MySQL

Integrate with Apono to view existing permissions and create Access Flows to MySQL databases.

Overview

  • Reduce Over Privileges - Discover existing privileges to MySQL databases and convert them to on-demand access flows to reduce over-privileges.
    • Self Service Access - Empower your developers to gain self-servable access to databases using Slack.
    • Automated Approval Workflows - Create approval workflows to specific sensitive databases.
    • Restricted Third Party Access - Grant third-party (customer or vendor) time-based access to specific databases with MFA verification.
    • Review Access - View a detailed access audit of who was granted access to which databases with what permission level and why.

How to integrate MySQL

📘

Is your MySQL running on a cloud service?

If you are trying to connect to an RDS MySQL or a CloudSQL MySQL you should use the specific cloud service integration.

  1. Click on Integrations Catalog.
  2. Under Data Sources, look for MySQL and click Connect
1784
  1. Specify the integrations details:
  • Integration name – type the name of the integration
    When building an Access Flow you will reference this name
  • Select the Connector – specify the Connector name with access to this MySQL
  • Hostname – specify the hostname of the MySQL you are connecting

AWS - Identify the secret
If you chose a Connector installed on an AWS account you will need to enter a Secret ID from within your AWS Secrets Manager

  • Region – Choose the region where the secret resides
  • Secret ID – Choose the secret ID that is used to access this MySQL with admin privileges. If you don't have one you can create one
  • Click Connect

GCP - Identify the secret
If you chose a Connector installed on an GCP account you will need to enter a Secret ID from within your GCP Secrets Manager

  • Project - the project ID
  • Secret ID - Choose the Secret ID that is used to access this MySQL with admin privileges. If you don't have one you can create one using this GCP guide.
    Look for the Secret ID in your Secret Manager (via Google console)
  • Click Connect

Creating a user for Apono

  1. Create user for Connector in the instance, type in some secure password
CREATE USER 'apono_connector'@'%' IDENTIFIED BY 'password';
  1. Using aws-cli, store in AWS Secret Manager, make sure to replace #SECRET_NAME,#REGION,#USERNAME, #PASSWORD
aws secretsmanager create-secret --name "#SECRET_NAME" --tags '[{"Key":"apono-connector-read","Value":"true"}]' --region #REGION --secret-string '{
    "username":"'"apono_connector"'",
    "password":"'"#PASSWORD"'"
}'
  1. Expose databases to apono_connector
GRANT SHOW DATABASES ON *.* TO 'apono_connector'@'%';
  1. Grant CREATE USER to apono_connector in all the databases
GRANT CREATE USER ON *.* TO 'apono_connector'@'%';
GRANT UPDATE ON mysql.* TO 'apono_connector'@'%';
  1. Select and grant apono_connector ONE of the following READ_ONLY, READ_WRITE, ADMIN permissions, this will function as the highest permission level you would like to provision with Apono

// Required for MySQL >8.0

GRANT ROLE_ADMIN on *.* to apono_connector;

READ_ONLY

GRANT SELECT ON *.* TO 'apono_connector'@'%';
GRANT GRANT OPTION ON *.* TO 'apono_connector'@'%';

READ_WRITE

GRANT SELECT,ALTER,ALTER ROUTINE,CREATE,CREATE ROUTINE,CREATE TEMPORARY TABLES,CREATE VIEW,DELETE,INDEX,INSERT,TRIGGER,UPDATE ON *.* TO 'apono_connector'@'%';
GRANT GRANT OPTION ON *.* TO 'apono_connector'@'%';

ADMIN

GRANT EXECUTE,DROP,SELECT,ALTER,ALTER ROUTINE,CREATE,CREATE ROUTINE,CREATE TEMPORARY TABLES,CREATE VIEW,DELETE,INDEX,INSERT,TRIGGER,UPDATE ON *.* TO 'apono_connector'@'%';
GRANT GRANT OPTION ON *.* TO 'apono_connector'@'%';

📘

Have multiple MySQLs? Use the API

You can check out the Apono API reference to easily integrate multiple integrations.