Requesting MySQL access

P0 recommends using the P0 CLI to request access to a MySQL instance (or cluster).

Via the P0 CLI

Prerequisites:

• An installed MySQL P0 integration on the database

• P0 access policies that allow you to request access to the MySQL database instance

• P0 CLI version 0.25.0 or higher

• An open CloudShell terminal in the database's VPC

  • Open a CloudShell instance by navigating to the database's page within the "RDS" service in the AWS cloud console, then choosing "CloudShell" under "Connectivity & security", then clicking "Launch CloudShell"

Listing requestable fields

You can list requestable instances, roles, and databases by executing

p0 ls mysql role instance                        # lists instances and clusters
p0 ls mysql role name --instance <instance>      # lists roles
p0 ls mysql role database --instance <instance>  # lists databases within an instance 

Making a request

From the CLI, execute

p0 aws rds generate-db-auth-token --arch mysql --role <role> --instance <instance>

where <role> is the name of the role you want to access, and <instance> is the identifier configured in P0 when the instance was installed in P0.

After executing p0 aws rds generate-db-auth-token, P0 will create an access request. Have the request approved. Once it is approved, the command will emit instructions to connect to the instance.

Example:

Copy these instructions.

Now, navigate to the open CloudShell terminal, and execute these instructions. You will receive access to the database.

Troubleshooting

Access denial

If, after following the steps above, you encounter:

this is typically due to the role missing permissions on the requested database.

MySQL requires that your user have at least one active role with permissions on the requested database. In this case, the role you've requested may not have these permissions.

You can still access the MySQL instance by executing the mysql CLI with the database omitted:

You may list the databases that you can access with: