open-vault/website/source/docs/secrets/databases/mysql-maria.html.md

2017-05-02 20:26:32 +00:00
---
layout: "docs"
page_title: "MySQL/MariaDB Database Plugin - Database Secret Backend"
sidebar_current: "docs-secrets-databases-mysql-maria"
description: |-
  The MySQL/MariaDB plugin for Vault's Database backend generates database credentials to access MySQL and MariaDB servers.
---
# MySQL/MariaDB Database Plugin

Name: `mysql-database-plugin`, `mysql-aurora-database-plugin`, `mysql-rds-database-plugin`,
`mysql-legacy-database-plugin`

The MySQL Database Plugin is one of the supported plugins for the Database
backend. This plugin generates database credentials dynamically based on
configured roles for the MySQL database.

This plugin has a few different instances built into Vault, each for a
slightly different MySQL driver. The only difference between these plugins is
the length of the usernames they generate, as different versions of MySQL
accept different username lengths. The available plugins are:

- mysql-database-plugin
- mysql-aurora-database-plugin
- mysql-rds-database-plugin
- mysql-legacy-database-plugin

See the [Database Backend](/docs/secrets/databases/index.html) docs for more
information about setting up the Database Backend.

## Quick Start

After the Database Backend is mounted you can configure a MySQL connection
by specifying this plugin as the `"plugin_name"` argument. Here is an example
configuration:

```
$ vault write database/config/mysql \
    plugin_name=mysql-database-plugin \
    connection_url="root:mysql@tcp(127.0.0.1:3306)/" \
    allowed_roles="readonly"
The following warnings were returned from the Vault server:
* Read access to this endpoint should be controlled via ACLs as it will return the connection details as is, including passwords, if any.
```

Once the MySQL connection is configured we can add a role:

```
$ vault write database/roles/readonly \
    db_name=mysql \
    creation_statements="CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}';GRANT SELECT ON *.* TO '{{name}}'@'%';" \
    default_ttl="1h" \
    max_ttl="24h"
Success! Data written to: database/roles/readonly
```

This role can now be used to retrieve a new set of credentials by querying the
`database/creds/readonly` endpoint.

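The warning Vault prints when the connection is configured is worth acting on: anyone who can read `database/config/mysql` gets the `connection_url`, root password included. The following is an added example and not part of the Vault documentation: a POSIX shell snippet that builds and installs a Vault policy giving an application read access to the `database/creds/readonly` endpoint from the Quick Start while explicitly denying the whole `database/config/*` path. The policy name `app-readonly` and the `vault policy write NAME -` form of the CLI (Vault 0.9 and later) are assumptions.

```shell
#!/bin/sh
# Added example, not from the Vault docs. Builds and installs a Vault policy
# that lets an application fetch dynamic MySQL credentials but never read the
# connection configuration, which includes the configured database password.
# Assumptions: policy name "app-readonly"; `vault policy write NAME -` CLI form.

# Emit the policy as HCL. Paths match the Quick Start:
# database/config/mysql holds connection_url (password included),
# database/creds/readonly hands out short-lived credentials.
app_policy() {
  cat <<'EOF'
# Applications may request credentials for the readonly role...
path "database/creds/readonly" {
  capabilities = ["read"]
}

# ...but must never see the stored connection details.
path "database/config/*" {
  capabilities = ["deny"]
}
EOF
}

# Return 0 if the policy text lists the given capability inside the block for
# the given path. Plain substring matching on the format emitted above; it is
# a self-check before installing, not a general HCL parser.
policy_has() {
  _path="$1"; _cap="$2"
  app_policy | awk -v p="path \"$_path\"" -v c="\"$_cap\"" '
    index($0, p) { inblock = 1 }
    inblock && index($0, c) { found = 1 }
    /^}/ { inblock = 0 }
    END { exit(found ? 0 : 1) }'
}

# Install the policy on the Vault server (needs VAULT_ADDR and VAULT_TOKEN).
# Refuses to install a policy that no longer denies the config path.
install_app_policy() {
  policy_has "database/config/*" deny || return 1
  app_policy | vault policy write app-readonly -
}
```

Source the file and call `install_app_policy`, then attach the `app-readonly` policy to the token or auth role the application uses. The explicit `deny` on `database/config/*` means a later, broader grant (for example `database/*` with `read`) still cannot expose the connection details, because deny wins over every other capability in Vault's policy evaluation.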
## API

The full list of configurable options can be seen in the [MySQL database
plugin API](/api/secret/databases/mysql-maria.html) page.

For more information on the Database secret backend's HTTP API, please see the [Database secret
backend API](/api/secret/databases/index.html) page.

## Examples

### Using wildcards in grant statements

MySQL supports wildcards in grant statements. These are sometimes needed by
applications that expect access to a large number of databases inside MySQL.
For example, if you want the user created by Vault to have access to all
databases whose names start with `fooapp_`, you could use the following
creation statement:

```
CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}'; GRANT SELECT ON `fooapp\_%`.* TO '{{name}}'@'%';
```

MySQL expects the database name that contains the wildcards to be enclosed in
backticks. The underscore is written as `\_` because `_` is itself a
single-character wildcard in MySQL grant statements and must be escaped to
match literally.
If you want to add this creation statement to Vault via the Vault CLI you cannot
simply paste the above statement on the CLI, because the shell will interpret the
text between the backticks as a command to be executed. The easiest way to
get around this is to encode the creation statement as Base64 and feed that to Vault.
For example:

```
$ vault write database/roles/readonly \
    db_name=mysql \
    creation_statements="Q1JFQVRFIFVTRVIgJ3t7bmFtZX19J0AnJScgSURFTlRJRklFRCBCWSAne3twYXNzd29yZH19JzsgR1JBTlQgU0VMRUNUIE9OIGBmb29hcHBcXyVgLiogVE8gJ3t7bmFtZX19J0AnJSc7" \
    default_ttl="1h" \
    max_ttl="24h"
```
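Because the Base64 value is opaque, it is easy to ship a wrong or truncated statement without noticing. The following is an added example, not code from the Vault documentation: a POSIX shell snippet that keeps the statement readable in a quoted heredoc (so the shell never treats the backticks as command substitution), encodes it as single-line Base64, decodes it again as a round-trip check, and only then writes the role with the same `db_name`, role name and TTLs as the page. It assumes the coreutils or BusyBox `base64` utility with `-d` for decoding.

```shell
#!/bin/sh
# Added example, not from the Vault docs. Hands a creation statement that
# contains backticks to `vault write` by Base64-encoding it first.
# Assumes coreutils/BusyBox `base64`. GNU base64 wraps output at 76 columns,
# so the newlines are stripped to give Vault a single token.

# The statement to install. A quoted heredoc ('EOF') disables every form of
# shell expansion, so the backticks, the {{name}}/{{password}} templates and
# the \_ escape reach the encoder exactly as written. tr removes the
# trailing newline the heredoc adds.
wildcard_statement() {
  cat <<'EOF' | tr -d '\n'
CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}'; GRANT SELECT ON `fooapp\_%`.* TO '{{name}}'@'%';
EOF
}

# Base64-encode a string into a single line. printf '%s' avoids both the
# trailing newline echo would add and any interpretation of the % signs.
encode_statement() {
  printf '%s' "$1" | base64 | tr -d '\n'
}

# Decode a single-line Base64 value back to text.
decode_statement() {
  printf '%s' "$1" | base64 -d
}

# Return 0 if encoding and then decoding gives back the original statement.
roundtrip_ok() {
  _enc=$(encode_statement "$1")
  [ "$(decode_statement "$_enc")" = "$1" ]
}

# Write the role. Vault is only called when the round trip checks out, so a
# mangled statement never reaches the server. Needs VAULT_ADDR and VAULT_TOKEN.
write_wildcard_role() {
  _stmt=$(wildcard_statement)
  roundtrip_ok "$_stmt" || { echo "statement did not round-trip" >&2; return 1; }
  vault write database/roles/readonly \
    db_name=mysql \
    creation_statements="$(encode_statement "$_stmt")" \
    default_ttl="1h" \
    max_ttl="24h"
}
```

Source the file and call `write_wildcard_role`; `encode_statement "$(wildcard_statement)"` reproduces the Base64 string shown in the example above, so the same helper can be used to audit an existing role by decoding whatever `vault read database/roles/readonly` returns and comparing it against the intended statement.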