ContextQMD
Back to Infisical

MySQL/MariaDB

docs/documentation/platform/secret-rotation/mysql.mdx

0.159.253.8 KB
Original Source

The Infisical MySQL secret rotation allows you to automatically rotate your MySQL database user's password at a predefined interval.

Prerequisite

  1. Create two users with the required permission in your MySQL instance. We'll refer to them as user-a and user-b.
  2. Create another MySQL user with just the permission to update the passwords of user-a and user-b. We'll refer to this user as the admin user.

To learn more about MySQL permission system, please visit this documentation.

How it works

  1. Infisical connects to your database using the provided admin user account.
  2. A random value is generated and the password for user-a is updated with the new value.
  3. The new password is then tested by logging into the database
  4. If test is success, it's saved to the output secret mappings so that rest of the system gets the newly rotated value(s).
  5. The process is then repeated for user-b on the next rotation.
  6. The cycle repeats until secret rotation is deleted/stopped.

Rotation Configuration

<Steps> <Step title="Open Secret Rotation Page"> Head over to Secret Rotation configuration page of your project by clicking on `Secret Rotation` in the left side bar </Step> <Step title="Click on MySQL card" /> <Step title="Provide the inputs"> <ParamField path="Admin Username" type="string" required> Rotator admin username </ParamField> 
<ParamField path="Admin password" type="string" required>
	Rotator admin password
</ParamField>

<ParamField path="Host" type="string" required>
	Database host url
</ParamField>

<ParamField path="Port" type="number" required>
	Database port number
</ParamField>

<ParamField path="Username1" type="string" required>
	The first username of two to rotate - `user-a`
</ParamField>

<ParamField path="Username2" type="string" required>
	The second username of two to rotate - `user-b`
</ParamField>

<ParamField path="CA" type="string">
	Optional database certificate to connect with database
</ParamField>
</Step> <Step title="Configure the output secret mapping"> When a secret rotation is successful, the updated values needs to be saved to an existing key(s) in your project. 
<ParamField path="Environment" type="string" required>
	The environment where the rotated credentials should be mapped to.
</ParamField>

<ParamField path="Secret Path" type="string" required>
	The secret path where the rotated credentials should be mapped to.
</ParamField>

<ParamField path="Interval" type="number" required>
	What interval should the credentials be rotated in days.
</ParamField>

<ParamField path="DB USERNAME" type="string" required>
	Select an existing secret key where the rotated database username value should be saved to.
</ParamField>

<ParamField path="DB PASSWORD" type="string" required>
	Select an existing select key where the rotated database password value should be saved to.
</ParamField>
</Step> </Steps>

FAQ

<AccordionGroup> <Accordion title="Why can't we delete the other user when rotating?"> When a system has multiple nodes by horizontal scaling, redeployment doesn't happen instantly. 
This means that when the secrets are rotated, and the redeployment is triggered, the existing system will still be using the old credentials until the change rolls out. 

To avoid causing failure for them, the old credentials are not removed. Instead, in the next rotation, the previous user's credentials are updated.
</Accordion> <Accordion title="Why do you need root user account?"> The admin account is used by Infisical to update the credentials for `user-a` and `user-b`. 
You don't need to grant all permission for your admin account but rather just the permissions to update both of the user's passwords.
</Accordion> </AccordionGroup>