Receiving "(using password: NO)" when password was given

[raulsh]

Issue description

I'm connecting to MySQL using a password (token) generated through AWS IAM (https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.Connecting.Go.html#UsingWithRDS.IAMDBAuth.Connecting.GoV2).

So the user needs to be created with a specific authentication and not "just" password: CREATE USER jane_doe IDENTIFIED WITH AWSAuthenticationPlugin AS 'RDS'; (but the token is still a password that expire after 15 minutes).

When I use that token or even a random input (invalid password, of course) with that user, I receive the message that i'm not using a password. Error 1045 (28000): Access denied for user 'XXXX'@'YY.YY.YY.YY' (using password: NO)

The weird thing is the (using password: NO) is just with my code, but in terminal the behaviour is OK (even with an incorrect password - just to ensure). To test if the token generation is valid or not, I printed the token generated with my code and I used it in the terminal (mysql -h ... -u .... -p(token)) and it works fine.

My last test, just to ensure if users without IAM authentication have the same behaviour, I tried with another user (without IAM auth - traditional password access) with an invalid password, and I'm receiving the expected output: Error 1045 (28000): Access denied for user 'XXXX'@'YY.YY.YY.YY' (using password: YES)

I changed all the settings that I can, but is still not working. I don't know if is a problem from my side or it's a lib issue.

Example code

    username := m.Username
    password, err := auth.BuildAuthToken(
        m.ctx, endpoint, m.Region, m.Username, m.Creds,
    )
    if err != nil {
        return err
    }

    cfg := mysql.NewConfig()
    cfg.User = username
    cfg.Passwd = password
    cfg.Net = "tcp"
    cfg.Addr = endpoint
    cfg.DBName = "XXXXX"
    cfg.AllowCleartextPasswords = true
    cfg.ParseTime = true

    fmt.Printf("%+v\n", cfg)

    connector, err := mysql.NewConnector(cfg)
    if err != nil {
        return err
    }

    db := sql.OpenDB(connector)

Error log

2024-03-23T15:43:59.536-0300    ERROR   provisioner/router.go:91        error getting databases {"error": "Error 1045 (28000): Access denied for user 'XXX'@'YY.YY.YY.YY' (using password: NO)"}

Configuration

Driver version (or git SHA): v1.8.0

Go version: go1.21.5 linux/amd64

Server version: MySQL 8.0.28

Server OS: AWS RDS

[methane]

Is that an only log message? No log like "unknown auth plugin"?

I haven't use cleartext plugin so don't expect quick fix. If you are Go developer, you can debug it by seeing around here.

https://github.com/go-sql-driver/mysql/blob/d7ddb8b9e324830b1ede89c5fea090c824497c51/auth.go#L348-L354

https://github.com/go-sql-driver/mysql/blob/d7ddb8b9e324830b1ede89c5fea090c824497c51/auth.go#L277-L302

[shogo82148]

It is not the driver issue. I've connected to Amazon RDS Aurora using AWS IAM authentication, and it worked fine.

My tested code is here: https://github.com/shogo82148/rdsmysql/blob/main/v2/README.md

There might be a problem with your code. Possible causes include:

• TLS is not enabled
• Please check the format of the endpoint. While the port number can be omitted in mysql.Config, it cannot be omitted in the arguments for auth.BuildAuthToken.