search

MySQL Plugin

Rotate and Connect to MySQL databases with Keeper Commander

circle-exclamation

Keeper has also launched a zero-trust Password Rotation feature with KeeperPAM. This new capability is recommended for most password rotation use cases. The Documentation is linked below:

hashtag
Prerequisites

hashtag
Install PyMySQL

pip3 install -Iv PyMySQL==0.10.1
circle-exclamation

The MySQL Commander Plugin requires the PyMySQL plugin version 0.10.1 and does not support more recent versions.

hashtag
Prepare Records for Rotation

hashtag
Create a record to store the MySQL username and password

Create a record using either the Keeper Vault UI, or Keeper Commander.

Creating a record in the Keeper Vault
circle-info

Commander rotation supports all record types. A "Login" field is required on the record.

Set the Host and Port of the record

If using an untyped record, the host and port can be set to custom fields. See below.

circle-info

Commander will use the mysql plugin automatically for records with the port number 3306, or with a hostname that starts with "mysql//"

Set the login and password values to the current database user values

Commander will use the login and password to login to the MySQL account

hashtag
Optional Custom Fields

Label
Value
Comment

cmdr:plugin

mysql

Tells Commander to use MySQL rotation. This should be either set to the record, or supplied to the rotation command

cmdr:host

Hostname of your MySQL server. This can be set here if not set in the record's host field

cmdr:rules

# uppercase, # lowercase, # numeric, # special'

(e.g. 4,6,3,8)

Password generation rules

cmdr:port

MySQL port. 3306 assumed if omitted This can be set here if not set in the record's host field

cmdr:user_host

User host. '%' assumed if omitted

Adding Custom Fields in the Vault UI

hashtag
Rotate Passwords

hashtag
Get Record UID

Find the UID in the record information popup

Click the Record UID to copy it to the clipboard

hashtag
Perform Rotation

To rotate MySQL passwords, use the rotate command in Commander. Pass the command a record title or UID (or use --match with a regular expression to rotate several records at once)

circle-info

The plugin can be supplied to the command as shown here added to a record field, or automatically assigned based on the port number or based on the host starting with "mysql://" (see options above). Adding the plugin type to the record makes it possible to rotate several records at once with different plugins.

hashtag
Output

After rotation is completed, the new password will be stored in the Password field of the record

hashtag
Integration with the Keeper Commander's connect command

Custom Field Name
Custom Field Value

connect:xxx:env:MYSQL_PWD

${password}

connect:xxx

mysql -u${login} -h${cmdr:host}

circle-info

xxx refers to the 'friendly name' which can be referenced when connecting on the command line

Here's a screenshot of the Keeper Vault record for this use case:

A Keeper Record setup for use with Commander's 'connect' command
circle-info

For more information on the connect command, see the documentationarrow-up-right

PreviousMicrosoft SQL Server PluginNextOracle Plugin

Last updated

Was this helpful?