Connecting to your MariaDB DB instance on Amazon RDS with SSL/TLS from the MySQL command-line client (encrypted) - Amazon Relational Database Service
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Connecting to your MariaDB DB instance on Amazon RDS with SSL/TLS from the MySQL command-line client (encrypted)

The mysql client program parameters are slightly different if you are using the MySQL 5.7 version, the MySQL 8.0 version, or the MariaDB version.

To find out which version you have, run the mysql command with the --version option. In the following example, the output shows that the client program is from MariaDB.

$ mysql --version
mysql  Ver 15.1 Distrib 10.5.15-MariaDB, for osx10.15 (x86_64) using readline 5.1

Most Linux distributions, such as Amazon Linux, CentOS, SUSE, and Debian have replaced MySQL with MariaDB, and the mysql version in them is from MariaDB.

To connect to your DB instance using SSL/TLS, follow these steps:

To connect to a DB instance with SSL/TLS using the MySQL command-line client

  1. Download a root certificate that works for all Amazon Web Services Regions.

    For information about downloading certificates, see Using SSL/TLS to encrypt a connection to a DB instance or cluster.

  2. Use a MySQL command-line client to connect to a DB instance with SSL/TLS encryption. For the -h parameter, substitute the DNS name (endpoint) for your DB instance. For the --ssl-ca parameter, substitute the SSL/TLS certificate file name. For the -P parameter, substitute the port for your DB instance. For the -u parameter, substitute the user name of a valid database user, such as the master user. Enter the master user password when prompted.

    The following example shows how to launch the client using the --ssl-ca parameter using the MariaDB client:

    mysql -h myinstance.123456789012.rds-cn-north-1.amazonaws.com --ssl-ca=global-bundle.pem --ssl -P 3306 -u myadmin -p

    To require that the SSL/TLS connection verifies the DB instance endpoint against the endpoint in the SSL/TLS certificate, enter the following command:

    mysql -h myinstance.123456789012.rds-cn-north-1.amazonaws.com --ssl-ca=global-bundle.pem --ssl-verify-server-cert -P 3306 -u myadmin -p

    The following example shows how to launch the client using the --ssl-ca parameter using the MySQL 5.7 client or later:

    mysql -h myinstance.123456789012.rds-cn-north-1.amazonaws.com --ssl-ca=global-bundle.pem --ssl-mode=REQUIRED -P 3306 -u myadmin -p

  3. Enter the master user password when prompted.

You should see output similar to the following.

Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 31
Server version: 10.6.10-MariaDB-log Source distribution
 
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
  
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]>