chore: add required permissions to multiaz IAM user

karenc-bq · karenc-bq · commit 3621071bee35 · 2025-11-04T21:46:32.000-08:00
diff --git a/docs/using-the-jdbc-driver/using-plugins/UsingTheIamAuthenticationPlugin.md b/docs/using-the-jdbc-driver/using-plugins/UsingTheIamAuthenticationPlugin.md
@@ -36,7 +36,9 @@ IAM database authentication use is limited to certain database engines. For more
 3. [Create a database account](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.DBAccounts.html) using AWS IAM database authentication. This will be the user specified in the connection string or connection properties.
     1. Connect to your database of choice using primary logins.
         1. For a MySQL database, use the following command to create a new user:<br>
-           `CREATE USER example_user_name IDENTIFIED WITH AWSAuthenticationPlugin AS 'RDS';`
+           `CREATE USER example_user_name IDENTIFIED WITH AWSAuthenticationPlugin AS 'RDS';`<br>
+           You might also need to grant extra permissions to the IAM user when connecting to RDS Multi-AZ deployments:<br>
+           ```GRANT REPLICATION CLIENT ON *.* TO example_user_name@`%`;```
         2. For a PostgreSQL database, use the following command to create a new user:<br>
            `CREATE USER db_userx;
            GRANT rds_iam TO db_userx;`
diff --git a/wrapper/src/main/java/software/amazon/jdbc/hostlistprovider/RdsHostListProvider.java b/wrapper/src/main/java/software/amazon/jdbc/hostlistprovider/RdsHostListProvider.java
@@ -370,7 +370,7 @@ protected List<HostSpec> queryForTopology(final Connection conn) throws SQLExcep
          final ResultSet resultSet = stmt.executeQuery(this.topologyQuery)) {
       return processQueryResults(resultSet);
     } catch (final SQLSyntaxErrorException e) {
-      throw new SQLException(Messages.get("RdsHostListProvider.invalidQuery"), e);
+      throw new SQLException(Messages.get("RdsHostListProvider.invalidQuery", new Object[] { e.getMessage() }), e);
     } finally {
       if (networkTimeout == 0 && !conn.isClosed()) {
         conn.setNetworkTimeout(networkTimeoutExecutor, networkTimeout);
diff --git a/wrapper/src/main/java/software/amazon/jdbc/hostlistprovider/RdsMultiAzDbClusterListProvider.java b/wrapper/src/main/java/software/amazon/jdbc/hostlistprovider/RdsMultiAzDbClusterListProvider.java
@@ -91,7 +91,7 @@ protected List<HostSpec> queryForTopology(final Connection conn) throws SQLExcep
       final ResultSet topologyResultSet = stmt.executeQuery(this.topologyQuery);
       return processTopologyQueryResults(topologyResultSet, writerNodeId);
     } catch (final SQLSyntaxErrorException e) {
-      throw new SQLException(Messages.get("RdsHostListProvider.invalidQuery"), e);
+      throw new SQLException(Messages.get("RdsHostListProvider.invalidQueryMultiAz", new Object[] { e.getMessage() }), e);
     } finally {
       if (networkTimeout == 0 && !conn.isClosed()) {
         conn.setNetworkTimeout(networkTimeoutExecutor, networkTimeout);
diff --git a/wrapper/src/main/resources/aws_advanced_jdbc_wrapper_messages.properties b/wrapper/src/main/resources/aws_advanced_jdbc_wrapper_messages.properties
@@ -37,7 +37,8 @@ RdsHostListProvider.invalidPattern=Invalid value for the 'clusterInstanceHostPat
 RdsHostListProvider.invalidTopology=The topology query returned an invalid topology - no writer instance detected.
 RdsHostListProvider.suggestedClusterId=ClusterId ''{0}'' is suggested for url ''{1}''.
 RdsHostListProvider.parsedListEmpty=Can''t parse connection string: ''{0}''
-RdsHostListProvider.invalidQuery=Error obtaining host list. Provided database might not be an Aurora Db cluster
+RdsHostListProvider.invalidQuery=Error obtaining host list. Provided database might not be an Aurora Db cluster: ''{0}''
+RdsHostListProvider.invalidQueryMultiAz=Error obtaining host list. Provided database might not be an RDS Multi-AZ Db cluster: ''{0}''
 RdsHostListProvider.errorGettingHostRole=An error occurred while obtaining the connected host's role. This could occur if the connection is broken or if you are not connected to an Aurora database.
 RdsHostListProvider.errorIdentifyConnection=An error occurred while obtaining the connection's host ID.
 RdsHostListProvider.errorGettingNetworkTimeout=An error occurred while getting the connection network timeout: {0}
diff --git a/wrapper/src/test/java/integration/util/AuroraTestUtility.java b/wrapper/src/test/java/integration/util/AuroraTestUtility.java
@@ -1902,6 +1902,7 @@ public void addAuroraAwsIamUser(
           } else {
             stmt.execute("GRANT ALL PRIVILEGES ON `%`.* TO '" + dbUser + "'@'%';");
           }
+          stmt.execute("GRANT REPLICATION CLIENT ON *.* TO '" + dbUser + "'@'%';");
 
           // BG switchover status needs it.
           stmt.execute("GRANT SELECT ON mysql.* TO '" + dbUser + "'@'%';");

Original file line number	Diff line number	Diff line change
`@@ -1902,6 +1902,7 @@ public void addAuroraAwsIamUser(`
`1902`	`1902`	`} else {`
`1903`	`1903`	stmt.execute("GRANT ALL PRIVILEGES ON `%`.* TO '" + dbUser + "'@'%';");
`1904`	`1904`	`}`
	`1905`	`+ stmt.execute("GRANT REPLICATION CLIENT ON . TO '" + dbUser + "'@'%';");`
`1905`	`1906`
`1906`	`1907`	`// BG switchover status needs it.`
`1907`	`1908`	`stmt.execute("GRANT SELECT ON mysql.* TO '" + dbUser + "'@'%';");`