diff --git a/website/content/docs/secrets/databases/mysql-maria.mdx b/website/content/docs/secrets/databases/mysql-maria.mdx index becab0f2b7..02c29d0b9c 100644 --- a/website/content/docs/secrets/databases/mysql-maria.mdx +++ b/website/content/docs/secrets/databases/mysql-maria.mdx @@ -176,8 +176,8 @@ the following SQL privileges are needed by the service account's DB user for min Additional privileges may be needed depending on the SQL configured on the database roles. ```sql --- Enable service account to create roles within DB -GRANT CREATEROLE ON . TO "test-user"@"%"; +-- Enable service account to create users within DB +GRANT SELECT, CREATE, CREATE USER ON . TO "test-user"@"%" WITH GRANT OPTION; ``` ### Setup @@ -217,5 +217,27 @@ GRANT CREATEROLE ON . TO "test-user"@"%"; service_account_json="@my_credentials.json" ``` -Once the connection has been configured and IAM authentication is complete, the steps to set up a role and generate -credentials are the same as the ones listed above. +1. Configure a new role in Vault but override the default revocation statements + so Vault will drop the user instead: + + ```shell-session + $ vault write database/roles/my-role \ + db_name=my-mysql-database \ + creation_statements="CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}';GRANT SELECT ON *.* TO '{{name}}'@'%';" \ + revocation_statements="DROP USER '{{name}}'@'%';" \ + default_ttl="1h" \ + max_ttl="24h" + ``` + +1. When you finish configuring the new role, generate credentials as before: + + ```shell-session + $ vault read database/creds/my-role + Key Value + --- ----- + lease_id database/creds/my-role/2f6b629f-7ah2-7b19-24b9-ad879a8d4bf2 + lease_duration 1h + lease_renewable true + password vY-57n3X5UQhxnmGTK7g + username v_vaultuser_my-role_frBYNfYh3Kw3 + ```
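Review bot: In the first hunk the grant target `ON .` is not valid MySQL syntax; the wildcard appears to have been lost (likely `*.*` escaped away in the .mdx source), and inside the ```sql fence it should read `GRANT SELECT, CREATE, CREATE USER ON *.* TO "test-user"@"%" WITH GRANT OPTION;`, matching the `*.*` target used in the role's `creation_statements` in the second hunk. The surrounding text promises the minimum privileges, so a short sentence should also explain why `WITH GRANT OPTION` is needed here (the service account has to execute `GRANT SELECT ON *.* TO '{{name}}'@'%'` on behalf of each dynamic user) and that the privilege set granted to the service account should be kept to what the configured roles' creation statements actually hand out.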
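Review bot: Step 1 of the second hunk says to override the default revocation statements "so Vault will drop the user instead" but never states what the default would do or why that is unsuitable for this IAM-authenticated setup; since this override is the one way the procedure differs from the steps listed earlier on the page, one sentence giving that reason would make the instruction actionable rather than something to copy blindly. The example `creation_statements` also grants `SELECT ON *.*`, which is read access to every schema on the server; consider scoping the example to a named database, or note that readers should narrow it to what the role actually requires.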