Skip to content
By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post
About re:Post

MySQL upgrade to 8.4.3 unknown authentication method

2

We have been informed by AWS that we need to upgrade our databases from MySQL 8.0.44 to a minimum of 8.4.3 by the end of July, 2026, or we need to go to extended support, which would give us another 3 years at 8.0.44.

Having run the pre-checks to make sure that the database can be upgraded, I created a read replica of the database, and promoted it.

Then I tested whether our applications could connect to this duplicate using the same endpoint methods we currently use. Obviously, I used the name of the duplicate, and the endpoint connection test worked fine. At this point, the duplicate was still using MySQL 8.0.44; I was merely testing to make sure I could connect to it, and that I hadn't missed something yet.

Then I performed the upgrade on the duplicate database (not the original), and updated the parameter group for it (see below) and tested the connection again, using the exact same test function I had used previously.

What I got in response was: SQLSTATE[HY000] [2054] The server requested authentication method unknown to the client

Now, the duplicate database only has a few differences at this point. It is MySQL version 8.4.3, and the parameter group is different. For the parameter group, I created a new parameter group, specifically for MySQL 8.4.3, and changed the parameter "authentication_policy" to *:mysql_native_password, as the mysql.users are all using that in the original database. Also, the parameter "mysql_native_password" is set to "ON". (Yes, I understand it's deprecated in 8.4.3 but my assumption was that the parameter group change would handle that. That is apparently not the case. Or I'm missing something.)

At this point, I am at a loss. While I can connect to the updated database using DBeaver, it is not accessible to the applications that would rely on a connection.

What am I missing here?

Topics
Migration & ModernizationDatabase
Tags
Aurora MySQLAWS Database Migration Service
Language
English
asked a month ago313 views
2 Answers
6

The issue is that in MySQL 8.4 LTS, the mysql_native_password plugin is not only deprecated but is disabled by default.

Even if you set your authentication_policy to include it, the server cannot use the method because the underlying plugin isn't loaded. DBeaver likely succeeds because it defaults to a newer driver/mechanism, whereas your application (likely PHP/PDO based on the error code) is strictly trying to use the method assigned to the user.

Steps to Resolve:

Edit your MySQL 8.4 Parameter Group.

  • Locate the parameter: mysql_native_password.
  • Change its value from OFF (or 0) to ON (or 1).
  • Save the changes.
  • Reboot your RDS instance (this is a static parameter and requires a manual reboot to take effect).

Why this happens:

In MySQL 8.0, the plugin was built-in and active. In 8.4, it was moved to a separate dynamic plugin that must be explicitly enabled via the configuration before the authentication_policy can utilize it.

"Beginning with MySQL 8.4.0, the deprecated mysql_native_password authentication plugin is no longer enabled by default. To enable it, start the server with --mysql-native-password=ON..."

source: https://dev.mysql.com/doc/refman/8.4/en/mysql-nutshell.html

PS: Since this method is deprecated, plan to migrate your application clients and users to caching_sha2_password before the next major version release.

According to the MySQL 8.4 Release Notes -> https://dev.mysql.com/doc/relnotes/mysql/8.4/en/news-8-4-0.html , the mysql_native_password plugin is disabled by default. Setting the authentication_policy is not enough; you must explicitly enable the plugin by setting the mysql_native_password parameter to 1 (ON) in your RDS Parameter Group and rebooting the instance.

see also:

EXPERT
answered a month ago
  • PGearman
    a month ago

    I had forgotten to mention this, but the "mysql_native_password" setting in the parameter group is set to "ON", so I don't think that can be the fix. Or at least not the whole fix.

  • Florian Turnwald EXPERT
    a month ago

    Check if the Parameter Group status shows 'pending-reboot' in the RDS console. Since mysql_native_password is a static parameter, it requires a manual reboot to actually take effect.

    You can verify the live status by running this command in DBeaver: SHOW VARIABLES LIKE 'mysql_native_password';

    If it returns OFF, the engine hasn't applied the change yet. If it's ON, check if your authentication_policy uses the 8.4 syntax: mysql_native_password .

  • PGearman
    a month ago

    Well, I think I may have found what the problem is. If I connect the to the database that's on MySQL 8.4.3, and run SHOW VARIABLES LIKE 'mysql_native_password', it doesn't return with anything. Not even "OFF". Just no variable by that name. And that's after rebooting the database. The parameter group attached to that database has it set to "ON", and the authentication_policy is set to *:mysql_native_password, but according to the command results in DBeaver, it's not even there.

  • Florian Turnwald EXPERT
    a month ago

    I noticed you mentioned that the variable doesn't even show up as 'OFF' in DBeaver. This suggests the engine hasn't initialized the plugin at all. Could you double-check the Status of the Parameter Group in your RDS console? Ensure it explicitly says 'In-sync'. If it says 'Pending-reboot', the changes haven't been applied yet, even if you performed a manual restart previously. Sometimes a specific sequence is required (Apply Change -> Verify Pending Status -> Reboot) for static parameters like mysql_native_password to be recognized by the engine.

  • PGearman
    a month ago

    It does say "In Sync". For what it's worth, I checked the "non-upgraded" database, which is still at MySQL 8.0.4 and it shows the same lack of a variable, although that may just be because mysql_native_password is the default there.

6

If the parameter is already ON and the reboot is confirmed, check the specific user account in the database:

SELECT user, host, plugin FROM mysql.user WHERE user = 'your_app_user';

If the plugin column shows caching_sha2_password instead of mysql_native_password, you may need to explicitly revert the user's authentication method:

ALTER USER 'your_app_user'@'%' IDENTIFIED WITH mysql_native_password BY 'your_password';

This ensures the individual account matches your application's requirements, even if the global server plugin is now active.

EXPERT
answered a month ago
EXPERT
reviewed a month ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Relevant content