open-vault/website/source/docs/secrets/databases/mysql-maria.html.md
2017-05-03 18:41:39 -07:00

layout: docs
page_title: MySQL/MariaDB Database Plugin
sidebar_current: docs-secrets-databases-mysql-maria
description: The MySQL/MariaDB plugin for Vault's Database backend generates database credentials to access MySQL and MariaDB servers.

MySQL/MariaDB Database Plugin

Name: mysql-database-plugin, aurora-database-plugin, rds-database-plugin, mysql-legacy-database-plugin

The MySQL Database Plugin is one of the supported plugins for the Database backend. This plugin generates database credentials dynamically based on configured roles for the MySQL database.

See the Database Backend docs for more information about setting up the Database Backend.

This plugin has a few different instances built into Vault; each instance is for a slightly different MySQL driver. The only difference between these plugins is the length of the usernames they generate, as different versions of MySQL accept different lengths. The available plugins are:

  • mysql-database-plugin
  • aurora-database-plugin
  • rds-database-plugin
  • mysql-legacy-database-plugin

Quick Start

After the Database Backend is mounted you can configure a MySQL connection by specifying this plugin as the "plugin_name" argument. Here is an example configuration:

$ vault write database/config/mysql \
    plugin_name=mysql-database-plugin \
    connection_url="root:mysql@tcp(127.0.0.1:3306)/" \
    allowed_roles="readonly"

The following warnings were returned from the Vault server:
* Read access to this endpoint should be controlled via ACLs as it will return the connection details as is, including passwords, if any.

Once the MySQL connection is configured we can add a role:

$ vault write database/roles/readonly \
    db_name=mysql \
    creation_statements="CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}';GRANT SELECT ON *.* TO '{{name}}'@'%';" \
    default_ttl="1h" \
    max_ttl="24h"

Success! Data written to: database/roles/readonly

This role can now be used to retrieve a new set of credentials by querying the "database/creds/readonly" endpoint.
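The following is an added example, not part of the Vault documentation or Vault's own code: a small Python check that shows the SQL a role's creation_statements expands to for each lease and flags grants that are broader than a dynamic credential usually needs. It assumes the plugin splits the string on semicolons and substitutes {{name}} and {{password}} textually; the function names, finding codes and the BROAD privilege list are this example's own.

```python
import re

# Role definition copied from the Quick Start above.
QUICK_START = ("CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}';"
               "GRANT SELECT ON *.* TO '{{name}}'@'%';")

# Privileges treated as too broad for a dynamic role (this example's own choice).
BROAD = {"ALL", "ALL PRIVILEGES", "SUPER", "FILE", "GRANT OPTION"}
GRANT_RE = re.compile(r"^GRANT\s+(.+?)\s+ON\s+(\S+)\s+TO\s", re.I | re.S)


def split_statements(creation_statements):
    """Split on ';' and drop empty pieces (assumed to mirror the plugin)."""
    return [s.strip() for s in creation_statements.split(";") if s.strip()]


def render(creation_statements, name, password):
    """Return the SQL that would run for one generated credential pair."""
    return [s.replace("{{name}}", name).replace("{{password}}", password)
            for s in split_statements(creation_statements)]


def audit(creation_statements):
    """Return sorted finding codes (hypothetical names) for a role definition."""
    findings = set()
    for placeholder in ("name", "password"):
        if "{{%s}}" % placeholder not in creation_statements:
            findings.add("no-%s-placeholder" % placeholder)
    for stmt in split_statements(creation_statements):
        if "@'%'" in stmt:
            findings.add("any-host")  # account usable from any client address
        grant = GRANT_RE.match(stmt)
        if not grant:
            continue
        # Simple comma split: column-level lists such as SELECT (a, b) are out of scope.
        privileges = {p.strip().upper() for p in grant.group(1).split(",")}
        if privileges & BROAD or "WITH GRANT OPTION" in stmt.upper():
            findings.add("broad-privilege")
        if grant.group(2) == "*.*":
            findings.add("global-scope")  # grant covers every database on the server
    return sorted(findings)


if __name__ == "__main__":
    for line in render(QUICK_START, "v-readonly-EXAMPLE", "EXAMPLE-PASSWORD"):
        print(line)
    print(audit(QUICK_START))
```

Run against the Quick Start role, the check reports any-host and global-scope; restricting the host pattern and naming a single schema in the GRANT clears both.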

API

The full list of configurable options can be seen in the MySQL database plugin API page.

For more information on the Database secret backend's HTTP API please see the Database secret backend API page.