Would like to inform upfront that I am new to AWS in general. For my project I am trying to use AWS RDS MySQL using IAM Authentication (IAM Role) from a Java application deployed on Tomcat on an EC2 instance. Before trying it from Java I am trying it from the command prompt on the EC2 instance. I am following this link to do it:
https://aws.amazon.com/premiumsupport/knowledge-center/users-connect-rds-iam/
I have done the following so far (please pardon if I am not using correct terminologies):
MySQL using AWS RDS
Enabled IAM Authentication on my MySQL instance
Created IAM Role for EC2
Created an inline policy for the above IAM Role and granted required "Action". Also included the "Resources" (my database's endpoint with username), as below:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"rds-db:connect"
],
"Resource": [
"arn:aws:rds-db:<my-region>:<my-account-id>:dbuser:<my-db-resource-id>/<my-db-username>"
]
}
]
}
Assigned this IAM Role to an EC2 instance I have created
I followed everything given in the link at the top and everything seem to work except for the last command.
As in the link I created DB user as below:
CREATE USER dev_user IDENTIFIED WITH AWSAuthenticationPlugin as 'RDS';
The last command in the link that is not working is:
mysql -h {db or cluser endpoint} --ssl-ca={certificate file name with complete path} --ssl-verify-server-cert -u {dbusername2} -p"{authenticationtoken}" --enable-cleartext-plugin
Every time I run this command it asks for the password and then I am getting an error. I am at a loss on how to resolve it.
In the above mysql command if I pass my master user-id (I created it as 'admin') and enter it's password I get an error like this:
[ec2-user#ip-xxx-xx-xx-16 ~]$ mysql -h <endpoint of my RDS DB instance> --ssl-ca=rds-combined-ca-bundle.pem --ssl-verify-server-cert -u admin -p 'aws rds generate-db-auth-token --hostname <endpoint of my RDS DB instance> --port 3306 --username dev_user' --enable-cleartext-plugin
Enter password:
ERROR 1059 (42000): Identifier name 'aws rds generate-db-auth-token --hostname --port' is too long
And if in the same command I provide the above created DB user (dev_user). I get the following error if provide "dev_user" as user in the command and whether I enter a password or not. [In this case, the above link did not set a password so what should I do when it asks to enter the password?]:
[ec2-user#ip-xxx-xx-xx-16 ~]$ mysql -h <endpoint of my RDS DB instance> --ssl-ca=rds-combined-ca-bundle.pem --ssl-verify-server-cert -u dev_user -p 'aws rds generate-db-auth-token --hostname <endpoint of my RDS DB instance> --port 3306 --username dev_user' --enable-cleartext-plugin
Enter password:
ERROR 1045 (28000): Access denied for user 'dev_user'#'xxx.xx.xx.16' (using password: YES)
I get the same "Access denied..." error when I enter "admin" in both places in the command above.
Any help will be highly appreciated.
Thank you.
First of all, there shouldn't be space after -p parameter.
Second, if you want to execute aws rds generate-db-auth-token... inline, it should be marked with ticks, not single quotes.
mysql -h <endpoint of my RDS DB instance> --ssl-ca=rds-combined-ca-bundle.pem --ssl-verify-server-cert -u dev_user -p`aws rds generate-db-auth-token --hostname <endpoint of my RDS DB instance> --port 3306 --username dev_user` --enable-cleartext-plugin
Related
I have a problem connecting to MongoDB atlas through mongo shell, even though I have done everything right and triple checked data username and password, included my IP in the whitelist, changed the database name to test, and tried adding --password in the same line
`$ mongo "mongodb+srv://cluster******.mongodb.net/test" --username admin --password admin
MongoDB shell version v4.4.6
connecting to: mongodb://cluster0-shard-00-00.4d5jd.mongodb.net:27017,cluster0-shard-00-01.4d5jd.mongodb.net:27017,cluster0-shard-00-02.4d5jd.mongodb.net:27017/test?compressors=disabled&gssapiServiceName=mongodb&ssl=true
*** You have failed to connect to a MongoDB Atlas cluster. Please ensure that your IP whitelist allows connections from your network.
Error: bad auth : Authentication failed. :
connect#src/mongo/shell/mongo.js:374:17
#(connect):2:6
exception: connect failed
exiting with code 1`
MongoDB Atlas creates all users in the admin database.
The output from your attempt does not indicate that it was using the admin database for authentication, so you will likely need to use either the --authenticationDatabase command line option, or include authSource= in the URL, i.e. one of:
mongo "mongodb+srv://cluster******.mongodb.net/test" --username admin --password admin --authenticationDatabase admin
or
mongo "mongodb+srv://cluster******.mongodb.net/test?authSource=admin" --username admin --password admin
I'm not able to assign a role to a ec2 cluster via the spark script spark/ec2/spark-ec2. I use the following command to start the cluster:
where myprofile is a testing profile with sufficient permissions.
./spark-ec2 -k <key name> -i <aws .pem file> -s 2 -r eu-west-1 launch mycluster --instance-type=m4.large --instance-profile-name=myprofile
I can see the instances in the ec2 console where they also have the correct role assigned.
I then proceed to ssh into the master instance with:
./spark-ec2 -k <key name> -i <aws .pem file> login mycluster
and with
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/myprofile
I can view my temporal security key, access key and a security token. However, running
aws s3 list-buckets
returns
"Message": "The AWS Access Key Id you provided does not exist in our records."
Retrieving the keys via the curl command and pass them to boto does not work either, giving a '403 permission denied'..
Am I missing something?
Please see this very similar question below. But as I am not allowed to comment there and I neither have the answer to it I made a new question. Maybe someone could comment to that person with a link to my question. Thanks.
Running Spark EC2 scripts with IAM role
Ok I had this problem for 3 days and now I solved directly after posting the question... do:
sudo yum update
will update the aws cli and after that roles seems to work.
I can even do in python:
from boto.s3.connection import S3Connection
conn = S3Connection()
bucket = conn.get_bucket('my_bucket')
keys = bucket.list()
I would like to be able to access mongodb://admin:password#db:27017/testdb, but I keep getting
Command: ./node_modules/east/bin/east migrate --adapter east-mongo --url mongodb://admin:password#db/testdb
[conn7] SCRAM-SHA-1 authentication failed for admin on testdb from client 172.17.2.60 ; UserNotFound Could not find user admin#testdb
db is the hostname. This is what I have done:
mongod --storageEngine wiredTiger --httpinterface --rest --master --auth &
mongo admin --eval "db.createUser({user: 'admin', pwd: 'password', roles:[{role:'root',db:'admin'}]});"
If I do
mongo admin -u admin -p password --host db --port 27017
then show dbs works.
Now I want to access testdb which I haven't created yet, but from my understanding databases that doesn't exist are created on the fly?
mongo testdb -u admin -p password --host localhost --port 27017
2016-06-08T16:14:02.146+0200 E QUERY Error: 18 Authentication failed.
Question
Can anyone see why I can't connect?
You are trying to authenticate against a database that is non-existent or empty. This is why the authentication fails.
I would
log in into MongoDB.
execute use testdb to switch to testdb database
execute db.createuser(...) with the appropriate options to create a user/password which you can use to authenticate with
Then you should be able to do what you described.
I need a little help with mongo.
I installed 2.4.9 version from accroding to this instructions:
For ubuntu - http://docs.mongodb.org/manual/tutorial/install-mongodb-on-ubuntu/
For Debian - http://docs.mongodb.org/manual/tutorial/install-mongodb-on-debian/
I followed manuals and documentation. Everything worked fine but when I change mongo settings to "auth=true" permissions go crazy.
Here is my user:
{
"_id" : ObjectId("5305dd8729ae7b95a4bde944"),
"user" : "root",
"pwd" : "063bbfd478f7b78df6c93b6202af9145",
"roles" : ["clusterAdmin", "userAdminAnyDatabase",
"readWriteAnyDatabase", "dbAdminAnyDatabase" ] }
I used rockmongo. And when I open my mongodb it says that I don't have enough permissions to run command db.getCollectionNames()
It says: Execute failed:unauthorized
And the same thing for creating users, managing databases.
I can't imagine what more permissions should I provide to user.
As it is said in manual this user is the first one I created. I gave him all highest admin privileges.
After changing auth parameter to auth=true
I also can't login in command line.
$ mongo -uroot -p <my password> --host 127.0.0.1
MongoDB shell version: 2.4.9
connecting to: 127.0.0.1:27017/test
Thu Feb 20 11:56:17.510 Error: 18 { code: 18, ok: 0.0, errmsg: "auth fails" } at src/mongo/shell/db.js:228
exception: login failed
By the way I tried password with and without braces. With long option and short one. This way -p<my password> and this way -p <my password>
But application (use simple db users) works fine.
I created database and two users (before making auth=true) and they seems fine for applications that use them.
I couldn't google any information. In most cases adding clusterAdmin or other permissions solves the problem for them.
OS: Ubuntu 12.04 and Debian 7 (In both same behavior)
MongoDb: 2.4.9
What is my mistake?
Did you create the user on the admin database?
clusterAdmin and the *AnyDatabase permissions apply only on the admin database.
When you authenticate, you'll need to authenticate against the admin database and then access other databases according to user's permissions.
mongo --authenticationDatabase admin -u root -p <my password> --host 127.0.0.1
I want to create user and database in linux server.
I am able to create user with the following code:
su - postgres
# createuser -S -D -R myUser
but when I tried to create database with code :
# createdb -U myUser -p 5432 myDatabase
I get following error:
createdb: could not connect to database postgres: FATAL: Ident authentication failed for user "myUser"
I am new to linux so I am unable to figure out why I was able to create user but while creating database there is connection error with postgres. And also error for ident
authentication for user.
I am new to linux so I am unable to figure out why I was able to create user but while
creating database there is connection error with postgres. And also error for ident
authentication for user.
ident is an authentication schema that relies on the currently logged in user. If you've su -s to postgres and then try to login as another user, ident will fail (as it's not the currently logged in user). You can solve this issue in two ways, I tend to use the latter.
solution: simply make sure the currently logged in user is the user with which you would like to log in to postgres:
postgres#machine:~$ createuser -S -D -R myUser
postgres#machine:~$ exit
machine:~# su - myUser
myUser#machine:~$ psql myDatabase
better solution: change pg_hba.conf (probably located in /etc/postgresql/8.4/main/ or similar), and make sure you add the "md5" authentication schema to the list of options. Here's my pg_hba.conf on my development box, without comments:
berry#berry-pc:~$ sudo cat /etc/postgresql/8.4/main/pg_hba.conf | grep -v "^#" | grep -v "^$"
local all postgres ident
local all all md5
host all all 127.0.0.1/32 md5
host all all ::1/128 md5
This tells PostgreSQL that postgres can login with ident, and all other users can login using the md5 authentication. That way, you can use the -U switch to the psql binary to denote which user you wish to become, so this actually works:
berry#berry-pc:~$ psql -U myUser myDatabase.
That said, I tend to use the postgres superuser to create databases. I then grant permissions on the newly created database to the newly created user, as such:
postgres#debian:~$ psql template1
template1=# CREATE USER myUser WITH PASSWORD 'myPassword';
CREATE ROLE
template1=# CREATE DATABASE myDatabase;
CREATE DATABASE
template1=# GRANT ALL PRIVILEGES ON DATABASE myDatabase TO myUser;
GRANT
template1=# \q
Hope that helps.
ADDENDUM: Once you've altered the pg_hba.conf, you will have to restart the PostgreSQL server to make sure it reads the configuration again. You can do so by issuing this command:
root#debian:~$ /etc/init.d/postgresql-8.4 restart
The script might be called "postgresql" instead of "postgresql-8.4", depending on OS and method of installation.