IAM Database Authentication - How to use CLI generated Token

Question

I'm following http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.html in order to authenticate from an EC2 to RDS. I am able to run the generate-db-auth-token command to retrieve a token, but I'm not sure what to do with it after that (the instructions inexplicably end).

I've tried simply passing the regurgitated string (as well as logical substrings of the returned fields) as the password of a mysql client connection, but this doesn't seem to work.

The returned token is in the following form: {instance identifier}.{region}.rds.amazonaws.com:3306/?Action=connect&DBUser={auth db username}&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=900&X-Amz-Date=20170622T221608Z&X-Amz-SignedHeaders=host&X-Amz-Security-Token={super long, web-escaped string containing special characters}&X-Amz-Credential={some shorter, a web-escaped string containing special characters}&X-Amz-Signature={some long string of alphanumeric characters}

Any help is greatly appreciated.

Answer 1

This is working, try this out:

$ mysql -u iam_user -h iamtest.xxxxxxxxxxxx.ap-northeast-1.rds.amazonaws.com \

--password=`aws rds generate-db-auth-token --hostname iamtest.xxxxxxxxxxxx.ap-northeast-1.rds.amazonaws.com \

--port 3306 \

--username iam_user \

--region ap-northeast-1` \

--ssl-ca=/Users/hoge/rds-combined-ca-bundle.pem \

--enable-cleartext-plugin