amazon-web-services - 使用 MariaDB JDBC 客户端通过 AWS RDS 代理执行 IAM 身份验证

Question

我很难配置带有 IAM 身份验证的 RDS 代理。

在 RDS 代理上：

• 启用 TLS
• IAM 身份验证也已启用

RDS 代理创建并使用了一个包含本机 MySQL 凭据的秘密，在监控中我看到了一些连接......没关系。

但是，在我的应用程序（Micronaut 之一）上，我使用 MariaDB JDCB 和参数：

在实例上，我已经使用脚本导入了证书：

#!/bin/bash
echo "Downloading RDS certificates..."
curl https://s3.amazonaws.com/rds-downloads/rds-combined-ca-bundle.pem > rds-combined-ca-bundle.pem
csplit -sk rds-combined-ca-bundle.pem "/-BEGIN CERTIFICATE-/" "{$(grep -c 'BEGIN CERTIFICATE' rds-combined-ca-bundle.pem | awk '{print $1 - 2}')}"
for CERT in xx*; do
# extract a human-readable alias from the cert
ALIAS=$(openssl x509 -noout -text -in $CERT | perl -ne 'next unless /Subject:/; s/.*CN=//; print')
echo "importing $ALIAS"
# import the cert into the default java keystore
keytool -import -cacerts -storepass changeit -noprompt -alias "$ALIAS" -file $CERT
done

我的应用程序包含依赖项：

implementation "org.mariadb.jdbc:mariadb-java-client:2.7.4"
implementation "com.amazonaws:aws-java-sdk-rds:1.12.74"

和数据源：

datasources:
  default:
    url: jdbc:mariadb://XXXXXX/DATABASE?user=INSTANCE_PROFILE_NAME&credentialType=AWS-IAM&&verifyServerCertificate=true&useSSL=true&requireSSL=true&Unicode=yes&characterEncoding=UTF-8
    driverClassName: org.mariadb.jdbc.Driver
    type: org.mariadb.jdbc.MariaDbPoolDataSource

实例配置文件角色包含一个策略：

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": "rds-db:connect",
            "Resource": "arn:aws:rds-db:eu-west-1:794392443626:dbuser:prx-XXXXXXXXX/*"
        }
    ]
}

但 ！它根本不起作用！

Sep 28 09:53:55 ip-192-168-11-29 web: Caused by: java.sql.SQLInvalidAuthorizationSpecException: (conn=71837971) Access denied for user 'INSTANCE_PROFILE_NAME'@'%' (using password: YES)
Sep 28 09:53:55 ip-192-168-11-29 web: Current charset is UTF-8. If password has been set using other charset, consider using option 'passwordCharacterEncoding'
Sep 28 09:53:55 ip-192-168-11-29 web: at org.mariadb.jdbc.internal.util.exceptions.ExceptionFactory.createException(ExceptionFactory.java:66) ~[ads-2021.09.28.100752-all.jar:?]
Sep 28 09:53:55 ip-192-168-11-29 web: at org.mariadb.jdbc.internal.util.exceptions.ExceptionFactory.create(ExceptionFactory.java:192) ~[ads-2021.09.28.100752-all.jar:?]
Sep 28 09:53:55 ip-192-168-11-29 web: at org.mariadb.jdbc.internal.protocol.AbstractConnectProtocol.authenticationHandler(AbstractConnectProtocol.java:769) ~[ads-2021.09.28.100752-all.jar:?]
Sep 28 09:53:55 ip-192-168-11-29 web: at org.mariadb.jdbc.internal.protocol.AbstractConnectProtocol.createConnection(AbstractConnectProtocol.java:555) ~[ads-2021.09.28.100752-all.jar:?]
Sep 28 09:53:55 ip-192-168-11-29 web: at org.mariadb.jdbc.internal.protocol.AbstractConnectProtocol.connectWithoutProxy(AbstractConnectProtocol.java:1389) ~[ads-2021.09.28.100752-all.jar:?]
Sep 28 09:53:55 ip-192-168-11-29 web: at org.mariadb.jdbc.internal.util.Utils.retrieveProxy(Utils.java:635) ~[ads-2021.09.28.100752-all.jar:?]
Sep 28 09:53:55 ip-192-168-11-29 web: at org.mariadb.jdbc.MariaDbConnection.newConnection(MariaDbConnection.java:150) ~[ads-2021.09.28.100752-all.jar:?]
Sep 28 09:53:55 ip-192-168-11-29 web: at org.mariadb.jdbc.Driver.connect(Driver.java:89) ~[ads-2021.09.28.100752-all.jar:?]

在 cloudwatch rds 代理端，我有：

2021-09-28T10:24:58.140Z [DEBUG] [proxyEndpoint=default] [clientConnection=3815433305] Received Handshake Response: [username="INSTANCE_PROFILE_NAME", schema="ads_beta", auth-plugin="mysql_native_password", capabilityFlags={CLIENT_FOUND_ROWS=true; CLIENT_LONG_FLAG=false; CLIENT_CONNECT_WITH_DB=true; CLIENT_COMPRESS=false; CLIENT_LOCAL_FILES=true; CLIENT_IGNORE_SPACE=true; CLIENT_INTERACTIVE=false; CLIENT_IGNORE_SIGPIPE=false; CLIENT_TRANSACTIONS=true; CLIENT_RESERVED=false; CLIENT_SECURE_CONNECTION=true; CLIENT_MULTI_STATEMENTS=false; CLIENT_MULTI_RESULTS=true; CLIENT_PS_MULTI_RESULTS=true; CLIENT_PLUGIN_AUTH=true; CLIENT_CONNECT_ATTRS=true; CLIENT_PLUGIN_AUTH_LENENC_CLIENT_DATA=true; CLIENT_CAN_HANDLE_EXPIRED_PASSWORDS=false; CLIENT_SESSION_TRACK=true; CLIENT_DEPRECATE_EOF=true; CLIENT_OPTIONAL_RESULTSET_METADATA=false; CLIENT_REMEMBER_OPTIONS=false}]

Proxy authentication with MySQL native password authentication failed for user "INSTANCE_PROFILE_NAME" with TLS on. Reason: Invalid credentials. If you provide an IAM token, make sure to either use the correct password or enable IAM authentication

也许它错过了一些数据源配置？

Answer 1

您是否将 AWS_ACCESS_KEY_ID、AWS_SECRET_KEY 和 AWS_REGION 定义为服务器上的环境变量？那是我的问题。似乎 mariadb 插件需要这些，不能使用基于角色的配置。

这是一篇关于如何设置基于角色的身份验证的好博客，它将每 14 分钟自动刷新一次您的数据库连接（因为 aws rds 身份验证令牌仅对 15 有效）：https ://blog.jdriven.com/2021/ 06/configure-hikari-connection-pool-when-using-rds-iam/