Feature Request
The postgres-mcp-server supports IAM database authentication via the pgwire_iam connection method. The mysql-mcp-server has no equivalent — it only supports Secrets Manager credentials for direct connections and RDS Data API for Aurora.
Use Case
Data analysts connecting to standard MySQL RDS instances in private subnets via SSM port forwarding. IAM DB auth would eliminate the need for static credentials in Secrets Manager and tie database access directly to IAM identity (via IAM Identity Center SSO).
Current Workaround
Using Secrets Manager with shared read-only service account credentials. This works but means managing static passwords rather than leveraging IAM-native authentication.
Proposed Solution
Add a connection method (e.g. --iam-auth) that:
- Uses boto3 rds_client.generate_db_auth_token() to generate a temporary auth token
- Passes the token as the password to asyncmy with SSL enabled
- Handles token refresh for the connection pool (tokens expire after 15 minutes, though established connections survive past expiry)
The MySQL user would be created with AWSAuthenticationPlugin:
CREATE USER 'analyst' IDENTIFIED WITH AWSAuthenticationPlugin AS 'RDS';
GRANT SELECT ON mydb.* TO 'analyst'@'%';
ALTER USER 'analyst'@'%' REQUIRE SSL;
Scope
- Standard MySQL RDS (not just Aurora)
- Compatible with IAM Identity Center SSO temporary credentials
- Connection pool token refresh strategy (e.g. refresh on new connection creation, or fixed pool size with upfront connections)
References
- postgres-mcp-server pgwire_iam implementation as reference pattern
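
One way to implement the "refresh on new connection creation" strategy from Scope, added here as an example and not code from mysql-mcp-server or postgres-mcp-server. IamTokenProvider, rds_token_generator, connect_kwargs and the 120-second refresh margin are hypothetical; the keyword names handed to the driver assume asyncmy accepts PyMySQL-style connect arguments. With SSM port forwarding the token is signed for the RDS endpoint and port, while the socket goes to the local forwarded address.

```python
import time
from typing import Callable, Optional

TOKEN_LIFETIME_S = 15 * 60  # tokens expire after 15 minutes (stated in the request)

class IamTokenProvider:
    """Caches an IAM auth token and regenerates it shortly before expiry."""
    def __init__(self, generate: Callable[[], str], refresh_margin_s: int = 120,
                 clock: Callable[[], float] = time.monotonic):
        self._generate = generate          # callable that signs a fresh token
        self._margin = refresh_margin_s    # assumed safety margin, not an AWS value
        self._clock = clock
        self._token: Optional[str] = None
        self._issued_at = 0.0

    def password(self) -> str:
        """Call once per NEW pool connection; established connections keep working."""
        age = self._clock() - self._issued_at
        if self._token is None or age >= TOKEN_LIFETIME_S - self._margin:
            self._token = self._generate()
            self._issued_at = self._clock()
        return self._token

def rds_token_generator(endpoint: str, port: int, user: str, region: str) -> Callable[[], str]:
    """Signs for the real RDS endpoint and port, not the local tunnel address."""
    def generate() -> str:
        import boto3  # lazy import: the cache logic above runs without AWS access
        client = boto3.client("rds", region_name=region)
        return client.generate_db_auth_token(
            DBHostname=endpoint, Port=port, DBUsername=user, Region=region)
    return generate

def connect_kwargs(provider: IamTokenProvider, host: str, port: int, user: str, ssl_context):
    """Per-connection arguments; host/port may be the SSM-forwarded local address."""
    return {"host": host, "port": port, "user": user,
            "password": provider.password(), "ssl": ssl_context}

def demo() -> list:
    """Constructed run: fake clock and fake signer, no AWS calls."""
    now, n = [0.0], iter(range(1, 100))
    provider = IamTokenProvider(lambda: f"constructed-token-{next(n)}", clock=lambda: now[0])
    seen = []
    for t in (0, 600, 779, 780, 1500, 1560):  # seconds since start
        now[0] = t
        seen.append(provider.password())
    return seen
```

Because the token only authenticates the handshake, the provider needs to be consulted when the pool opens a connection, not on every query.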