feat: Add AWS IAM authentication support for MySQL

- Add @aws-sdk/rds-signer dependency for RDS auth token generation - Extend CLI arguments with --aws-iam-auth and --aws-region options - Implement automatic AWS RDS auth token generation in MySQL adapter - Auto-enable SSL for AWS IAM authentication (required by RDS) - Add comprehensive error handling for AWS credential issues - Update documentation with AWS IAM authentication examples - Maintain backward compatibility with existing authentication methods Resolves the need for secure AWS RDS connections without hardcoded passwords.
2025-12-09 21:12:57 +08:00 · 2025-07-16 17:20:37 +02:00
parent 70d1b96f2c
commit 72325c95a3
6 changed files with 1463 additions and 9 deletions
--- a/docs/docs/connection-reference.md
+++ b/docs/docs/connection-reference.md
@@ -75,18 +75,29 @@ node dist/src/index.js --postgresql --host dbserver.example.com --database sampl
 | `--mysql` | Specifies MySQL mode | - | Yes |
 | `--host` | MySQL hostname or IP | - | Yes |
 | `--database` | Database name | - | Yes |
-| `--user` | MySQL username | - | No |
-| `--password` | MySQL password | - | No |
+| `--user` | MySQL username | - | No* |
+| `--password` | MySQL password | - | No* |
 | `--port` | MySQL port | 3306 | No |
 | `--ssl` | Use SSL connection (true/false or object) | false | No |
 | `--connection-timeout` | Connection timeout in ms | 30000 | No |
+| `--aws-iam-auth` | Enable AWS IAM authentication | false | No |
+| `--aws-region` | AWS region for RDS IAM auth | - | No** |

-### Example
+*Required for standard authentication  
+**Required when using `--aws-iam-auth`
+
+### Standard Authentication Example

 ```bash
 node dist/src/index.js --mysql --host localhost --database sample_db --port 3306 --user root --password secret
 ```

+### AWS IAM Authentication Example
+
+```bash
+node dist/src/index.js --mysql --aws-iam-auth --host rds-endpoint.region.rds.amazonaws.com --database sample_db --user aws-username --aws-region us-east-1
+```
+
 ## Environment Variables

 Instead of specifying sensitive credentials on the command line, you can use environment variables:
--- a/package-lock.json
+++ b/package-lock.json
--- a/package.json
+++ b/package.json
@@ -23,6 +23,7 @@
        "clean": "rimraf dist"
    },
    "dependencies": {
+        "@aws-sdk/rds-signer": "^3.0.0",
        "@modelcontextprotocol/sdk": "1.9.0",
        "mssql": "11.0.1",
        "mysql2": "^3.14.1",
--- a/readme.md
+++ b/readme.md
@@ -94,6 +94,8 @@ Optional parameters:

 ### MySQL Database

+#### Standard Authentication
+
 To use with a MySQL database:

 ```
@@ -111,6 +113,23 @@ Optional parameters:
 - `--ssl`: Enable SSL connection (true/false or object)
 - `--connection-timeout`: Connection timeout in milliseconds (default: 30000)

+#### AWS IAM Authentication
+
+For Amazon RDS MySQL instances with IAM database authentication:
+
+```
+node dist/src/index.js --mysql --aws-iam-auth --host <rds-endpoint> --database <database-name> --user <aws-username> --aws-region <region>
+```
+
+Required parameters:
+- `--host`: RDS endpoint hostname
+- `--database`: Name of the database
+- `--aws-iam-auth`: Enable AWS IAM authentication
+- `--user`: AWS IAM username (also the database user)
+- `--aws-region`: AWS region where RDS instance is located
+
+Note: SSL is automatically enabled for AWS IAM authentication
+
 ## Configuring Claude Desktop

 ### Direct Usage Configuration
@@ -164,6 +183,19 @@ If you installed the package globally, configure Claude Desktop with:
        "--user", "your-username",
        "--password", "your-password"
      ]
+    },
+    "mysql-aws": {
+      "command": "npx",
+      "args": [
+        "-y",
+        "@executeautomation/database-server",
+        "--mysql",
+        "--aws-iam-auth",
+        "--host", "your-rds-endpoint.region.rds.amazonaws.com",
+        "--database", "your-database-name",
+        "--user", "your-aws-username",
+        "--aws-region", "us-east-1"
+      ]
    }
  }
 }
@@ -216,6 +248,18 @@ For local development, configure Claude Desktop to use your locally built versio
        "--user", "your-username",
        "--password", "your-password"
      ]
+    },
+    "mysql-aws": {
+      "command": "node",
+      "args": [
+        "/absolute/path/to/mcp-database-server/dist/src/index.js",
+        "--mysql",
+        "--aws-iam-auth",
+        "--host", "your-rds-endpoint.region.rds.amazonaws.com",
+        "--database", "your-database-name",
+        "--user", "your-aws-username",
+        "--aws-region", "us-east-1"
+      ]
    }
  }
 }
--- a/src/db/mysql-adapter.ts
+++ b/src/db/mysql-adapter.ts
@@ -1,5 +1,6 @@
 import { DbAdapter } from "./adapter.js";
 import mysql from "mysql2/promise";
+import { Signer } from "@aws-sdk/rds-signer";

 /**
 * MySQL database adapter implementation
@@ -9,6 +10,8 @@ export class MysqlAdapter implements DbAdapter {
  private config: mysql.ConnectionOptions;
  private host: string;
  private database: string;
+  private awsIamAuth: boolean;
+  private awsRegion?: string;

  constructor(connectionInfo: {
    host: string;
@@ -18,9 +21,13 @@ export class MysqlAdapter implements DbAdapter {
    port?: number;
    ssl?: boolean | object;
    connectionTimeout?: number;
+    awsIamAuth?: boolean;
+    awsRegion?: string;
  }) {
    this.host = connectionInfo.host;
    this.database = connectionInfo.database;
+    this.awsIamAuth = connectionInfo.awsIamAuth || false;
+    this.awsRegion = connectionInfo.awsRegion;
    this.config = {
      host: connectionInfo.host,
      database: connectionInfo.database,
@@ -33,8 +40,15 @@ export class MysqlAdapter implements DbAdapter {
    if (typeof connectionInfo.ssl === 'object' || typeof connectionInfo.ssl === 'string') {
      this.config.ssl = connectionInfo.ssl;
    } else if (connectionInfo.ssl === true) {
+      // For AWS IAM authentication, configure SSL appropriately for RDS
+      if (this.awsIamAuth) {
+        this.config.ssl = {
+          rejectUnauthorized: false // AWS RDS handles certificate validation
+        };
+      } else {
        this.config.ssl = {};
      }
+    }
    // Validate port
    if (connectionInfo.port && typeof connectionInfo.port !== 'number') {
      const parsedPort = parseInt(connectionInfo.port as any, 10);
@@ -47,19 +61,76 @@ export class MysqlAdapter implements DbAdapter {
    console.error(`[DEBUG] MySQL connection will use port: ${this.config.port}`);
  }

+  /**
+   * Generate AWS RDS authentication token
+   */
+  private async generateAwsAuthToken(): Promise<string> {
+    if (!this.awsRegion) {
+      throw new Error("AWS region is required for IAM authentication");
+    }
+    
+    if (!this.config.user) {
+      throw new Error("AWS username is required for IAM authentication");
+    }
+    
+    try {
+      console.error(`[INFO] Generating AWS auth token for region: ${this.awsRegion}, host: ${this.host}, user: ${this.config.user}`);
+      
+      const signer = new Signer({
+        region: this.awsRegion,
+        hostname: this.host,
+        port: this.config.port || 3306,
+        username: this.config.user,
+      });
+      
+      const token = await signer.getAuthToken();
+      console.error(`[INFO] AWS auth token generated successfully`);
+      return token;
+    } catch (err) {
+      console.error(`[ERROR] Failed to generate AWS auth token: ${(err as Error).message}`);
+      throw new Error(`AWS IAM authentication failed: ${(err as Error).message}. Please check your AWS credentials and IAM permissions.`);
+    }
+  }
+
  /**
   * Initialize MySQL connection
   */
  async init(): Promise<void> {
    try {
      console.error(`[INFO] Connecting to MySQL: ${this.host}, Database: ${this.database}`);
+      
+      // Handle AWS IAM authentication
+      if (this.awsIamAuth) {
+        console.error(`[INFO] Using AWS IAM authentication for user: ${this.config.user}`);
+        
+        try {
+          const authToken = await this.generateAwsAuthToken();
+          
+          // Create a new config with the generated token as password
+          const awsConfig = {
+            ...this.config,
+            password: authToken
+          };
+          
+          this.connection = await mysql.createConnection(awsConfig);
+        } catch (err) {
+          console.error(`[ERROR] AWS IAM authentication failed: ${(err as Error).message}`);
+          throw new Error(`AWS IAM authentication failed: ${(err as Error).message}`);
+        }
+      } else {
        this.connection = await mysql.createConnection(this.config);
+      }
+      
      console.error(`[INFO] MySQL connection established successfully`);
    } catch (err) {
      console.error(`[ERROR] MySQL connection error: ${(err as Error).message}`);
+      if (this.awsIamAuth) {
+        throw new Error(`Failed to connect to MySQL with AWS IAM authentication: ${(err as Error).message}. Please verify your AWS credentials, IAM permissions, and RDS configuration.`);
+      } else {
        throw new Error(`Failed to connect to MySQL: ${(err as Error).message}`);
      }
    }
+  }

  /**
   * Execute a SQL query and get all results
--- a/src/index.ts
+++ b/src/index.ts
@@ -46,6 +46,7 @@ if (args.length === 0) {
  logger.error("Usage for SQL Server: node index.js --sqlserver --server <server> --database <database> [--user <user> --password <password>]");
  logger.error("Usage for PostgreSQL: node index.js --postgresql --host <host> --database <database> [--user <user> --password <password> --port <port>]");
  logger.error("Usage for MySQL: node index.js --mysql --host <host> --database <database> [--user <user> --password <password> --port <port>]");
+  logger.error("Usage for MySQL with AWS IAM: node index.js --mysql --aws-iam-auth --host <rds-endpoint> --database <database> --user <aws-username> --aws-region <region>");
  process.exit(1);
 }

@@ -132,7 +133,9 @@ else if (args.includes('--mysql')) {
    password: undefined,
    port: undefined,
    ssl: undefined,
-    connectionTimeout: undefined
+    connectionTimeout: undefined,
+    awsIamAuth: false,
+    awsRegion: undefined
  };
  // Parse MySQL connection parameters
  for (let i = 0; i < args.length; i++) {
@@ -153,6 +156,10 @@ else if (args.includes('--mysql')) {
      else connectionInfo.ssl = sslVal;
    } else if (args[i] === '--connection-timeout' && i + 1 < args.length) {
      connectionInfo.connectionTimeout = parseInt(args[i + 1], 10);
+    } else if (args[i] === '--aws-iam-auth') {
+      connectionInfo.awsIamAuth = true;
+    } else if (args[i] === '--aws-region' && i + 1 < args.length) {
+      connectionInfo.awsRegion = args[i + 1];
    }
  }
  // Validate MySQL connection info
@@ -160,6 +167,21 @@ else if (args.includes('--mysql')) {
    logger.error("Error: MySQL requires --host and --database parameters");
    process.exit(1);
  }
+  
+  // Additional validation for AWS IAM authentication
+  if (connectionInfo.awsIamAuth) {
+    if (!connectionInfo.user) {
+      logger.error("Error: AWS IAM authentication requires --user parameter");
+      process.exit(1);
+    }
+    if (!connectionInfo.awsRegion) {
+      logger.error("Error: AWS IAM authentication requires --aws-region parameter");
+      process.exit(1);
+    }
+    // Automatically enable SSL for AWS IAM authentication (required)
+    connectionInfo.ssl = true;
+    logger.info("AWS IAM authentication enabled - SSL automatically configured");
+  }
 } else {
  // SQLite mode (default)
  dbType = 'sqlite';