
Problems connecting to AWS RDS Instance using new IAM Authentication Feature #1715

Closed
brucemack opened this issue May 5, 2017 · 7 comments

@brucemack

brucemack commented May 5, 2017

Has anyone been able to connect successfully to an AWS RDS instance using the new IAM authentication feature? I am able to generate the ephemeral authentication token with no problem, but when I pass it as a password when connecting to database I get this error:

<-- ErrorPacket
ErrorPacket {
  fieldCount: 255,
  errno: 1251,
  sqlStateMarker: '#',
  sqlState: '08004',
  message: 'Client does not support authentication protocol requested by server; consider upgrading MySQL client' }

I am using version 2.13 of the driver.

AWS Documentation:

Thanks

@dougwilson
Member

Hi @brucemack it is not currently supported. We could possibly build in support for the auth protocol that the instance is requesting, but I don't know it off hand. Probably (1) someone can make a PR with the implementation or (2) perhaps direct me to the wire-level documentation for how to implement it and ideally provide a server to test against and I can try to implement.

@brucemack
Author

Hi Doug, thanks for the quick reply. I just wanted to make sure I wasn't missing something obvious. Let me learn more about the protocol in question and I'll get back with some more information and/or a PR.

Thanks!

@dougwilson
Member

I'm going to close this as a duplicate of #1396 to consolidate these issues.

@dougwilson dougwilson self-assigned this May 14, 2017
@elephantjim

For anyone else who lands here, mysql_clear_password is needed to be able to connect to an Aurora database on AWS RDS when using IAM auth tokens. The connection to the RDS instance is over SSL, and the authentication token is sent in the clear (because it's already an HMAC signature).

Switching to mysql2 and applying @angiolep's fix in sidorares/node-mysql2#438 (comment) worked for me.

@davewthompson

I believe there are two issues here, which I have fixed.

The first is that the mysqljs driver reads - but does nothing with - the extended server capabilities that get sent to the client after the first connection (HandshakeInitializationPacket's serverCapabilities2). This means the client never returns the CLIENT_PLUGIN_AUTH capability to the server, which means mysql_clear_password is never requested which breaks the PAM/IAM pluggable auth.

The second is that the AuthSwitchRequestPacket doesn't handle the requirement for a mysql_clear_password type of authentication.

My fix was to:

  1. Ensure the CLIENT_PLUGIN_AUTH capability is sent to the server from the client during the handshake.
  2. Handle the auth switch to a mysql_clear_password auth plugin type.

Unfortunately, the organisation I work for does not allow me to contribute to GitHub, so I will try and produce a clean-room implementation today.
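The two pieces described above, as an added example in plain Node.js (not code from the mysqljs driver or from any commenter): combining the two 16-bit capability halves so the CLIENT_PLUGIN_AUTH bit can be echoed, parsing the server's AuthSwitchRequest, and answering a mysql_clear_password switch only when the socket is TLS-protected or the caller has opted in. The packet bytes and the `insecure` option name are constructed for illustration.

```javascript
// CLIENT_PLUGIN_AUTH lives in the upper 16 bits of the capability flags,
// i.e. the half the thread calls serverCapabilities2.
const CLIENT_PLUGIN_AUTH = 1 << 19;
const AUTH_SWITCH_STATUS = 0xfe;

// Combine the handshake's two 16-bit capability halves into one 32-bit value.
function serverCapabilities(lower16, upper16) {
  return (((upper16 & 0xffff) << 16) | (lower16 & 0xffff)) >>> 0;
}

// Echo CLIENT_PLUGIN_AUTH back to the server only if it advertised it.
function clientFlags(baseFlags, serverCaps) {
  return (baseFlags | (serverCaps & CLIENT_PLUGIN_AUTH)) >>> 0;
}

// Parse Protocol::AuthSwitchRequest: 0xFE, NUL-terminated plugin name, then plugin data.
function parseAuthSwitchRequest(buf) {
  if (buf.length < 2 || buf[0] !== AUTH_SWITCH_STATUS) return null;
  const nul = buf.indexOf(0, 1);
  if (nul === -1) return null;
  return { pluginName: buf.toString('utf8', 1, nul), pluginData: buf.subarray(nul + 1) };
}

// mysql_clear_password reply: the password (here the IAM token) followed by a NUL byte.
// Refuse unless the connection is TLS, or the caller explicitly accepts a cleartext send
// (the "insecure" knob is an assumed option name, not a driver setting).
function buildAuthSwitchResponse(req, password, { tls = false, insecure = false } = {}) {
  if (req.pluginName !== 'mysql_clear_password') {
    throw new Error(`unsupported auth plugin: ${req.pluginName}`);
  }
  if (!tls && !insecure) {
    throw new Error('mysql_clear_password refused: connection is not TLS-protected');
  }
  return Buffer.concat([Buffer.from(password, 'utf8'), Buffer.from([0])]);
}

// Constructed sample of the switch request an IAM-enabled instance sends after the handshake.
const samplePacket = Buffer.concat([
  Buffer.from([AUTH_SWITCH_STATUS]),
  Buffer.from('mysql_clear_password\0', 'utf8'),
]);
```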

@elemount
Contributor

@davewthompson, fix 1 for CLIENT_PLUGIN_AUTH has been done in #1776, and I can implement mysql_clear_password on top of it.

But @dougwilson, if possible, we can add mysql_clear_password after my commit. Should we set insecure:True on the mysql_clear_password plugin so that it just passes the password directly?

@maulerjan

For me it worked after specifying ssl: 'Amazon RDS' in options.
