aws-sdk-go-v2

RDS's 'BuildAuthToken' should validate that the port is present in the database endpoint string

Open gaultier opened this issue 3 years ago • 0 comments

Describe the bug

When generating an RDS database token to connect to the database over IAM, e.g. on the CLI: aws rds generate-db-auth-token --hostname <host> --username <user> --port 3306 --region <region>, the port is required.

When leaving it out, there is an error: aws: error: the following arguments are required: --port.

However, the Go SDK v2 does not perform such validation. Since the host and the port are passed in one string (the endpoint argument) in the function BuildAuthToken, e.g. foo.cluster-bar.eu-central-1.rds.amazonaws.com:3306, it is easy to forget to pass the port at the end of this string.

This leads to this function generating an invalid token, which will in turn lead to an error from MySQL: Error 1045: Access denied for user '<user>'@'<ip>' (using password: YES)

The docs in the Go SDK v2 do state that the port is required, but it's an easy mistake to make which will lead to hours of troubleshooting. Especially when the endpoint is not defined in code but in a per-environment configuration.

Expected Behavior

Suggestion: validate that the endpoint parameter contains the port at the end and return an error otherwise.

Current Behavior

No validation occurs and a wrong token is generated (without an error being returned). This token will be rejected by MySQL when trying to connect with it.

Reproduction Steps

Run:

cfg, _ := config.LoadDefaultConfig(context.Background())

token, err := auth.BuildAuthToken(context.Background(), "foo.cluster-bar.eu-central-1.rds.amazonaws.com", "eu-central-1", "baz", cfg.Credentials)
if err != nil {
  panic(err)
}

And see that a token (which is silently invalid) is returned, with no error.

Possible Solution

Suggestion: validate that the endpoint parameter contains the port at the end and return an error otherwise, like the CLI does.

Additional Information/Context

No response

AWS Go SDK V2 Module Versions Used

	github.com/aws/aws-sdk-go-v2 v1.16.3
	github.com/aws/aws-sdk-go-v2/config v1.11.1
	github.com/aws/aws-sdk-go-v2/feature/rds/auth v1.1.1

Compiler and Version used

go1.18.4 darwin/amd64

Operating System and version

Darwin Kernel Version 21.5.0 x86_64

gaultier, Jul 20 '22 06:07
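
A caller-side guard for the problem reported above, as an added example that is not part of the original issue or of aws-sdk-go-v2: it checks that an endpoint carries a usable port before the string is handed to BuildAuthToken, and applies the check to a per-environment configuration at startup. The names checkRDSEndpoint and badEndpoints and the environment names are hypothetical, and the sample configuration is constructed.

```go
package main

import (
	"fmt"
	"net"
	"sort"
	"strconv"
)

// checkRDSEndpoint is a hypothetical helper, not part of aws-sdk-go-v2.
// It rejects endpoints that lack the ":port" suffix BuildAuthToken needs.
func checkRDSEndpoint(endpoint string) error {
	host, port, err := net.SplitHostPort(endpoint)
	if err != nil {
		// Covers the case from the issue: a bare hostname with no port.
		return fmt.Errorf("rds endpoint %q must be host:port: %w", endpoint, err)
	}
	if host == "" {
		return fmt.Errorf("rds endpoint %q has an empty host", endpoint)
	}
	// SplitHostPort accepts "host:" and "host:mysql"; require 1-65535.
	if n, err := strconv.ParseUint(port, 10, 16); err != nil || n == 0 {
		return fmt.Errorf("rds endpoint %q has invalid port %q", endpoint, port)
	}
	return nil
}

// badEndpoints checks every per-environment endpoint at startup and returns
// the sorted names of the environments whose value would yield a bad token.
func badEndpoints(byEnv map[string]string) []string {
	var bad []string
	for env, endpoint := range byEnv {
		if checkRDSEndpoint(endpoint) != nil {
			bad = append(bad, env)
		}
	}
	sort.Strings(bad)
	return bad
}

func main() {
	// Constructed sample configuration; only "prod" carries the port.
	cfg := map[string]string{
		"prod":    "foo.cluster-bar.eu-central-1.rds.amazonaws.com:3306",
		"staging": "foo.cluster-bar.eu-central-1.rds.amazonaws.com",
		"dev":     "foo.cluster-bar.eu-central-1.rds.amazonaws.com:",
	}
	fmt.Println("environments with unusable endpoints:", badEndpoints(cfg))
}
```

Calling checkRDSEndpoint immediately before auth.BuildAuthToken turns the misleading "Access denied" from the database into a configuration error at the point where the endpoint is read.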