open-vault/website/source/docs/secrets/databases/mysql-maria.html.md

---
layout: "docs"
page_title: "MySQL/MariaDB Database Plugin"
sidebar_current: "docs-secrets-databases-mysql-maria"
description: |-
  The MySQL/MariaDB plugin for Vault's Database backend generates database credentials to access MySQL and MariaDB servers.
---

# MySQL/MariaDB Database Plugin

Name: `mysql-database-plugin`, `aurora-database-plugin`, `rds-database-plugin`,
`mysql-legacy-database-plugin`

The MySQL Database Plugin is one of the supported plugins for the Database
backend. This plugin generates database credentials dynamically based on
configured roles for the MySQL database.

See the [Database Backend](/docs/secrets/databases/index.html) docs for more
information about setting up the Database Backend.

This plugin has a few different instances built into vault, each instance is for
a slightly different MySQL driver. The only difference between these plugins is
the length of usernames generated by the plugin as different versions of mysql
accept different lengths. The availible plugins are:
 
 - mysql-database-plugin
 - aurora-database-plugin
 - rds-database-plugin
 - mysql-legacy-database-plugin

## Quick Start

After the Database Backend is mounted you can configure a MySQL connection
by specifying this plugin as the `"plugin_name"` argument. Here is an example
configuration: 

```
$ vault write database/config/mysql \
    plugin_name=mysql-database-plugin \
    connection_url="root:mysql@tcp(127.0.0.1:3306)/" \
    allowed_roles="readonly"

The following warnings were returned from the Vault server:
* Read access to this endpoint should be controlled via ACLs as it will return the connection details as is, including passwords, if any.
```

Once the MySQL connection is configured we can add a role:

```
$ vault write database/roles/readonly \
    db_name=mysql \
    creation_statements="CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}';GRANT SELECT ON *.* TO '{{name}}'@'%';" \
    default_ttl="1h" \
    max_ttl="24h"

Success! Data written to: database/roles/readonly
```

This role can now be used to retrieve a new set of credentials by querying the
"database/creds/readonly" endpoint.

## API

The full list of configurable options can be seen in the [MySQL database
plugin API](/api/secret/databases/mysql-maria.html) page.

For more information on the Database secret backend's HTTP API please see the [Database secret
backend API](/api/secret/databases/index.html) page.
Add website skeleton 2017-05-02 20:26:32 +00:00			`---`
			`layout: "docs"`
			`page_title: "MySQL/MariaDB Database Plugin"`
			`sidebar_current: "docs-secrets-databases-mysql-maria"`
			`description: \|-`
			`The MySQL/MariaDB plugin for Vault's Database backend generates database credentials to access MySQL and MariaDB servers.`
			`---`

			`# MySQL/MariaDB Database Plugin`
Update docs for the database backend and it's plugins 2017-05-03 05:24:31 +00:00
add new mysql plugin names and fix grammar 2017-05-04 01:41:39 +00:00			Name: `mysql-database-plugin`, `aurora-database-plugin`, `rds-database-plugin`,
			`mysql-legacy-database-plugin`
Update docs for the database backend and it's plugins 2017-05-03 05:24:31 +00:00
			`The MySQL Database Plugin is one of the supported plugins for the Database`
			`backend. This plugin generates database credentials dynamically based on`
			`configured roles for the MySQL database.`

Upate links in docs 2017-05-03 17:25:12 +00:00			`See the [Database Backend](/docs/secrets/databases/index.html) docs for more`
Update docs for the database backend and it's plugins 2017-05-03 05:24:31 +00:00			`information about setting up the Database Backend.`

add new mysql plugin names and fix grammar 2017-05-04 01:41:39 +00:00			`This plugin has a few different instances built into vault, each instance is for`
			`a slightly different MySQL driver. The only difference between these plugins is`
			`the length of usernames generated by the plugin as different versions of mysql`
			`accept different lengths. The availible plugins are:`

			`- mysql-database-plugin`
			`- aurora-database-plugin`
			`- rds-database-plugin`
			`- mysql-legacy-database-plugin`

Update docs for the database backend and it's plugins 2017-05-03 05:24:31 +00:00			`## Quick Start`

			`After the Database Backend is mounted you can configure a MySQL connection`
			by specifying this plugin as the `"plugin_name"` argument. Here is an example
			`configuration:`

			```
			`$ vault write database/config/mysql \`
			`plugin_name=mysql-database-plugin \`
			`connection_url="root:mysql@tcp(127.0.0.1:3306)/" \`
			`allowed_roles="readonly"`

			`The following warnings were returned from the Vault server:`
			`* Read access to this endpoint should be controlled via ACLs as it will return the connection details as is, including passwords, if any.`
			```

			`Once the MySQL connection is configured we can add a role:`

			```
			`$ vault write database/roles/readonly \`
			`db_name=mysql \`
			`creation_statements="CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}';GRANT SELECT ON . TO '{{name}}'@'%';" \`
			`default_ttl="1h" \`
			`max_ttl="24h"`

			`Success! Data written to: database/roles/readonly`
			```

			`This role can now be used to retrieve a new set of credentials by querying the`
			`"database/creds/readonly" endpoint.`

			`## API`

			`The full list of configurable options can be seen in the [MySQL database`
Upate links in docs 2017-05-03 17:25:12 +00:00			`plugin API](/api/secret/databases/mysql-maria.html) page.`
Update docs for the database backend and it's plugins 2017-05-03 05:24:31 +00:00
add new mysql plugin names and fix grammar 2017-05-04 01:41:39 +00:00			`For more information on the Database secret backend's HTTP API please see the [Database secret`
Upate links in docs 2017-05-03 17:25:12 +00:00			`backend API](/api/secret/databases/index.html) page.`
Update docs for the database backend and it's plugins 2017-05-03 05:24:31 +00:00