使用IAM角色的AWS RDS MySQL连接无法正常工作 [英] AWS RDS MySQL connection using IAM Role is not working

问题描述

想提前通知我，我通常是AWS的新手.对于我的项目，我尝试使用EC2实例上Tomcat上部署的Java应用程序中的IAM身份验证(IAM角色)使用AWS RDS MySQL.从Java尝试之前，我正在EC2实例上的命令提示符下尝试它.我正在通过此链接进行操作:

Would like to inform upfront that I am new to AWS in general. For my project I am trying to use AWS RDS MySQL using IAM Authentication (IAM Role) from a Java application deployed on Tomcat on an EC2 instance. Before trying it from Java I am trying it from the command prompt on the EC2 instance. I am following this link to do it:

https://aws.amazon.com/premiumsupport/knowledge-center/users-connect-rds-iam/

到目前为止，我已完成以下操作(如果我使用的术语不正确，请原谅):

I have done the following so far (please pardon if I am not using correct terminologies):

• 使用AWS RDS的MySQL
• 在我的MySQL实例上启用了IAM身份验证
• 为EC2创建了IAM角色

• 为上述IAM角色创建了一个内联策略，并授予了必需的操作".还包括资源"(我的数据库端点带有用户名)，如下所示:

• MySQL using AWS RDS
• Enabled IAM Authentication on my MySQL instance
• Created IAM Role for EC2

• Created an inline policy for the above IAM Role and granted required "Action". Also included the "Resources" (my database's endpoint with username), as below:

{
   "Version": "2012-10-17",
   "Statement": [
       {
           "Effect": "Allow",
           "Action": [
               "rds-db:connect"
           ],
           "Resource": [
               "arn:aws:rds-db:<my-region>:<my-account-id>:dbuser:<my-db-resource-id>/<my-db-username>"
           ]
       }
   ]
}

将此IAM角色分配给我创建的EC2实例

Assigned this IAM Role to an EC2 instance I have created

我遵循了顶部链接中给出的所有内容，除最后一条命令外，其他所有功能似乎都可以正常工作.

I followed everything given in the link at the top and everything seem to work except for the last command.

按照我在链接中创建的数据库用户，如下所示:

As in the link I created DB user as below:

CREATE USER dev_user IDENTIFIED WITH AWSAuthenticationPlugin as 'RDS';

链接中最后一个不起作用的命令是:

The last command in the link that is not working is:

mysql -h {db or cluser endpoint} --ssl-ca={certificate file name with complete path} --ssl-verify-server-cert -u {dbusername2} -p"{authenticationtoken}" --enable-cleartext-plugin

每次我运行此命令时，都会要求输入密码，然后出现错误.我不知如何解决.

Every time I run this command it asks for the password and then I am getting an error. I am at a loss on how to resolve it.

在上面的mysql命令中，如果我通过我的主用户ID (我将其创建为"admin")并输入了密码，则会收到如下错误:

In the above mysql command if I pass my master user-id (I created it as 'admin') and enter it's password I get an error like this:

[ec2-user@ip-xxx-xx-xx-16 ~]$ mysql -h <endpoint of my RDS DB instance> --ssl-ca=rds-combined-ca-bundle.pem --ssl-verify-server-cert -u admin -p 'aws rds generate-db-auth-token --hostname <endpoint of my RDS DB instance> --port 3306 --username dev_user' --enable-cleartext-plugin

输入密码: 错误1059(42000):标识符名称"aws rds generate-db-auth-token --hostname --port"太长

Enter password: ERROR 1059 (42000): Identifier name 'aws rds generate-db-auth-token --hostname --port' is too long

如果在同一命令中，我提供了上面创建的数据库用户(dev_user).如果在命令中提供"dev_user"作为用户，以及是否输入密码，都会出现以下错误. [在这种情况下，上面的链接未设置密码，因此当它要求输入密码时该怎么办?] :

And if in the same command I provide the above created DB user (dev_user). I get the following error if provide "dev_user" as user in the command and whether I enter a password or not. [In this case, the above link did not set a password so what should I do when it asks to enter the password?]:

[ec2-user@ip-xxx-xx-xx-16 ~]$ mysql -h <endpoint of my RDS DB instance> --ssl-ca=rds-combined-ca-bundle.pem --ssl-verify-server-cert -u dev_user -p 'aws rds generate-db-auth-token --hostname <endpoint of my RDS DB instance> --port 3306 --username dev_user' --enable-cleartext-plugin

输入密码: 错误1045(28000):用户'dev_user'@'xxx.xx.xx.16'的访问被拒绝(使用密码:是)

Enter password: ERROR 1045 (28000): Access denied for user 'dev_user'@'xxx.xx.xx.16' (using password: YES)

当我在上面的命令的两个地方都输入"admin"时，出现相同的访问被拒绝..."错误.

I get the same "Access denied..." error when I enter "admin" in both places in the command above.

我们将不胜感激任何帮助.

Any help will be highly appreciated.

谢谢.

推荐答案

首先，-p参数后不应有空格.

First of all, there shouldn't be space after -p parameter.

第二，如果要内联执行aws rds generate-db-auth-token...，则应将其标上刻度线，而不是单引号.

Second, if you want to execute aws rds generate-db-auth-token... inline, it should be marked with ticks, not single quotes.

mysql -h <endpoint of my RDS DB instance> --ssl-ca=rds-combined-ca-bundle.pem --ssl-verify-server-cert -u dev_user -p`aws rds generate-db-auth-token --hostname <endpoint of my RDS DB instance> --port 3306 --username dev_user` --enable-cleartext-plugin

这篇关于使用IAM角色的AWS RDS MySQL连接无法正常工作的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！