IAM Database Authentication results in Authentication fallback / failure #268
Comments
According to Client-Side Cleartext Pluggable Authentication:
There is currently no support for The Amazon documentation says:
Thus it seems that it wouldn't be insecure to send the password in cleartext because it will be protected by a TLS connection.
Just curious, have you tried using IAM Authentication with Oracle's Connector/NET (MySql.Data)? I wasn't able to find support for
@bgrainger -- support for sending the password in the clear over SSL should enable this use case. I'll test things out using MySqlData sometime tomorrow and let you know. Also, thanks for the quick response!!!!
We'll add support for This doesn't protect against a malicious proxy that attempts to steal clients' credentials; to defend against that we could require explicit opt-in, e.g., through a new connection string setting or by supporting the
Implemented in 0.20.0.
@bgrainger I just updated to v0.20 and can confirm that the fix works! Thanks again!
@iamcarbon I just noticed that the IAM documentation page says:
This makes me think that connection pools will stop working after about 15 minutes. (Existing connections in the pool might still work, but opening a new connection will just fail with no way to recover.) I think a workaround could be to set Please let me know what you find.
We're dynamically updating the password every 10 minutes: which should, in theory, create a new pool -- with the existing connections getting removed after going idle for some period of time (i.e. 5 minutes). Going to clone the project and dive into the guts to see what's actually happening.
I believe the only thing that may not work anymore is closing/reopening an existing connection to a database version that does not support the connection reset payload if All calls to
In theory you should be in good shape then 😄 I believe that any recent version of Amazon RDS should support the connection reset payload, in which case you would never hit the above issue.
When attempting to authenticate to MySQL using IAM authentication, we seem to be attempting to switch protocols and falling back to "mysql_clear_password".
This may have something to do with AWS reusing the user & password properties. Will do some more digging -- but posting here for now to track the issue.
DB USER
CONNECTION STRING
ERROR WHEN CONNECTING
System.NotSupportedException : Authentication method 'mysql_clear_password' is not supported.
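The policy discussed in this thread (answer the server's switch to `mysql_clear_password` only when the connection is already protected by TLS), as an added example that is not code from MySqlConnector or from any participant. The function names, the sample packet and the placeholder token are constructed for illustration; the packet layout assumed is the MySQL AuthSwitchRequest format (0xFE, NUL-terminated plugin name, plugin data).

```python
"""Client-side gate for the mysql_clear_password auth switch (illustrative only)."""
from typing import Tuple

AUTH_SWITCH_REQUEST = 0xFE
CLEAR_PASSWORD_PLUGIN = "mysql_clear_password"


class CleartextAuthRefused(Exception):
    """Raised when the client declines to send the password unhashed."""


def parse_auth_switch_request(payload: bytes) -> Tuple[str, bytes]:
    """Split an AuthSwitchRequest payload into (plugin name, plugin data)."""
    if not payload or payload[0] != AUTH_SWITCH_REQUEST:
        raise ValueError("not an AuthSwitchRequest packet")
    name_end = payload.find(b"\x00", 1)
    if name_end == -1:
        raise ValueError("plugin name is not NUL-terminated")
    return payload[1:name_end].decode("ascii"), payload[name_end + 1:]


def clear_password_response(payload: bytes, password: str, tls_active: bool) -> bytes:
    """Build the auth switch response, refusing when the channel is not TLS."""
    plugin, _data = parse_auth_switch_request(payload)
    if plugin != CLEAR_PASSWORD_PLUGIN:
        raise NotImplementedError(f"auth method {plugin!r} is outside this example")
    if not tls_active:
        # Without TLS the password (here, the IAM token) would be readable on the wire.
        raise CleartextAuthRefused(
            "server requested mysql_clear_password on a non-TLS connection")
    # mysql_clear_password sends the password bytes followed by a NUL terminator.
    return password.encode("utf-8") + b"\x00"


# Constructed sample: the payload a server sends to request the switch.
SAMPLE_SWITCH = bytes([AUTH_SWITCH_REQUEST]) + b"mysql_clear_password\x00"
SAMPLE_TOKEN = "constructed-iam-token"  # placeholder, not a real RDS token

if __name__ == "__main__":
    print(clear_password_response(SAMPLE_SWITCH, SAMPLE_TOKEN, tls_active=True))
    try:
        clear_password_response(SAMPLE_SWITCH, SAMPLE_TOKEN, tls_active=False)
    except CleartextAuthRefused as exc:
        print("refused:", exc)
```

As the thread notes, a TLS check alone does not defend against a malicious proxy; that would need an explicit opt-in on top of this gate.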