MySQL Connections
Keeper Connections - MySQL Protocol
Overview
KeeperPAM enables zero-trust privileged session management for MySQL databases through an interactive CLI or the visual KeeperDB interface. This guide shows how to configure MySQL connections on PAM Database records in the Keeper Vault. Sessions start from the Vault, route through the Keeper Gateway, and connect to the target database.
Prerequisites
Before you begin, review the connection prerequisites on Getting Started.
You need these records to configure a MySQL connection:
Stores the infrastructure details needed to reach the target.
Stores the MySQL host and connection details.
Stores the MySQL credentials used for the session.
This guide uses a MySQL Database record as the target.
Use KeeperDB for visual database access, monitoring, and KeeperAI-assisted workflows. Use KeeperDB Proxy to connect from a native desktop client without exposing credentials.
PAM Settings - MySQL Protocol
Accessing connection settings
After you create the target PAM record, open the connection settings:
Edit the PAM record.
Click Set Up in PAM Settings.
Open the Connection section.
Configuring connection settings
Before you configure the MySQL protocol, set these required fields:
PAM Configuration
The PAM Configuration provides access to the target defined on the record.
Administrative Credential Record
The linked PAM User used for authentication and administrative actions.
The following table lists the MySQL-specific connection settings:
Protocol
Required. Select MySQL. Keeper populates the available settings for this protocol.
Enable Connection
Required. Enable this toggle to allow launches from the record.
Graphical Session Recording
Enables graphical session recording for this connection.
Text Session Recording (Typescript)
Enables raw text session recording with timing data.
Include Key Events
Includes keystrokes in playback. This can capture typed secrets.
Connection Port
Uses the port on the PAM Database by default. Override it here if needed. The default MySQL port is 3306.
Launch Credentials
Uses the selected credentials to authenticate the session. See Connection Authentication Methods.
Allow users to select credentials from their vault
Lets users choose their own private vault credentials. See Connection Authentication Methods.
Rotate launch credentials upon session termination
Rotates the selected launch credential when the session ends.
Default Database
Selects the default schema when the session starts.
Can download
Allows CSV export
On CLI with
SELECT ... INTO OUTFILE.With KeeperDB using Export
Can upload
Allows CSV import with LOAD DATA LOCAL INFILE ... INTO TABLE.
Can copy to clipboard
Lets users copy text from the session.
Can paste from clipboard
Lets users paste local clipboard content into the session.
Font name
Sets the terminal font. Use a monospaced font installed on the server running guacd.
Maximum scrollback size
Sets the maximum terminal scrollback buffer. The default is 1000 rows.
Read-only
Prevents all input. Users can view the session but cannot interact.
Connection Authentication Methods
MySQL connections support these authentication methods:
Launch Credential Keeper uses the credential linked on the PAM record. Users do not need direct access to that credential.
Personal/Private Credential When Allow users to select credentials from their vault is enabled, users can authenticate with their own private vault credential.
Ephemeral Accounts Keeper creates a temporary privileged account for the session and deletes it after the session ends. This supports Just-In-Time access.
Session Recordings - MySQL Protocol
For this protocol, Keeper records both the graphical session and the full raw text stream, including timing data. Learn how to access and review recordings on Session Recording & Playback.
Learn more about Session Recording & Playback
KeeperDB Settings
Use KeeperDB for visual database access, monitoring, and KeeperAI-assisted workflows on this connection.
JIT Settings
Tunnel Settings
KeeperAI Settings
Workflow Settings
Connection Templates
You can also configure the PAM record as a connection template. Connection templates let users launch sessions without predefining a specific hostname or credential.
Learn more about Connection Templates
Last updated