Cannot connect to AWS RDS using IAM Authentication

Open pkhetrapal opened this issue 4 years ago • 15 comments

  • Sequel Ace Version: 2.1.1 Build 2053
  • macOS Version: 10.15.3
  • MySQL Version:

Description Cannot connect to RDS using IAM authentication.

Error - MySQL said: Authentication plugin 'mysql_clear_password' cannot be loaded: plugin not enabled

pkhetrapal, Jul 09 '20 21:07

@jamesstout @gboudreau Looks like Sequel Pro had made a manual alteration to support this?

https://github.com/sequelpro/sequelpro/commit/030eac5e17c69e375d7724e489483db72e791b9c

Jason-Morcos, Jul 10 '20 02:07

Perhaps #201 related as well?

Jason-Morcos, Jul 10 '20 02:07

What happens if you start SA like this:

LIBMYSQL_ENABLE_CLEARTEXT_PLUGIN=1 /Applications/Sequel\ Ace.app/Contents/MacOS/Sequel\ Ace

jamesstout, Jul 10 '20 06:07

@pkhetrapal any chance of a test account/db?

jamesstout, Jul 10 '20 06:07

Thanks for the reply, guys.

LIBMYSQL_ENABLE_CLEARTEXT_PLUGIN=1 /Applications/Sequel\ Ace.app/Contents/MacOS/Sequel\ Ace works, but it keeps the terminal session active and keeps logging:

2020-07-10 11:42:55.239 Sequel Ace[37446:45877622] LIBMYSQL_ENABLE_CLEARTEXT_PLUGIN is set. Disabling keychain access. See Issue #2437
2020-07-10 11:42:55.240 Sequel Ace[37446:45877622] reRequestSecureAccess to saved bookmarks
2020-07-10 11:43:03.496 Sequel Ace[37446:45877622] Not yet implemented: mainWindow
2020-07-10 11:43:03.496 Sequel Ace[37446:45877622] Not yet implemented: mainWindow
2020-07-10 11:43:03.496 Sequel Ace[37446:45877622] Not yet implemented: mainWindow
2020-07-10 11:43:03.496 Sequel Ace[37446:45877622] Not yet implemented: mainWindow
2020-07-10 11:43:03.516 Sequel Ace[37446:45877622] Not yet implemented: mainWindow
2020-07-10 11:43:03.516 Sequel Ace[37446:45877622] Not yet implemented: mainWindow
2020-07-10 11:43:09.186 Sequel Ace[37446:45877622] Not yet implemented: mainWindow
2020-07-10 11:43:09.188 Sequel Ace[37446:45877622] Not yet implemented: mainWindow
2020-07-10 11:43:49.327 Sequel Ace[37446:45877622] Not yet implemented: mainWindow
2020-07-10 11:43:49.327 Sequel Ace[37446:45877622] Not yet implemented: mainWindow
2020-07-10 11:43:49.327 Sequel Ace[37446:45877622] Not yet implemented: mainWindow
2020-07-10 11:43:49.327 Sequel Ace[37446:45877622] Not yet implemented: mainWindow
2020-07-10 11:43:49.336 Sequel Ace[37446:45877622] Not yet implemented: mainWindow
2020-07-10 11:43:49.336 Sequel Ace[37446:45877622] Not yet implemented: mainWindow
2020-07-10 11:43:57.644 Sequel Ace[37446:45877622] Not yet implemented: mainWindow

Can this option be added to Sequel Ace itself?

pkhetrapal, Jul 10 '20 18:07

Unfortunately I don't have access to a test account as all our dbs are behind a firewall. I will try to set up something though and let you know.

pkhetrapal, Jul 10 '20 18:07

Wanted to update, I was able to use

LIBMYSQL_ENABLE_CLEARTEXT_PLUGIN=1 /Applications/Sequel\ Ace.app/Contents/MacOS/Sequel\ Ace

and connect to our database. I do assume with this setup the token would go invalid after 15 minutes.

jseiser, Oct 26 '20 19:10

I tried LIBMYSQL_ENABLE_CLEARTEXT_PLUGIN=1 /Applications/Sequel\ Ace.app/Contents/MacOS/Sequel\ Ace, but it didn't work.

Sequel Ace version is 2.3.0 (Build 2111).

Just to note, I connect via a bastion server. The mysql CLI connected successfully, so there should be something wrong with Sequel Ace.

Steps to reproduce:

% ssh -L 13306:somethingsomething.ap-northeast-1.rds.amazonaws.com:3306 ec2-user@BastionServer
% export AWS_DEFAULT_REGION=ap-northeast-1
% RDSHOST="somethingsomething.ap-northeast-1.rds.amazonaws.com"
% TOKEN="$(aws rds generate-db-auth-token --hostname $RDSHOST --port 3306 --username jane_doe )"
# making sure cli works
% mysql --host=127.0.0.1 --port=13306 --enable-cleartext-plugin --user=jane_doe --password=$TOKEN
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 2780
Server version: 5.7.12 MySQL Community Server (GPL)

Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql>

ken5scal, Nov 16 '20 14:11
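Added example, not part of the thread or of Sequel Ace: a check of the token itself, covering both the 15-minute lifetime mentioned above and the bastion setup in the steps to reproduce, where the token is generated for the RDS endpoint while the client connects to 127.0.0.1:13306. It assumes the `host:port/?<presigned query>` layout that `aws rds generate-db-auth-token` prints; the function names and the sample token are constructed for illustration, and the signature is not verified.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs

# Constructed sample in the layout `aws rds generate-db-auth-token` prints:
# host:port/?<presigned query>. Access key and signature are placeholders.
SAMPLE_TOKEN = (
    "somethingsomething.ap-northeast-1.rds.amazonaws.com:3306/"
    "?Action=connect&DBUser=jane_doe&X-Amz-Algorithm=AWS4-HMAC-SHA256"
    "&X-Amz-Credential=AKIAPLACEHOLDER%2F20201116%2Fap-northeast-1"
    "%2Frds-db%2Faws4_request&X-Amz-Date=20201116T140000Z"
    "&X-Amz-Expires=900&X-Amz-SignedHeaders=host"
    "&X-Amz-Signature=PLACEHOLDER"
)


def inspect_token(token):
    """Parse the non-secret fields of a token; the signature is never returned."""
    endpoint, sep, query = token.strip().partition("/?")
    host, colon, port = endpoint.rpartition(":")
    if not (sep and colon and port.isdigit()):
        raise ValueError("expected host:port/?query")
    q = {k: v[0] for k, v in parse_qs(query).items()}
    missing = {"DBUser", "X-Amz-Credential", "X-Amz-Date", "X-Amz-Expires"} - q.keys()
    if missing:
        raise ValueError(f"missing fields: {sorted(missing)}")
    issued = datetime.strptime(q["X-Amz-Date"], "%Y%m%dT%H%M%SZ").replace(
        tzinfo=timezone.utc)
    scope = q["X-Amz-Credential"].split("/")  # key/date/region/service/aws4_request
    return {
        "host": host, "port": int(port), "user": q["DBUser"],
        "region": scope[2] if len(scope) == 5 else None,
        "issued": issued,
        "expires": issued + timedelta(seconds=int(q["X-Amz-Expires"])),
    }


def check_token(token, rds_host, rds_port, user, now=None):
    """List mismatches between the token's signed fields and the intended login."""
    t = inspect_token(token)
    now = now or datetime.now(timezone.utc)
    problems = []
    if (t["host"], t["port"]) != (rds_host, rds_port):
        # The token is signed for the RDS endpoint, not the local tunnel address.
        problems.append(f"signed for {t['host']}:{t['port']}")
    if t["user"] != user:
        problems.append(f"signed for user {t['user']}")
    if now < t["issued"]:
        problems.append("not valid yet (check local clock)")
    elif now >= t["expires"]:
        problems.append(f"expired at {t['expires']:%H:%M:%S} UTC")
    return problems
```

Pass the RDS hostname and port 3306 as `rds_host` and `rds_port` even when the client connects through the SSH tunnel; the result lists only field mismatches and expiry, so an empty list does not prove the signature is valid.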

We're including the Cleartext plugin in the 2.3.1 @ken5scal, we just don't have a beta available yet. Please hold tight and we'll have a beta for you to test soon. Trying to wrap a few final issues into 2.3.1 before pushing it along.

Jason-Morcos, Nov 17 '20 06:11

Oh Ic. Thanks!

ken5scal, Nov 23 '20 10:11

I believe Cleartext plugin was released btw.

Kaspik, Dec 01 '20 22:12

Do you think it is possible to create something similar to what exists for Datagrip AWS Docs? This creates a very good user experience as the complexity of copy-pasting the password is hidden from the Client UI and the user just has to click the login password.

angeloskaltsikis, Jan 25 '21 12:01

We have a request for full support of AWS and it's on our roadmap, it's just not the top priority for now yet as we have some memory-leak / memory-management related issues that are causing stability issues.

Kaspik, Jan 25 '21 12:01

Does this still need more info, per the tag? I'd love to be able to enable RDS IAM auth for my engineers.

ghost, Jan 10 '22 19:01

The request we had was postponed so no one really had time to look into this, and to be completely honest I don't think anyone will be able to check that in the near future, sorry 😞

Kaspik, Jan 10 '22 19:01