# MySQL Plugin

{% hint style="warning" %}
Keeper has also launched a zero-trust Password Rotation feature with KeeperPAM. This new capability is recommended for most password rotation use cases. The Documentation is linked below:

* [Password Rotation with KeeperPAM](/keeperpam/secrets-manager/password-rotation.md)
* Commander [KeeperPAM commands](/keeperpam/commander-cli/command-reference/keeperpam-commands.md)
  {% endhint %}

## Prerequisites

#### Install PyMySQL

```
pip3 install -Iv PyMySQL==0.10.1
```

{% hint style="warning" %}
The MySQL Commander Plugin requires the PyMySQL plugin version 0.10.1 and does not support more recent versions.
{% endhint %}

## Prepare Records for Rotation

### Create a record to store the MySQL username and password

Create a record using either the Keeper Vault UI, or Keeper Commander.

{% tabs %}
{% tab title="Vault UI" %}
![Creating a record in the Keeper Vault](https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FLnjMZ9GPTFEGzNCO4kwj%2Fimage.png?alt=media\&token=e5ec658c-e470-4f70-99b0-aa8716002c50)

{% hint style="info" %}
Commander rotation supports all record types. A "Login" field is required on the record.
{% endhint %}

**Set the Host and Port of the record**

![](https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FxndkXzyAk0NgMkcTNoBq%2Fimage.png?alt=media\&token=43c4c5b1-0943-4104-a860-61fe76fcfc00)

If using an untyped record, the host and port can be set to custom fields. See below.

{% hint style="info" %}
Commander will use the mysql plugin automatically for records with the port number 3306, or with a hostname that starts with "mysql//"
{% endhint %}

**Set the login and password values to the current database user values**

![Commander will use the login and password to login to the MySQL account](https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2F4TNMCZKhejp3vlE8tBCN%2Fimage.png?alt=media\&token=4cfaa6bd-a624-4e25-aea3-38d59984e901)
{% endtab %}

{% tab title="Commander" %}

```
add type="databaseCredentials" title="MySQL Example" f.host.hostName="127.0.0.1" f.host.port="3306" f.login
="DBAdmin Smith" f.password="XXX"
```

replace 'XXX' with the current database password for this user
{% endtab %}
{% endtabs %}

### Optional Custom Fields

| Label           | Value                                                                       | Comment                                                                                                             |
| --------------- | --------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------- |
| cmdr:plugin     | mysql                                                                       | Tells Commander to use MySQL rotation. This should be either set to the record, or supplied to the rotation command |
| cmdr:host       |                                                                             | Hostname of your MySQL server. This can be set here if not set in the record's host field                           |
| cmdr:rules      | <p># uppercase, # lowercase, # numeric, # special'</p><p>(e.g. 4,6,3,8)</p> | Password generation rules                                                                                           |
| cmdr:port       |                                                                             | <p>MySQL port. 3306 assumed if omitted<br>This can be set here if not set in the record's host field</p>            |
| cmdr:user\_host |                                                                             | User host. '%' assumed if omitted                                                                                   |

{% tabs %}
{% tab title="Vault UI" %}
![Adding Custom Fields in the Vault UI](https://762006384-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MJXOXEifAmpyvNVL1to%2F-MiNPEavIrI4-C-d6yeX%2F-MiNSHLjGNieJbKyeNnB%2Fimage.png?alt=media\&token=4cb9461d-4b81-45d0-b93a-c541187d592f)
{% endtab %}

{% tab title="Commander" %}
For Commander versions greater than 4.88

```
 edit -r "MySQL Example" --custom '{"cmdr:plugin":"mysql", "cmdr:host":"SQL"}'
```

For Commander versions 4.88 and before

```
edit "MySQL Example" --custom '{"cmdr:plugin":"mysql", "cmdr:host":"SQL"}'
```

{% hint style="info" %}
for more information about the edit command, see the [command documentation](/keeperpam/commander-cli/command-reference/record-commands.md#record-add-and-record-update-commands)
{% endhint %}
{% endtab %}
{% endtabs %}

## Rotate Passwords

### Get Record UID

{% tabs %}
{% tab title="Vault UI" %}
Find the UID in the record information popup

![Click the Record UID to copy it to the clipboard](https://762006384-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MJXOXEifAmpyvNVL1to%2F-MiNaHUls8b8zepgHMnb%2F-MiNgHHcXnjXoz4P1LO9%2Fimage.png?alt=media\&token=c7bac4e1-0eef-4e3e-9d29-6a74fa18c8d4)
{% endtab %}

{% tab title="Commander" %}

```
My Vault> search "MySQL Example"

  #  Record UID              Type    Title    Login    URL
---  ----------------------  ------  -------  -------  -----
  1  am4TuwGrDpn8NhrGPBAWKw  login   rtt      rotate


                 UID: am4TuwGrDpn8NhrGPBAWKw
               Title: rtt
               Login: rotate
                text: ['mysql']
                text: ['127.0.0.1']
```

Use the search command to find the UID for your record. Replace "MySQL Example" with the name of your record.
{% endtab %}
{% endtabs %}

### Perform Rotation

To rotate MySQL passwords, use the `rotate` command in Commander. Pass the command a record title or UID (or use `--match` with a regular expression to rotate several records at once)

```
rotate "MySQL Example" --plugin mssql
```

{% hint style="info" %}
The plugin can be supplied to the command as shown here added to a record field, or automatically assigned based on the port number or based on the host starting with "mysql://" (see options above).\
Adding the plugin type to the record makes it possible to rotate several records at once with different plugins.
{% endhint %}

#### Output

After rotation is completed, the new password will be stored in the `Password` field of the record

## Integration with the Keeper Commander's `connect` command

| Custom Field Name          | Custom Field Value              |
| -------------------------- | ------------------------------- |
| connect:xxx:env:MYSQL\_PWD | ${password}                     |
| connect:xxx                | mysql -u${login} -h${cmdr:host} |

{% hint style="info" %}
`xxx` refers to the 'friendly name' which can be referenced when connecting on the command line
{% endhint %}

Here's a screenshot of the Keeper Vault record for this use case:

![A Keeper Record setup for use with Commander's 'connect' command](https://raw.githubusercontent.com/Keeper-Security/Commander/master/keepercommander/images/connect_mysql_screenshot.png)

{% hint style="info" %}
For more information on the `connect` command, see the [documentation](/keeperpam/commander-cli/command-reference/connection-commands/connection-to-hosts.md)
{% endhint %}


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.keeper.io/keeperpam/commander-cli/command-reference/plugins/mysql-plugin.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.