MySQL
Integrate with Apono to view existing permissions and create Access Flows to MySQL databases.
Overview
- Reduce Over Privileges - Discover existing privileges to MySQL databases and convert them to on-demand access flows to reduce over-privileges.
- Self Service Access - Empower your developers to gain self-servable access to databases using Slack.
- Automated Approval Workflows - Create approval workflows to specific sensitive databases.
- Restricted Third Party Access - Grant third-party (customer or vendor) time-based access to specific databases with MFA verification.
- Review Access - View a detailed access audit of who was granted access to which databases with what permission level and why.
How to integrate MySQL
Is your MySQL running on a cloud service?
If you are trying to connect to an RDS MySQL or a CloudSQL MySQL you should use the specific cloud service integration.
- Click on Integrations Catalog.
- Under Data Sources, look for MySQL and click Connect

- Specify the integration details:
- Integration name – type the name of the integration. When building an Access Flow you will reference this name
- Select the Connector – specify the Connector name with access to this MySQL
- Hostname – specify the hostname of the MySQL you are connecting
AWS - Identify the secret
If you chose a Connector installed on an AWS account you will need to enter a Secret ID from within your AWS Secrets Manager
- Region – Choose the region where the secret resides
- Secret ID – Choose the secret ID that is used to access this MySQL with admin privileges. If you don't have one you can create one
- Click Connect
GCP - Identify the secret
If you chose a Connector installed on a GCP account you will need to enter a Secret ID from within your GCP Secret Manager
- Project - the project ID
- Secret ID - Choose the Secret ID that is used to access this MySQL with admin privileges. If you don't have one you can create one using this GCP guide.
Look for the Secret ID in your Secret Manager (via Google console)
- Click Connect
Creating a user for Apono
- Create a user for the Connector in the instance, choosing a secure password
CREATE USER 'apono_connector'@'%' IDENTIFIED BY 'password';
- Using aws-cli, store the credentials in AWS Secrets Manager; make sure to replace #SECRET_NAME, #REGION, #USERNAME, #PASSWORD
aws secretsmanager create-secret --name "#SECRET_NAME" --tags '[{"Key":"apono-connector-read","Value":"true"}]' --region #REGION --secret-string '{
"username":"'"apono_connector"'",
"password":"'"#PASSWORD"'"
}'
- Expose databases to apono_connector
GRANT SHOW DATABASES ON *.* TO 'apono_connector'@'%';
- Grant CREATE USER to apono_connector in all the databases
GRANT CREATE USER ON *.* TO 'apono_connector'@'%';
GRANT UPDATE ON mysql.* TO 'apono_connector'@'%';
- Select and grant apono_connector ONE of the following READ_ONLY, READ_WRITE, ADMIN permissions; this will function as the highest permission level you would like to provision with Apono
-- Required for MySQL >8.0
GRANT ROLE_ADMIN ON *.* TO 'apono_connector'@'%';
READ_ONLY
GRANT SELECT ON *.* TO 'apono_connector'@'%';
GRANT GRANT OPTION ON *.* TO 'apono_connector'@'%';
READ_WRITE
GRANT SELECT,ALTER,ALTER ROUTINE,CREATE,CREATE ROUTINE,CREATE TEMPORARY TABLES,CREATE VIEW,DELETE,INDEX,INSERT,TRIGGER,UPDATE ON *.* TO 'apono_connector'@'%';
GRANT GRANT OPTION ON *.* TO 'apono_connector'@'%';
ADMIN
GRANT EXECUTE,DROP,SELECT,ALTER,ALTER ROUTINE,CREATE,CREATE ROUTINE,CREATE TEMPORARY TABLES,CREATE VIEW,DELETE,INDEX,INSERT,TRIGGER,UPDATE ON *.* TO 'apono_connector'@'%';
GRANT GRANT OPTION ON *.* TO 'apono_connector'@'%';
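To confirm the connector account holds exactly the tier chosen above and nothing more, the following added example (not Apono's code) compares the rows returned by SHOW GRANTS FOR 'apono_connector'@'%' with the privilege lists on this page. The function names and the SAMPLE rows are constructed for illustration; ROLE_ADMIN is treated as optional because the page requires it only on MySQL >8.0.

```python
import re

# Privilege sets copied from the GRANT statements on this page.
BASE = {"SHOW DATABASES", "CREATE USER", "GRANT OPTION"}
READ_ONLY = {"SELECT"}
READ_WRITE = READ_ONLY | {"ALTER", "ALTER ROUTINE", "CREATE", "CREATE ROUTINE",
                          "CREATE TEMPORARY TABLES", "CREATE VIEW", "DELETE",
                          "INDEX", "INSERT", "TRIGGER", "UPDATE"}
ADMIN = READ_WRITE | {"EXECUTE", "DROP"}
TIERS = {"READ_ONLY": READ_ONLY, "READ_WRITE": READ_WRITE, "ADMIN": ADMIN}

# Constructed SHOW GRANTS rows (not from a real server): READ_ONLY plus a stray FILE.
SAMPLE = [
    "GRANT SELECT, FILE, SHOW DATABASES, CREATE USER ON *.* TO `apono_connector`@`%` WITH GRANT OPTION",
    "GRANT ROLE_ADMIN ON *.* TO `apono_connector`@`%`",
    "GRANT UPDATE ON `mysql`.* TO `apono_connector`@`%`",
]

GRANT_RE = re.compile(r"^GRANT (?P<privs>.+?) ON (?P<scope>.+?) TO (?P<rest>.+)$", re.I)

def parse_grants(lines):
    """Map scope ('*.*', 'mysql.*', ...) to the set of privileges granted on it."""
    grants = {}
    for line in lines:
        m = GRANT_RE.match(line.strip().rstrip(";"))
        if not m:
            continue  # role-membership rows have no ON clause
        scope = m["scope"].replace("`", "")
        privs = {p.strip().upper() for p in m["privs"].split(",")} - {"USAGE"}
        if m["rest"].upper().endswith("WITH GRANT OPTION"):
            privs.add("GRANT OPTION")
        grants.setdefault(scope, set()).update(privs)
    return grants

def audit(lines, tier):
    """Return (missing, excess) relative to the page's grants for the given tier."""
    grants = parse_grants(lines)
    glob = grants.get("*.*", set())
    expected = BASE | TIERS[tier]
    missing = expected - glob
    # UPDATE on mysql.* is also satisfied by a global UPDATE (READ_WRITE, ADMIN).
    if "UPDATE" not in glob and "UPDATE" not in grants.get("mysql.*", set()):
        missing.add("UPDATE ON mysql.*")
    excess = {f"{p} ON *.*" for p in glob - expected - {"ROLE_ADMIN"}}
    for scope, privs in grants.items():
        if scope != "*.*":
            allowed = {"UPDATE"} if scope == "mysql.*" else set()
            excess |= {f"{p} ON {scope}" for p in privs - allowed}
    return missing, excess
```

For the constructed rows, audit(SAMPLE, "READ_ONLY") reports nothing missing and FILE ON *.* as excess.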
Have multiple MySQLs? Use the API
You can check out the Apono API reference to easily set up multiple integrations.