MySQL Plugin

Rotate and Connect to MySQL databases with Keeper Commander

Keeper has launched a new Password Rotation feature with Keeper Secrets Manager. This new capability is recommended for all password rotation use cases. The Documentation is linked below:

Prerequisites

Install PyMySQL

pip3 install -Iv PyMySQL==0.10.1

The MySQL Commander Plugin requires the PyMySQL plugin version 0.10.1 and does not support more recent versions.

Prepare Records for Rotation

Create a record to store the MySQL username and password

Create a record using either the Keeper Vault UI, or Keeper Commander.

Commander rotation supports all record types. A "Login" field is required on the record.

Set the Host and Port of the record

If using an untyped record, the host and port can be set to custom fields. See below.

Commander will use the mysql plugin automatically for records with the port number 3306, or with a hostname that starts with "mysql//"

Set the login and password values to the current database user values

Optional Custom Fields

LabelValueComment

cmdr:plugin

mysql

Tells Commander to use MySQL rotation. This should be either set to the record, or supplied to the rotation command

cmdr:host

Hostname of your MySQL server. This can be set here if not set in the record's host field

cmdr:rules

# uppercase, # lowercase, # numeric, # special'

(e.g. 4,6,3,8)

Password generation rules

cmdr:port

MySQL port. 3306 assumed if omitted This can be set here if not set in the record's host field

cmdr:user_host

User host. '%' assumed if omitted

Rotate Passwords

Get Record UID

Find the UID in the record information popup

Perform Rotation

To rotate MySQL passwords, use the rotate command in Commander. Pass the command a record title or UID (or use --match with a regular expression to rotate several records at once)

rotate "MySQL Example" --plugin mssql

The plugin can be supplied to the command as shown here added to a record field, or automatically assigned based on the port number or based on the host starting with "mysql://" (see options above). Adding the plugin type to the record makes it possible to rotate several records at once with different plugins.

Output

After rotation is completed, the new password will be stored in the Password field of the record

Integration with the Keeper Commander's connect command

Custom Field Name

Custom Field Value

connect:xxx:env:MYSQL_PWD

${password}

connect:xxx

mysql -u${login} -h${cmdr:host}

xxx refers to the 'friendly name' which can be referenced when connecting on the command line

Here's a screenshot of the Keeper Vault record for this use case:

For more information on the connect command, see the documentation

Last updated