Does the pt-online-schema-change tool support IAM-based user authentication?

Facing issues when using IAM token-based authentication with Percona tools like pt-online-schema-change. The pt-online-schema-change tool might be truncating or tweaking the password value on command execution, and this may be causing authentication to fail.

1 Like

@dinesh082293 Can you please provide an example of how you are executing pt-osc with IAM? I’m not aware of any native IAM integration so I’m curious as to what exactly you are doing.

1 Like

@matthewb When I generate an IAM token and use it as the password with the command below, it fails with an access denied error.

Command used:

pt-online-schema-change D=XXXX,t=XXXX,u=XXXX,h=XXXX.rds.amazonaws.com --ask-pass --critical-load Threads_running=1500 --alter-foreign-keys-method auto --recursion-method none --progress percentage,1 --no-check-alter --nodrop-old-table --execute --alter "ADD INDEX XXXXX;"

I used the same token to log in to the RDS instance via the MySQL client through IAM authentication, and it was successful. I was also able to use pt-online-schema-change as a normal user. The issue [access denied] only comes up when I use pt-online-schema-change with the IAM token.

1 Like

@dinesh082293 , I’m unfamiliar with IAM tokens so I cannot comment on that. All I know is that there is no direct native IAM integration with any percona-toolkit tools. Can you tell me which mysql client you are using? Community? MariaDB? Run this command please “sudo rpm -qa | grep -i mysql” and then run again for “grep -i percona” Thanks.

1 Like

@dinesh082293 Are these the steps that you followed?

https://aws.amazon.com/premiumsupport/knowledge-center/users-connect-rds-iam/

1 Like

@matthewb Thanks for the response.

Yes, these are the steps we follow, and we are using Amazon Aurora MySQL.

1 Like

I was able to get pt-online-schema-change to connect using an IAM access token by setting the LIBMYSQL_ENABLE_CLEARTEXT_PLUGIN environment variable to 1 and adding “mysql_ssl=1” to the DBI connection string, similar to this script.

pt-online-schema-change doesn’t seem to provide any way of setting the DBI “mysql_ssl” flag. Could that be added to the options somehow?

1 Like

UPDATE: You can just tack “;mysql_ssl=1” onto the host portion of the DSN, and it works:

export LIBMYSQL_ENABLE_CLEARTEXT_PLUGIN=1
port=3306
region="us-east-1"
host="your-rds-instance.us-east-1.rds.amazonaws.com"
user="your_iam_username"
token=$(aws rds generate-db-auth-token --hostname $host --port $port --username $user --region $region)

pt-online-schema-change --dry-run --alter "CHANGE COLUMN id id BIGINT UNSIGNED NOT NULL auto_increment" "D=your_database,t=your_table,h=$host;mysql_ssl=1,u=$user,p=$token"

Is this officially supported functionality, or could this be broken by an update to the DSN parser?

1 Like
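Added example, not part of any post in this thread and not Percona's code: a shell wrapper around the workaround in the last post that checks the token's shape before use and backslash-escapes commas in it, since the DSN is comma-separated and the toolkit documentation says commas in a password must be escaped. The function names, the token-shape check (host:port prefix, an X-Amz-Signature parameter, no whitespace) and the `--run` switch are assumptions made for illustration.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not part of percona-toolkit.

# Backslash-escape commas so the DSN parser does not split the password.
dsn_escape() {
    printf '%s' "$1" | sed 's/,/\\,/g'
}

# Assumed token shape: "<host>:<port>/?...X-Amz-Signature=..." with no
# whitespace. A wrapped or truncated token fails this check.
token_looks_valid() {  # args: token host port
    case "$1" in
        *[[:space:]]*) return 1 ;;
    esac
    case "$1" in
        "$2:$3/?"*X-Amz-Signature=*) return 0 ;;
    esac
    return 1
}

# Assemble the DSN from the thread, with ";mysql_ssl=1" on the host part.
build_dsn() {  # args: db table host user token
    printf 'D=%s,t=%s,h=%s;mysql_ssl=1,u=%s,p=%s' \
        "$1" "$2" "$3" "$4" "$(dsn_escape "$5")"
}

# Subshell body keeps the exported variable and token out of the caller.
run_osc() (  # args: db table host port user region alter
    export LIBMYSQL_ENABLE_CLEARTEXT_PLUGIN=1
    token=$(aws rds generate-db-auth-token --hostname "$3" --port "$4" \
        --username "$5" --region "$6") || exit 1
    if ! token_looks_valid "$token" "$3" "$4"; then
        echo "auth token does not have the expected shape" >&2
        exit 1
    fi
    pt-online-schema-change --dry-run --alter "$7" \
        "$(build_dsn "$1" "$2" "$3" "$5" "$token")"
)

# Only contacts AWS and the database when invoked explicitly with --run.
if [ "${1:-}" = "--run" ]; then
    shift
    run_osc "$@"
fi
```

With this form the token still appears in the process arguments of pt-online-schema-change while it runs, as it does in the command from the thread.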