You don't have to write a solid MySQL password Please replace the inside of {} as appropriate
CREATE USER '{MySQL username}'@'%' IDENTIFIED WITH AWSAuthenticationPlugin as 'RDS'; #User created
GRANT ALL PRIVILEGES ON {MySQL DB name}.* TO '{MySQL username}'@'%' REQUIRE SSL; #Authority
Make a policy like this
If you attach directly with json, it looks like this
{
"Effect": "Allow",
"Action": "rds-db:connect",
"Resource": "arn:aws:rds-db:{AWS::Region}:{AWS::AccountId}:dbuser:cluster-{Resource ID}/{MySQL username}",
}
CloudFormation looks like this
iamRole:
- Effect: Allow
Action:
- "rds-db:connect"
Resource:
- 'Fn::Join':
- ':'
- - 'arn:aws:rds-db'
- Ref: 'AWS::Region'
- Ref: 'AWS::AccountId'
- 'dbuser:cluster-{Resource ID}/{MySQL username}'
Issue a token (temporary password) like this
client = boto3.client("rds")
#Get token
token = client.generate_db_auth_token(
DBHostname=RDS_HOST,
Port=RDS_PORT,
DBUsername=RDS_USER_NAME
)
db_connection = mysql.connector.connect(
host=RDS_HOST,
port=RDS_PORT,
database=RDS_DB_NAME,
user=RDS_USER_NAME,
passwd=token
)
Only this Easy ~~
Recommended Posts