feature/rds/auth: RDS BuildAuthToken returns certificate error when using code specified in documentation

[sarahzinger]

Acknowledgements

• I have searched (https://github.com/aws/aws-sdk/issues?q=is%3Aissue) for past instances of this issue
• I have verified all of my SDK modules are up-to-date (you can perform a bulk update with go get -u github.com/aws/aws-sdk-go-v2/...)

Describe the bug

I am trying to connect to a mysql instance with IAM using the AWS SDK for go v2 and wrote code as described here and when I make queries I get back the error tls: failed to verify certificate: x509: certificate signed by unknown authority

I was able to follow the comment seen here aws/aws-sdk-go#1248 (comment) and do something similar to handle certs manually and got it to work, but it seems like the kind of thing that could be handled by the sdk (or if that's not possible for some reason, it should be in the documentation)

Expected Behavior

I would expect the listed documentation to be enough to make a connection to mysql without a certificate error

Current Behavior

Following documentation to connect to mysql with IAM with the aws-sdk-go-v2 results in the following error
tls: failed to verify certificate: x509: certificate signed by unknown authority

Reproduction Steps

Using 8.0.mysql_aurora.3.05.2 and github.com/aws/aws-sdk-go-v2 v1.30.0

This following code (taken from aws docs) results in the error:

package main
                
import (
     "context"
     "database/sql"
     "fmt"

     "github.com/aws/aws-sdk-go-v2/config"
     "github.com/aws/aws-sdk-go-v2/feature/rds/auth"
     _ "github.com/go-sql-driver/mysql"
)

func main() {

     var dbName string = "DatabaseName"
     var dbUser string = "DatabaseUser"
     var dbHost string = "mysqldb.123456789012.us-east-1.rds.amazonaws.com"
     var dbPort int = 3306
     var dbEndpoint string = fmt.Sprintf("%s:%d", dbHost, dbPort)
     var region string = "us-east-1"

    cfg, err := config.LoadDefaultConfig(context.TODO())
    if err != nil {
    	panic("configuration error: " + err.Error())
    }

    authenticationToken, err := auth.BuildAuthToken(
    	context.TODO(), dbEndpoint, region, dbUser, cfg.Credentials)
    if err != nil {
	    panic("failed to create authentication token: " + err.Error())
    }

    dsn := fmt.Sprintf("%s:%s@tcp(%s)/%s?tls=true&allowCleartextPasswords=true",
        dbUser, authenticationToken, dbEndpoint, dbName,
    )

    db, err := sql.Open("mysql", dsn)
    if err != nil {
        panic(err)
    }

    err = db.Ping()
    if err != nil {
        panic(err)
    }
}

Possible Solution

Changing the following fixes it:

• define a function to RegisterTLSConfig

func RegisterRDSMysqlCerts(c *http.Client) error {
	resp, err := c.Get("https://s3.amazonaws.com/rds-downloads/rds-combined-ca-bundle.pem")
	if err != nil {
		return err
	}

	pem, err := io.ReadAll(resp.Body)
	if err != nil {
		return err
	}

	rootCertPool := x509.NewCertPool()
	if ok := rootCertPool.AppendCertsFromPEM(pem); !ok {
		return err
	}

	err = mysql.RegisterTLSConfig("rds", &tls.Config{RootCAs: rootCertPool, InsecureSkipVerify: true})
	if err != nil {
		return err
	}
	return nil
}

• then call it before sql.Open:

	err = RegisterRDSMysqlCerts(http.DefaultClient)
	if err != nil {
		panic(err)
	}

• then set tls=rds in the datasourcename arg for sql.Open

It does feel like maybe this is the kind of thing that could happen in the sdk when you call buildAuthToken, or potentially in a helper function that you reference first and appears in documentation.

Additional Information/Context

No response

AWS Go SDK V2 Module Versions Used

github.com/aws/aws-sdk-go-v2 v1.30.0

Compiler and Version used

go version go1.22.4 darwin/arm64

Operating System and version

macOS Sonoma Version 14.5

[RanVaknin]

Hi @sarahzinger ,

Thanks for reaching out. This is indeed interesting.
Only the RDS team itself has access to edit the doc you sent.

Just to clarify the title

RDS BuildAuthToken returns certificate error when using code specified in documentation

The BuildAuthToken function does not return a certificate error. All it does is generate a presigned URL scoped with the correct credentials so you can access your RDS database that way. The TLS cert error is related to the certificate provided by the RDS server itself and not the SDK.

I think we can add further customization to the RDS signer to create a function that retrieves the certificate pool and registers it similar to the workaround. Additionally I will reach out to the RDS team to clarify this step.

Thanks again,
Ran~