APIs work. Signed requests are only good for +/- 15 minutes. It also explains why they recommend no more than 20 new connections per second -- your RDS instance is making an internal API request to actually validate the token when you try to log in with it.

I'd go back through all the setup steps but use an IAM user instead of an instance role while testing, just to eliminate a little bit of complexity.

The RDS instance's error log may have more information. You may need to set log_warnings to 2 or higher in the parameter group, which is probably a good idea anyway.
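To make the answer's point concrete: the token is a Signature Version 4 presigned request for a connect action against the rds-db service, produced entirely offline. The following is an added example, not code from the question, the answer or AWS: it builds such a token with only the standard library, using constructed placeholder credentials (the real CLI signs with the instance role's credentials), and verify_token shows what the validating side has to do, which is why a token for one DBUser, host or time window cannot be reused for another.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, quote, urlencode

EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()  # a GET has no body to hash

def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def _string_to_sign(host, port, query, amz_date, scope):
    # SigV4 canonical request: GET /, canonical query (without X-Amz-Signature), signed header "host", empty-payload hash
    canonical = "\n".join(["GET", "/", query, f"host:{host}:{port}\n", "host", EMPTY_SHA256])
    return "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                      hashlib.sha256(canonical.encode()).hexdigest()])

def _signature(secret_key, date_stamp, region, string_to_sign):
    # Signing key: HMAC chain over date, region, service name and terminator.
    key = _hmac(("AWS4" + secret_key).encode(), date_stamp)
    for part in (region, "rds-db", "aws4_request"):
        key = _hmac(key, part)
    return hmac.new(key, string_to_sign.encode(), hashlib.sha256).hexdigest()

def generate_token(host, port, user, region, access_key, secret_key, amz_date,
                   session_token=None, expires=900):
    # Purely local: no AWS endpoint is contacted, so a token here proves no access.
    date_stamp = amz_date[:8]
    scope = f"{date_stamp}/{region}/rds-db/aws4_request"
    params = {"Action": "connect", "DBUser": user,
              "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
              "X-Amz-Credential": f"{access_key}/{scope}",
              "X-Amz-Date": amz_date, "X-Amz-Expires": str(expires),
              "X-Amz-SignedHeaders": "host"}
    if session_token:  # present when the credentials come from an instance role
        params["X-Amz-Security-Token"] = session_token
    query = urlencode(sorted(params.items()), quote_via=quote)  # '/' -> %2F
    sig = _signature(secret_key, date_stamp, region, _string_to_sign(host, port, query, amz_date, scope))
    return f"{host}:{port}/?{query}&X-Amz-Signature={sig}"

def verify_token(token, secret_key):
    # The validating side rebuilds the canonical request from the token's own parameters and recomputes the signature.
    host_port, _, query = token.partition("/?")
    host, port = host_port.rsplit(":", 1)
    params = {k: v[0] for k, v in parse_qs(query).items()}
    sig = params.pop("X-Amz-Signature", "")
    cred = params["X-Amz-Credential"].split("/")  # key/date/region/rds-db/aws4_request
    canonical_query = urlencode(sorted(params.items()), quote_via=quote)
    expected = _signature(secret_key, cred[1], cred[2], _string_to_sign(
        host, port, canonical_query, params["X-Amz-Date"], "/".join(cred[1:])))
    return hmac.compare_digest(sig, expected)
```

The only secret involved is the signer's secret key; IAM holds the same key, which is why RDS can hand the whole line over for validation, and why a role without the rds-db permission still yields a perfectly well-formed token.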
