luxolus/open-vault
2
0
Fork 0
Code Issues 1 Pull requests Releases Activity
open-vault/website/source/docs/secrets/databases/mysql-maria.html.md
Brian Kassouf ce391ca425 add new mysql plugin names and fix grammar
2017-05-03 18:41:39 -07:00

70 lines
2.4 KiB
Markdown
Raw Blame History

---
layout: "docs"
page_title: "MySQL/MariaDB Database Plugin"
sidebar_current: "docs-secrets-databases-mysql-maria"
description: |-
The MySQL/MariaDB plugin for Vault's Database backend generates database credentials to access MySQL and MariaDB servers.
---
# MySQL/MariaDB Database Plugin
Name: `mysql-database-plugin`, `aurora-database-plugin`, `rds-database-plugin`,
`mysql-legacy-database-plugin`
The MySQL Database Plugin is one of the supported plugins for the Database
backend. This plugin generates database credentials dynamically based on
configured roles for the MySQL database.
See the [Database Backend](/docs/secrets/databases/index.html) docs for more
information about setting up the Database Backend.
This plugin has a few different instances built into vault, each instance is for
a slightly different MySQL driver. The only difference between these plugins is
the length of usernames generated by the plugin as different versions of mysql
accept different lengths. The availible plugins are:
- mysql-database-plugin
- aurora-database-plugin
- rds-database-plugin
- mysql-legacy-database-plugin
## Quick Start
After the Database Backend is mounted you can configure a MySQL connection
by specifying this plugin as the `"plugin_name"` argument. Here is an example
configuration:
```
$ vault write database/config/mysql \
plugin_name=mysql-database-plugin \
connection_url="root:mysql@tcp(127.0.0.1:3306)/" \
allowed_roles="readonly"
The following warnings were returned from the Vault server:
* Read access to this endpoint should be controlled via ACLs as it will return the connection details as is, including passwords, if any.
```
Once the MySQL connection is configured we can add a role:
```
$ vault write database/roles/readonly \
db_name=mysql \
creation_statements="CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}';GRANT SELECT ON *.* TO '{{name}}'@'%';" \
default_ttl="1h" \
max_ttl="24h"
Success! Data written to: database/roles/readonly
```
This role can now be used to retrieve a new set of credentials by querying the
"database/creds/readonly" endpoint.
## API
The full list of configurable options can be seen in the [MySQL database
plugin API](/api/secret/databases/mysql-maria.html) page.
For more information on the Database secret backend's HTTP API please see the [Database secret
backend API](/api/secret/databases/index.html) page.
Reference in a new issue View git blame Copy permalink