MySQL Plugin

Rotate and Connect to MySQL databases with Keeper Commander

Keeper has also launched a zero-trust Password Rotation feature with KeeperPAM. This new capability is recommended for most password rotation use cases. The Documentation is linked below:

Password Rotation with KeeperPAM
Commander KeeperPAM commands

Prerequisites

Install PyMySQL

pip3 install -Iv PyMySQL==0.10.1

The MySQL Commander Plugin requires the PyMySQL plugin version 0.10.1 and does not support more recent versions.

Prepare Records for Rotation

Create a record to store the MySQL username and password

Create a record using either the Keeper Vault UI, or Keeper Commander.

Commander rotation supports all record types. A "Login" field is required on the record.

Set the Host and Port of the record

If using an untyped record, the host and port can be set to custom fields. See below.

Commander will use the mysql plugin automatically for records with the port number 3306, or with a hostname that starts with "mysql//"

add type="databaseCredentials" title="MySQL Example" f.host.hostName="127.0.0.1" f.host.port="3306" f.login
="DBAdmin Smith" f.password="XXX"

replace 'XXX' with the current database password for this user

Optional Custom Fields

Label

Value

Comment

cmdr:plugin

mysql

Tells Commander to use MySQL rotation. This should be either set to the record, or supplied to the rotation command

cmdr:host

Hostname of your MySQL server. This can be set here if not set in the record's host field

cmdr:rules

# uppercase, # lowercase, # numeric, # special'

(e.g. 4,6,3,8)

Password generation rules

cmdr:port

MySQL port. 3306 assumed if omitted This can be set here if not set in the record's host field

cmdr:user_host

User host. '%' assumed if omitted

For Commander versions greater than 4.88

 edit -r "MySQL Example" --custom '{"cmdr:plugin":"mysql", "cmdr:host":"SQL"}'

For Commander versions 4.88 and before

edit "MySQL Example" --custom '{"cmdr:plugin":"mysql", "cmdr:host":"SQL"}'

for more information about the edit command, see the command documentation

Rotate Passwords

Get Record UID

Find the UID in the record information popup

My Vault> search "MySQL Example"

  #  Record UID              Type    Title    Login    URL
---  ----------------------  ------  -------  -------  -----
  1  am4TuwGrDpn8NhrGPBAWKw  login   rtt      rotate


                 UID: am4TuwGrDpn8NhrGPBAWKw
               Title: rtt
               Login: rotate
                text: ['mysql']
                text: ['127.0.0.1']

Use the search command to find the UID for your record. Replace "MySQL Example" with the name of your record.

Perform Rotation

To rotate MySQL passwords, use the rotate command in Commander. Pass the command a record title or UID (or use --match with a regular expression to rotate several records at once)

rotate "MySQL Example" --plugin mssql

The plugin can be supplied to the command as shown here added to a record field, or automatically assigned based on the port number or based on the host starting with "mysql://" (see options above). Adding the plugin type to the record makes it possible to rotate several records at once with different plugins.

Output

After rotation is completed, the new password will be stored in the Password field of the record

Integration with the Keeper Commander's `connect` command

Custom Field Name

Custom Field Value

connect:xxx:env:MYSQL_PWD

${password}

connect:xxx

mysql -u${login} -h${cmdr:host}

xxx refers to the 'friendly name' which can be referenced when connecting on the command line

Here's a screenshot of the Keeper Vault record for this use case:

For more information on the connect command, see the documentation

PreviousMicrosoft SQL Server Plugin NextOracle Plugin

Last updated 3 months ago

Was this helpful?

Prerequisites

Install PyMySQL

Prepare Records for Rotation

Create a record to store the MySQL username and password

Set the Host and Port of the record

Set the login and password values to the current database user values

Optional Custom Fields

Rotate Passwords

Get Record UID

Perform Rotation

Output

Integration with the Keeper Commander's connect command

Integration with the Keeper Commander's `connect` command