MySQL Plugin
Rotate and Connect to MySQL databases with Keeper Commander
Keeper has launched a new Password Rotation feature with Keeper Secrets Manager. This new capability is recommended for all password rotation use cases. The Documentation is linked below:
Password Rotation with Keeper Secrets Manager
Prerequisites
Install PyMySQL
The MySQL Commander Plugin requires the PyMySQL plugin version 0.10.1 and does not support more recent versions.
Prepare Records for Rotation
Create a record to store the MySQL username and password
Create a record using either the Keeper Vault UI, or Keeper Commander.
Commander rotation supports all record types. A "Login" field is required on the record.
Set the Host and Port of the record
If using an untyped record, the host and port can be set to custom fields. See below.
Commander will use the mysql plugin automatically for records with the port number 3306, or with a hostname that starts with "mysql//"
Set the login and password values to the current database user values
Optional Custom Fields
Label | Value | Comment |
---|---|---|
cmdr:plugin | mysql | Tells Commander to use MySQL rotation. This should be either set to the record, or supplied to the rotation command |
cmdr:host | Hostname of your MySQL server. This can be set here if not set in the record's host field | |
cmdr:rules | # uppercase, # lowercase, # numeric, # special' (e.g. 4,6,3,8) | Password generation rules |
cmdr:port | MySQL port. 3306 assumed if omitted This can be set here if not set in the record's host field | |
cmdr:user_host | User host. '%' assumed if omitted |
Rotate Passwords
Get Record UID
Find the UID in the record information popup
Perform Rotation
To rotate MySQL passwords, use the rotate
command in Commander. Pass the command a record title or UID (or use --match
with a regular expression to rotate several records at once)
The plugin can be supplied to the command as shown here added to a record field, or automatically assigned based on the port number or based on the host starting with "mysql://" (see options above). Adding the plugin type to the record makes it possible to rotate several records at once with different plugins.
Output
After rotation is completed, the new password will be stored in the Password
field of the record
Integration with the Keeper Commander's connect
command
connect
commandCustom Field Name | Custom Field Value |
connect:xxx:env:MYSQL_PWD | ${password} |
connect:xxx | mysql -u${login} -h${cmdr:host} |
xxx
refers to the 'friendly name' which can be referenced when connecting on the command line
Here's a screenshot of the Keeper Vault record for this use case:
For more information on the connect
command, see the documentation
Last updated