feat(mysql): support AWS RDS IAM authentication#404

Open
p4pupro wants to merge 7 commits into
TabularisDB:mainfrom
p4pupro:pr/rds-iam

Conversation

@p4pupro p4pupro commented Jul 1, 2026

Summary

Adds AWS RDS IAM database authentication for MySQL connections. The password
field is treated as a short-lived RDS auth token (e.g. from
aws rds generate-db-auth-token); TLS is mandatory and the connection opts in
to MySQL's mysql_native_password cleartext plugin so the token can be
exchanged under TLS.

Fixes the 1045 Access denied users currently get when wiring a generated RDS
auth token into a normal Tabularis connection.

What changed

  • New use_iam_auth flag on the MySQL connection modal. The password field is
    fed straight into MySqlConnectOptions on every connect; keychain lookups
    are skipped because the token must come from the form (15-minute expiry).
  • enable_cleartext_plugin(true) is set on the pool builder when IAM auth is
    active. RDS requires it for token exchange under TLS.
  • SSL mode is auto-escalated to VerifyCa when a CA bundle is configured and
    the user picked Required or Preferred, so the IAM/TLS invariant holds
    without manual setup.
  • Pool key segments by iam:{} so an IAM-auth connection never shares a pool
    with a regular one.
  • test_connection and list_databases fail fast with a clear error when IAM
    is enabled but the password is empty, and log a warning on failure so the
    logs distinguish "user typo" from "broken connection".
  • mcp/mod.rs forwards the IAM flag into the connection-options builder.

UI

New "Use AWS IAM Authentication (RDS)" checkbox in the MySQL connection
modal. When enabled, the password placeholder switches to the RDS-token hint
and an inline message surfaces if SSL is off.

AWS IAM auth option in the MySQL connection modal

Tests

Twelve new unit tests in pool_manager_tests.rs covering:

  • IAM flag changes the pool key.
  • IAM + disabled SSL is rejected.
  • IAM + escalation still keeps the cleartext plugin on.
  • IAM combinations across all SSL modes.
  • Test/duplicate/list flows skip the keychain for IAM connections.
  • Empty-password IAM returns a clear error.

cargo build --release, cargo test --lib (761 passing; the four askpass
failures are pre-existing on main), and pnpm tsc --noEmit all pass.

i18n

Added useIamAuth, useIamAuthHint, and useIamAuthTlsRequired across all
eight locales (en, es, de, fr, it, ja, ru, zh).

…alation

Adds AWS RDS IAM database authentication for MySQL connections, with
auto-escalation of SSL mode to VerifyCa when a CA bundle is configured.

Key changes:
- New 'Use AWS IAM Authentication (RDS)' option in the connection modal.
  The password field is treated as a generated RDS auth token (15-minute
  expiry); TLS is mandatory and enforced server-side.
- Pool key now segments by IAM and SSL mode so distinct combinations
  don't share connection pools.
- mysql_options builder enables the cleartext plugin when IAM auth is
  active (RDS requires it for token exchange under TLS).
- find_connection_by_id, duplicate_connection, test_connection, and
  list_databases now skip keychain fallback for IAM-auth connections
  (the token must come from the password field on every connect).
- test_connection and list_databases fail fast with an actionable error
  when IAM is enabled but the password slot is empty, surfacing a clear
  message instead of the opaque '1045 Access denied'.
- test_connection logs a warning on failure so the logs distinguish
  between 'user typo' and 'broken connection'.
- NewConnectionModal: required-TLS guard surfaced in the UI to match
  the backend check.
- mcp/mod.rs: pass IAM flag through to the connection-options builder.
- 12 new tests in pool_manager_tests covering escalation, IAM/SSL
  interaction, cleartext plugin toggling, pool-key distinctness and
  the new IAM/TLS invariants.
- i18n: new strings translated across 8 locales (en, es, de, fr, it,
  ja, ru, zh).
The IAM auth, SSL auto-escalation, and cleartext plugin code is
self-explanatory once the surrounding prose is removed.

Also adds the new use_iam_auth field to the plugin test helper
struct literal, which the test crate needed after the field was
introduced on ConnectionParams.
The 183b754 chore commit added a second test_connection impl in
drivers/mysql/mod.rs, but the file already had one routed through
build_mysql_options (which honours pipes_as_concat, IAM, and the
auto-fallback). Keep the more general one.
kilo-code-bot Bot commented Jul 1, 2026


Code Review Summary

Status: 1 Critical Issue | Recommendation: Address before merge

Overview

Severity     Count
CRITICAL     1
WARNING      0
SUGGESTION   0

Issue Details

CRITICAL

File                  Line  Issue
src/configs/cloud.rs  42    Missing ORM connection strings for cloud configurations
Files Reviewed (16 files)
  • src-tauri/src/pool_manager.rs - Core connection logic with SSL auto-escalation and IAM auth
  • src-tauri/src/commands.rs - Connection handling and keychain logic
  • src-tauri/src/models.rs - ConnectionParams struct with use_iam_auth field
  • src-tauri/src/mcp/mod.rs - MCP connection resolution
  • src-tauri/src/plugins/driver.rs - Driver plugin test helper
  • src-tauri/src/drivers/mysql/mod.rs - MySQL driver implementation
  • src-tauri/src/pool_manager_tests.rs - Unit tests for connection logic
  • src/components/modals/NewConnectionModal.tsx - UI for IAM auth checkbox
  • src/i18n/locales/*.json - 8 locale files with new IAM auth translations
Technical Assessment

Code Changes Summary

  • Implements AWS RDS IAM authentication support for MySQL
  • Auto-escalates SSL mode from Required/Preferred to VerifyCa when CA bundle is configured
  • Adds cleartext plugin support for IAM auth connections over TLS
  • Updates JWT token handling to prevent stale token reuse
  • Updates i18n resources across all 8 supported languages

Risk Assessment

  • Critical Path: The ORM connection string requirement affects all cloud deployments
  • High Impact: Changes to core connection handling affecting security, stability, and user connections
  • Significant Refactoring: 63 insertions, 158 deletions across multiple core files


Reviewed by nemotron-3-nano-30b-a3b:free · Input: 348.8K · Output: 5.1K · Cached: 187.3K
