All pages
Powered by GitBook
1 of 1

MySQL Plugin

Rotate and Connect to MySQL databases with Keeper Commander

Keeper has also launched a zero-trust Password Rotation feature with KeeperPAM. This new capability is recommended for most password rotation use cases. The Documentation is linked below:

Prerequisites

Install PyMySQL

The MySQL Commander Plugin requires the PyMySQL plugin version 0.10.1 and does not support more recent versions.

Prepare Records for Rotation

Create a record to store the MySQL username and password

Create a record using either the Keeper Vault UI, or Keeper Commander.

Optional Custom Fields

Label
Value
Comment

cmdr:plugin

mysql

Tells Commander to use MySQL rotation. This should be either set to the record, or supplied to the rotation command

cmdr:host

Hostname of your MySQL server. This can be set here if not set in the record's host field

cmdr:rules

# uppercase, # lowercase, # numeric, # special'

(e.g. 4,6,3,8)

Password generation rules

cmdr:port

MySQL port. 3306 assumed if omitted This can be set here if not set in the record's host field

cmdr:user_host

User host. '%' assumed if omitted

For Commander versions greater than 4.88

 edit -r "MySQL Example" --custom '{"cmdr:plugin":"mysql", "cmdr:host":"SQL"}'

For Commander versions 4.88 and before

edit "MySQL Example" --custom '{"cmdr:plugin":"mysql", "cmdr:host":"SQL"}'

for more information about the edit command, see the command documentation

Rotate Passwords

Get Record UID

Find the UID in the record information popup

Click the Record UID to copy it to the clipboard
My Vault> search "MySQL Example"

  #  Record UID              Type    Title    Login    URL
---  ----------------------  ------  -------  -------  -----
  1  am4TuwGrDpn8NhrGPBAWKw  login   rtt      rotate


                 UID: am4TuwGrDpn8NhrGPBAWKw
               Title: rtt
               Login: rotate
                text: ['mysql']
                text: ['127.0.0.1']

Use the search command to find the UID for your record. Replace "MySQL Example" with the name of your record.

Perform Rotation

To rotate MySQL passwords, use the rotate command in Commander. Pass the command a record title or UID (or use --match with a regular expression to rotate several records at once)

rotate "MySQL Example" --plugin mssql

The plugin can be supplied to the command as shown here added to a record field, or automatically assigned based on the port number or based on the host starting with "mysql://" (see options above). Adding the plugin type to the record makes it possible to rotate several records at once with different plugins.

Output

After rotation is completed, the new password will be stored in the Password field of the record

Integration with the Keeper Commander's connect command

Custom Field Name

Custom Field Value

connect:xxx:env:MYSQL_PWD

${password}

connect:xxx

mysql -u${login} -h${cmdr:host}

xxx refers to the 'friendly name' which can be referenced when connecting on the command line

Here's a screenshot of the Keeper Vault record for this use case:

A Keeper Record setup for use with Commander's 'connect' command

For more information on the connect command, see the documentation