2015-04-25 19:10:53 +00:00
|
|
|
---
|
|
|
|
layout: "docs"
|
|
|
|
page_title: "Secret Backend: MySQL"
|
|
|
|
sidebar_current: "docs-secrets-mysql"
|
|
|
|
description: |-
|
|
|
|
The MySQL secret backend for Vault generates database credentials to access MySQL.
|
|
|
|
---
|
|
|
|
|
|
|
|
# MySQL Secret Backend
|
|
|
|
|
|
|
|
Name: `mysql`
|
|
|
|
|
|
|
|
The MySQL secret backend for Vault generates database credentials
|
|
|
|
dynamically based on configured roles. This means that services that need
|
|
|
|
to access a database no longer need to hardcode credentials: they can request
|
|
|
|
them from Vault, and use Vault's leasing mechanism to more easily roll keys.
|
|
|
|
|
|
|
|
Additionally, it introduces a new ability: with every service accessing
|
|
|
|
the database with unique credentials, it makes auditing much easier when
|
|
|
|
questionable data access is discovered: you can track it down to the specific
|
|
|
|
instance of a service based on the SQL username.
|
|
|
|
|
|
|
|
Vault makes use of its own internal revocation system to ensure that users
|
|
|
|
become invalid within a reasonable time of the lease expiring.
|
|
|
|
|
|
|
|
This page will show a quick start for this backend. For detailed documentation
|
2015-07-13 10:12:09 +00:00
|
|
|
on every path, use `vault path-help` after mounting the backend.
|
2015-04-25 19:10:53 +00:00
|
|
|
|
|
|
|
## Quick Start
|
|
|
|
|
2015-04-27 03:02:58 +00:00
|
|
|
The first step to using the mysql backend is to mount it.
|
|
|
|
Unlike the `generic` backend, the `mysql` backend is not mounted by default.
|
|
|
|
|
|
|
|
```
|
|
|
|
$ vault mount mysql
|
|
|
|
Successfully mounted 'mysql' at 'mysql'!
|
|
|
|
```
|
|
|
|
|
|
|
|
Next, we must configure Vault to know how to connect to the MySQL
|
|
|
|
instance. This is done by providing a DSN (Data Source Name):
|
|
|
|
|
|
|
|
```
|
2015-10-12 16:10:22 +00:00
|
|
|
$ vault write mysql/config/connection \
|
|
|
|
value="root:root@tcp(192.168.33.10:3306)/"
|
2015-04-27 03:02:58 +00:00
|
|
|
Success! Data written to: mysql/config/connection
|
|
|
|
```
|
|
|
|
|
|
|
|
In this case, we've configured Vault with the user "root" and password "root,
|
|
|
|
connecting to an instance at "192.168.33.10" on port 3306. It is not necessary
|
|
|
|
that Vault has the root user, but the user must have privileges to create
|
|
|
|
other users, namely the `GRANT OPTION` privilege.
|
|
|
|
|
|
|
|
Optionally, we can configure the lease settings for credentials generated
|
|
|
|
by Vault. This is done by writing to the `config/lease` key:
|
|
|
|
|
|
|
|
```
|
2015-10-12 16:10:22 +00:00
|
|
|
$ vault write mysql/config/lease \
|
|
|
|
lease=1h \
|
|
|
|
lease_max=24h
|
2015-04-27 03:02:58 +00:00
|
|
|
Success! Data written to: mysql/config/lease
|
|
|
|
```
|
|
|
|
|
|
|
|
This restricts each credential to being valid or leased for 1 hour
|
|
|
|
at a time, with a maximum use period of 24 hours. This forces an
|
|
|
|
application to renew their credentials at least hourly, and to recycle
|
|
|
|
them once per day.
|
|
|
|
|
|
|
|
The next step is to configure a role. A role is a logical name that maps
|
2015-09-05 00:05:45 +00:00
|
|
|
to a policy used to generate those credentials. For example, lets create
|
2015-04-27 03:02:58 +00:00
|
|
|
a "readonly" role:
|
|
|
|
|
|
|
|
```
|
2015-10-12 16:10:22 +00:00
|
|
|
$ vault write mysql/roles/readonly \
|
|
|
|
sql="CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}';GRANT SELECT ON *.* TO '{{name}}'@'%';"
|
2015-04-27 03:02:58 +00:00
|
|
|
Success! Data written to: mysql/roles/readonly
|
|
|
|
```
|
|
|
|
|
|
|
|
By writing to the `roles/readonly` path we are defining the `readonly` role.
|
|
|
|
This role will be created by evaluating the given `sql` statements. By
|
|
|
|
default, the `{{name}}` and `{{password}}` fields will be populated by
|
|
|
|
Vault with dynamically generated values. This SQL statement is creating
|
|
|
|
the named user, and then granting it `SELECT` or read-only privileges
|
|
|
|
to tables in the database. More complex `GRANT` queries can be used to
|
2015-04-27 19:16:07 +00:00
|
|
|
customize the privileges of the role. See the [MySQL manual](https://dev.mysql.com/doc/refman/5.7/en/grant.html)
|
|
|
|
for more information.
|
2015-04-27 03:02:58 +00:00
|
|
|
|
|
|
|
To generate a new set of credentials, we simply read from that role:
|
|
|
|
|
|
|
|
```
|
|
|
|
$ vault read mysql/creds/readonly
|
|
|
|
Key Value
|
|
|
|
lease_id mysql/creds/readonly/bd404e98-0f35-b378-269a-b7770ef01897
|
|
|
|
lease_duration 3600
|
|
|
|
password 132ae3ef-5a64-7499-351e-bfe59f3a2a21
|
|
|
|
username root-aefa635a-18
|
|
|
|
```
|
|
|
|
|
|
|
|
By reading from the `creds/readonly` path, Vault has generated a new
|
|
|
|
set of credentials using the `readonly` role configuration. Here we
|
|
|
|
see the dynamically generated username and password, along with a one
|
|
|
|
hour lease.
|
|
|
|
|
|
|
|
Using ACLs, it is possible to restrict using the mysql backend such
|
|
|
|
that trusted operators can manage the role definitions, and both
|
|
|
|
users and applications are restricted in the credentials they are
|
|
|
|
allowed to read.
|
|
|
|
|
2015-04-27 18:17:13 +00:00
|
|
|
## API
|
2015-04-27 03:02:58 +00:00
|
|
|
|
2015-04-27 18:17:13 +00:00
|
|
|
### /mysql/config/connection
|
|
|
|
#### POST
|
|
|
|
|
|
|
|
<dl class="api">
|
2015-04-27 03:02:58 +00:00
|
|
|
<dt>Description</dt>
|
|
|
|
<dd>
|
|
|
|
Configures the connection DSN used to communicate with MySQL.
|
|
|
|
This is a root protected endpoint.
|
|
|
|
</dd>
|
|
|
|
|
|
|
|
<dt>Method</dt>
|
|
|
|
<dd>POST</dd>
|
|
|
|
|
|
|
|
<dt>URL</dt>
|
|
|
|
<dd>`/mysql/config/connection`</dd>
|
|
|
|
|
|
|
|
<dt>Parameters</dt>
|
|
|
|
<dd>
|
|
|
|
<ul>
|
|
|
|
<li>
|
|
|
|
<span class="param">value</span>
|
|
|
|
<span class="param-flags">required</span>
|
|
|
|
The MySQL DSN
|
|
|
|
</li>
|
|
|
|
</ul>
|
|
|
|
</dd>
|
2015-10-02 01:15:56 +00:00
|
|
|
<dd>
|
|
|
|
<ul>
|
|
|
|
<li>
|
|
|
|
<span class="param">max_open_connections</span>
|
|
|
|
<span class="param-flags">optional</span>
|
|
|
|
Maximum number of open connections to the database.
|
|
|
|
Defaults to 2.
|
|
|
|
</li>
|
|
|
|
</ul>
|
|
|
|
</dd>
|
2015-04-27 03:02:58 +00:00
|
|
|
|
|
|
|
<dt>Returns</dt>
|
|
|
|
<dd>
|
|
|
|
A `204` response code.
|
|
|
|
</dd>
|
|
|
|
</dl>
|
|
|
|
|
2015-04-27 18:17:13 +00:00
|
|
|
### /mysql/config/lease
|
|
|
|
#### POST
|
2015-04-27 03:02:58 +00:00
|
|
|
|
2015-04-27 18:17:13 +00:00
|
|
|
<dl class="api">
|
2015-04-27 03:02:58 +00:00
|
|
|
<dt>Description</dt>
|
|
|
|
<dd>
|
|
|
|
Configures the lease settings for generated credentials.
|
|
|
|
If not configured, leases default to 1 hour. This is a root
|
|
|
|
protected endpoint.
|
|
|
|
</dd>
|
|
|
|
|
|
|
|
<dt>Method</dt>
|
|
|
|
<dd>POST</dd>
|
|
|
|
|
|
|
|
<dt>URL</dt>
|
|
|
|
<dd>`/mysql/config/lease`</dd>
|
|
|
|
|
|
|
|
<dt>Parameters</dt>
|
|
|
|
<dd>
|
|
|
|
<ul>
|
|
|
|
<li>
|
|
|
|
<span class="param">lease</span>
|
|
|
|
<span class="param-flags">required</span>
|
|
|
|
The lease value provided as a string duration
|
|
|
|
with time suffix. Hour is the largest suffix.
|
|
|
|
</li>
|
|
|
|
<li>
|
|
|
|
<span class="param">lease_max</span>
|
|
|
|
<span class="param-flags">required</span>
|
|
|
|
The maximum lease value provided as a string duration
|
|
|
|
with time suffix. Hour is the largest suffix.
|
|
|
|
</li>
|
|
|
|
</ul>
|
|
|
|
</dd>
|
|
|
|
|
|
|
|
<dt>Returns</dt>
|
|
|
|
<dd>
|
|
|
|
A `204` response code.
|
|
|
|
</dd>
|
|
|
|
</dl>
|
|
|
|
|
2015-04-27 18:17:13 +00:00
|
|
|
### /mysql/roles/
|
|
|
|
#### POST
|
2015-04-27 03:02:58 +00:00
|
|
|
|
2015-04-27 18:17:13 +00:00
|
|
|
<dl class="api">
|
2015-04-27 03:02:58 +00:00
|
|
|
<dt>Description</dt>
|
|
|
|
<dd>
|
2015-04-27 21:07:20 +00:00
|
|
|
Creates or updates the role definition.
|
2015-04-27 03:02:58 +00:00
|
|
|
</dd>
|
|
|
|
|
|
|
|
<dt>Method</dt>
|
|
|
|
<dd>POST</dd>
|
|
|
|
|
|
|
|
<dt>URL</dt>
|
|
|
|
<dd>`/mysql/roles/<name>`</dd>
|
|
|
|
|
|
|
|
<dt>Parameters</dt>
|
|
|
|
<dd>
|
|
|
|
<ul>
|
|
|
|
<li>
|
|
|
|
<span class="param">sql</span>
|
|
|
|
<span class="param-flags">required</span>
|
|
|
|
The SQL statements executed to create and configure the role.
|
2015-04-28 18:30:17 +00:00
|
|
|
Must be semi-colon separated. The '{{name}}' and '{{password}}'
|
2015-04-27 03:02:58 +00:00
|
|
|
values will be substituted.
|
|
|
|
</li>
|
|
|
|
</ul>
|
|
|
|
</dd>
|
|
|
|
|
|
|
|
<dt>Returns</dt>
|
|
|
|
<dd>
|
|
|
|
A `204` response code.
|
|
|
|
</dd>
|
|
|
|
</dl>
|
|
|
|
|
2015-04-27 18:17:13 +00:00
|
|
|
#### GET
|
2015-04-27 03:02:58 +00:00
|
|
|
|
2015-04-27 18:17:13 +00:00
|
|
|
<dl class="api">
|
2015-04-27 03:02:58 +00:00
|
|
|
<dt>Description</dt>
|
|
|
|
<dd>
|
2015-04-27 21:07:20 +00:00
|
|
|
Queries the role definition.
|
2015-04-27 03:02:58 +00:00
|
|
|
</dd>
|
|
|
|
|
|
|
|
<dt>Method</dt>
|
|
|
|
<dd>GET</dd>
|
|
|
|
|
|
|
|
<dt>URL</dt>
|
|
|
|
<dd>`/mysql/roles/<name>`</dd>
|
|
|
|
|
|
|
|
<dt>Parameters</dt>
|
|
|
|
<dd>
|
|
|
|
None
|
|
|
|
</dd>
|
|
|
|
|
|
|
|
<dt>Returns</dt>
|
|
|
|
<dd>
|
|
|
|
|
|
|
|
```javascript
|
|
|
|
{
|
2015-10-12 16:10:22 +00:00
|
|
|
"data": {
|
|
|
|
"sql": "CREATE USER..."
|
|
|
|
}
|
2015-04-27 03:02:58 +00:00
|
|
|
}
|
|
|
|
```
|
|
|
|
|
|
|
|
</dd>
|
|
|
|
</dl>
|
|
|
|
|
|
|
|
|
2015-04-27 18:17:13 +00:00
|
|
|
#### DELETE
|
2015-04-27 03:02:58 +00:00
|
|
|
|
2015-04-27 18:17:13 +00:00
|
|
|
<dl class="api">
|
2015-04-27 03:02:58 +00:00
|
|
|
<dt>Description</dt>
|
|
|
|
<dd>
|
2015-04-27 21:07:20 +00:00
|
|
|
Deletes the role definition.
|
2015-04-27 03:02:58 +00:00
|
|
|
</dd>
|
|
|
|
|
|
|
|
<dt>Method</dt>
|
|
|
|
<dd>DELETE</dd>
|
|
|
|
|
|
|
|
<dt>URL</dt>
|
|
|
|
<dd>`/mysql/roles/<name>`</dd>
|
|
|
|
|
|
|
|
<dt>Parameters</dt>
|
|
|
|
<dd>
|
|
|
|
None
|
|
|
|
</dd>
|
|
|
|
|
|
|
|
<dt>Returns</dt>
|
|
|
|
<dd>
|
|
|
|
A `204` response code.
|
|
|
|
</dd>
|
|
|
|
</dl>
|
|
|
|
|
2015-04-27 18:17:13 +00:00
|
|
|
### /mysql/creds/
|
|
|
|
#### GET
|
2015-04-27 03:02:58 +00:00
|
|
|
|
2015-04-27 18:17:13 +00:00
|
|
|
<dl class="api">
|
2015-04-27 03:02:58 +00:00
|
|
|
<dt>Description</dt>
|
|
|
|
<dd>
|
|
|
|
Generates a new set of dynamic credentials based on the named role.
|
|
|
|
</dd>
|
|
|
|
|
|
|
|
<dt>Method</dt>
|
|
|
|
<dd>GET</dd>
|
|
|
|
|
|
|
|
<dt>URL</dt>
|
|
|
|
<dd>`/mysql/creds/<name>`</dd>
|
|
|
|
|
|
|
|
<dt>Parameters</dt>
|
|
|
|
<dd>
|
|
|
|
None
|
|
|
|
</dd>
|
|
|
|
|
|
|
|
<dt>Returns</dt>
|
|
|
|
<dd>
|
|
|
|
|
|
|
|
```javascript
|
|
|
|
{
|
2015-10-12 16:10:22 +00:00
|
|
|
"data": {
|
|
|
|
"username": "root-aefa635a-18",
|
|
|
|
"password": "132ae3ef-5a64-7499-351e-bfe59f3a2a21"
|
|
|
|
}
|
2015-04-27 03:02:58 +00:00
|
|
|
}
|
|
|
|
```
|
|
|
|
|
|
|
|
</dd>
|
|
|
|
</dl>
|
|
|
|
|