Facing issues when using IAM token based authentication with percona tools like pt-online-schema-change. pt-online-schema-change tool might be truncating or tweaking the password value on the command execution and this may be failing authentication.
@dinesh082293 Can you please provide an example of how you are executing pt-osc with IAM? I’m not aware of any native IAM integration so I’m curious as to what exactly you are doing.
@matthewb When i generate IAM token and use that password with below command, it fails with access denied error.
pt-online-schema-change D=XXXX,t=XXXX,u=XXXX,h=XXXX.rds.amazonaws.com --ask-pass --critical-load Threads_running=1500 --alter-foreign-keys-method auto --recursion-method none --progress percentage,1 --no-check-alter --nodrop-old-table --execute --alter "ADD INDEX “XXXXX;”
Used the same token to login into the RDS via MySQL client through IAM authentication and it was successful. And i was able to use pt-online-schema-change as normal user. Issue[access denied] only comes when i use pt-online-schema-change with IAM token.
@dinesh082293 , I’m unfamiliar with IAM tokens so I cannot comment on that. All I know is that there is no direct native IAM integration with any percona-toolkit tools. Can you tell me which mysql client you are using? Community? MariaDB? Run this command please “sudo rpm -qa | grep -i mysql” and then run again for “grep -i percona” Thanks.
@dinesh082293 Are these the steps that you followed?
@matthewb Thanks for the response.
Yes these are the steps we follow and we are using Amazon aurora mysql.
I was able to get pt-online-schema-change to connect using an IAM access token by setting the LIBMYSQL_ENABLE_CLEARTEXT_PLUGIN environment variable to 1 and adding “mysql_ssl=1” to the DBI connection string, similar to this script.
pt-online-schema-change doesn’t seem to provide any way of setting the DBI “mysql_ssl” flag. Could that be added to the options somehow?
UPDATE: You can just tack “;mysql_ssl=1” onto the host portion of the DSN, and it works:
export LIBMYSQL_ENABLE_CLEARTEXT_PLUGIN=1 port=3306 region="us-east-1" host="your-rds-instance.us-east-1.rds.amazonaws.com" user="your_iam_username" token=$(aws rds generate-db-auth-token --hostname $host --port $port --username $user --region $region) pt-online-schema-change --dry-run --alter "CHANGE COLUMN id id BIGINT UNSIGNED NOT NULL auto_increment" "D=your_database,t=your_table,h=$host;mysql_ssl=1,u=$user,p=$token"
Is this officially supported functionality, or could this be broken by an update to the DSN parser?