MySQL

How to integrate MySQL DB with Apono Cloud-Native access management platform

Overview

  • Reduce Over Privileges - Discover existing privileges to MySQL databases and convert them to on-demand access flows to reduce over-privileges.

  • Self Service Access - Empower your developers to gain self-servable access to databases using Slack.

  • Automated Approval Workflows - Create approval workflows to specific sensitive databases.

  • Restricted Third Party Access - Grant third-party (customer or vendor) time-based access to specific databases with MFA verification.

  • Review Access - View a detailed access audit of who was granted access to which databases with what permission level and why.

Step by step guide

Prerequisites

  • An Apono connector installed with network access to the MySQL databases

    • Minimum Apono connector version: 1.3.0 (visit the Connectors Page and update the connector if needed)

  • A MySQL user for Apono with the permissions listed below (see "How to create a MySQL user for Apono")

  • A secret created in Secret Store with the following params:

    • Key: username, Value: MySQL USERNAME

    • Key: password, Value: USERNAME PASSWORD

📘 Why does Apono need secrets?

Apono does not store credentials. The Apono Connector uses the secret to communicate with services in your environment and separate the Apono web app from the environment for maximal security.

How to create a MySQL user for Apono

  1. Create a user for the connector in the instance, choosing a secure password in place of 'password':

CREATE USER 'apono_connector'@'%' IDENTIFIED BY 'password';

  2. Using the AWS CLI, store the credentials in AWS Secrets Manager. Make sure to replace #SECRET_NAME, #REGION, #USERNAME and #PASSWORD:

aws secretsmanager create-secret --name "#SECRET_NAME" --tags '[{"Key":"apono-connector-read","Value":"true"}]' --region #REGION --secret-string '{
    "username":"'"apono_connector"'",
    "password":"'"#PASSWORD"'"
}'

  3. Expose the databases to apono_connector:

GRANT SHOW DATABASES ON *.* TO 'apono_connector'@'%';

  4. Grant CREATE USER (together with UPDATE on mysql.* and PROCESS) to apono_connector on all databases:

GRANT CREATE USER ON *.* TO 'apono_connector'@'%';
GRANT UPDATE ON mysql.* TO 'apono_connector'@'%';
GRANT PROCESS ON *.* TO 'apono_connector'@'%';

  5. Grant apono_connector ONE of the following permission sets (READ_ONLY, READ_WRITE or ADMIN). The set you choose is the highest permission level Apono will be able to provision:

READ_ONLY

GRANT SELECT ON *.* TO 'apono_connector'@'%';
GRANT GRANT OPTION ON *.* TO 'apono_connector'@'%';

READ_WRITE

GRANT SELECT,ALTER,ALTER ROUTINE,CREATE,CREATE ROUTINE,CREATE TEMPORARY TABLES,CREATE VIEW,DELETE,INDEX,INSERT,TRIGGER,UPDATE ON *.* TO 'apono_connector'@'%';
GRANT GRANT OPTION ON *.* TO 'apono_connector'@'%';

ADMIN

GRANT EXECUTE,DROP,SELECT,ALTER,ALTER ROUTINE,CREATE,CREATE ROUTINE,CREATE TEMPORARY TABLES,CREATE VIEW,DELETE,INDEX,INSERT,TRIGGER,UPDATE ON *.* TO 'apono_connector'@'%';
GRANT GRANT OPTION ON *.* TO 'apono_connector'@'%';

Required for MySQL 8.0 and above

GRANT ROLE_ADMIN ON *.* TO 'apono_connector'@'%';
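As an added example that is not part of the Apono guide, the Python script below parses the rows returned by SHOW GRANTS FOR 'apono_connector'@'%' and diffs them against the privilege sets listed above for the tier you chose, so you can confirm the connector account has exactly those privileges and flag drift such as SUPER, FILE, ALL PRIVILEGES or extra rights on mysql.*. The SHOW GRANTS lines it runs on are constructed samples; the tier names, privilege sets and the mysql.* UPDATE grant are taken from the steps above.

```python
import re

# Global privileges the guide above grants to apono_connector in every setup
BASE = {"SHOW DATABASES", "CREATE USER", "PROCESS", "GRANT OPTION"}
# Privileges added by the tier chosen in the last step; ADMIN extends READ_WRITE
TIERS = {"READ_ONLY": {"SELECT"},
         "READ_WRITE": {"SELECT", "ALTER", "ALTER ROUTINE", "CREATE", "CREATE ROUTINE",
                        "CREATE TEMPORARY TABLES", "CREATE VIEW", "DELETE", "INDEX",
                        "INSERT", "TRIGGER", "UPDATE"}}
TIERS["ADMIN"] = TIERS["READ_WRITE"] | {"EXECUTE", "DROP"}
MYSQL8_DYNAMIC = {"ROLE_ADMIN"}  # granted only on MySQL 8.0 and above
GRANT_RE = re.compile(r"^GRANT (.+?) ON (\S+) TO ", re.IGNORECASE)

def parse_show_grants(lines):
    """Map each scope ('*.*', 'mysql.*', ...) to the set of privileges granted on it."""
    grants = {}
    for line in (s.strip() for s in lines):
        m = GRANT_RE.match(line)
        if not m:  # role grants and anything unrecognised are skipped
            continue
        privs, scope = m.groups()
        privset = {p.strip().upper() for p in privs.split(",")}
        if line.upper().endswith("WITH GRANT OPTION"):  # printed as a suffix, not a privilege
            privset.add("GRANT OPTION")
        grants.setdefault(scope.replace("`", ""), set()).update(privset)
    return grants

def audit(grants, tier, mysql8=True):
    """Diff the account's grants against what the guide prescribes for the chosen tier."""
    expected = BASE | TIERS[tier] | (MYSQL8_DYNAMIC if mysql8 else set())
    actual = grants.get("*.*", set()) - {"USAGE"}  # USAGE is a no-op placeholder
    if "ALL PRIVILEGES" in actual:  # a blanket grant makes the tier meaningless
        return {"missing": [], "excess": ["ALL PRIVILEGES"], "mysql_db_excess": []}
    return {"missing": sorted(expected - actual),
            "excess": sorted(actual - expected),
            # the guide grants only UPDATE on mysql.*; anything beyond that is a finding
            "mysql_db_excess": sorted(grants.get("mysql.*", set()) - {"UPDATE"})}

# Constructed SHOW GRANTS output for an account set up at the READ_ONLY tier on MySQL 8
SAMPLE_READ_ONLY = [
    "GRANT SELECT, PROCESS, SHOW DATABASES, CREATE USER ON *.* TO `apono_connector`@`%` WITH GRANT OPTION",
    "GRANT ROLE_ADMIN ON *.* TO `apono_connector`@`%`",
    "GRANT UPDATE ON `mysql`.* TO `apono_connector`@`%`",
]
# Constructed output for a drifted account: SUPER and FILE added, CREATE USER and ROLE_ADMIN gone
SAMPLE_DRIFTED = [
    "GRANT SELECT, FILE, PROCESS, SUPER, SHOW DATABASES ON *.* TO `apono_connector`@`%` WITH GRANT OPTION",
    "GRANT DELETE, UPDATE ON `mysql`.* TO `apono_connector`@`%`",
]
```

Calling audit(parse_show_grants(SAMPLE_READ_ONLY), "READ_ONLY") returns empty lists for all three keys, while the drifted sample reports FILE and SUPER as excess, CREATE USER and ROLE_ADMIN as missing, and DELETE as an unexpected mysql.* privilege.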

How to integrate MySQL

📘 Is your MySQL running on a cloud service?

If you are trying to connect to an RDS MySQL or a CloudSQL MySQL you should use the specific cloud service integration.

  1. Pick a connector with network access to the MySQL databases (see prerequisites)

  2. Specify the integrations details:

    • Integration name – type the name of the integration. When building an Access Flow you will reference this name.

    • Hostname – specify the hostname of the MySQL instance you are connecting to

    • Port – 3306

  3. Provide the secret (see prerequisites)

  4. Click "Connect"

Congratulations on connecting your MySQL. You can now create access flows that grant permissions to your MySQL databases.

Have multiple MySQLs? Use the API

You can check out the Apono API reference to set up multiple integrations programmatically.
