# MySQL Secret Engine

{% hint style="info" %}
This feature is part of the Enterprise plan. If it is not enabled for your organization, please contact StrongDM at the [StrongDM Help Center](https://help.strongdm.com/hc/en-us).
{% endhint %}

StrongDM Vault has a secret engine for MySQL. This secret engine can be used to manage and rotate credentials within MySQL itself as well as in a backing secret store. The copies kept in the secret store can then be used for user connections through StrongDM to resources that use those credentials; because they are rotated in tandem with the ones in MySQL, the two copies stay in sync.

The MySQL connection is set up with either the StrongDM Admin UI or the StrongDM CLI, and the process generally involves providing MySQL configuration information to allow StrongDM nodes to connect to your MySQL server and perform secrets updates within MySQL. Once the connection is established, the secrets are rotated on MySQL at the same time as they are rotated and stored in a backing secret store.

If you do not already have a secret store (StrongDM Vault or a supported cloud secret store provider) configured with StrongDM, do that first by following one of the guides in the [Secret Stores](https://docs.strongdm.com/admin/access/secret-stores) section.

## Prerequisites

For StrongDM, the following requirements must be met:

* You must be a StrongDM account administrator.
* At least one StrongDM node (gateway or proxy cluster) must be authorized to reach the secret engine and/or vault, both for the API operations involved and for the network traffic those operations require. The node(s) should be at version 51.73.0 or higher.
* At least one secret store (either StrongDM Vault or one of the supported cloud providers) must be configured.

For MySQL, the following requirements must be met:

* The user must have the privilege to change passwords for users.
* Authorization details must be provided during configuration.
* Relevant MySQL traffic ports should be open.
* The MySQL user used to set up the engine must have the `CREATE USER` privilege.

## Create a Secret Engine

To add a new secret engine in the Admin UI, follow these steps.

1. In the Admin UI, go to **Settings** > **Secrets Management**.
2. Select the **Secret Engines** tab and click **Add secret engine**.
3. On the dialog that displays, select **MySQL**. Then set the following properties and click **Save**.

{% hint style="info" %}
Configuring password rotation or complexity settings here provides the defaults for secrets created and managed by this secret engine. If you create an individual secret with this engine but change these settings on that secret, the secret's own settings are followed. For example, if you do not provide any default rotation settings for the engine, secrets it creates will, by default, have none of these settings configured. If you configure a rotation time of one hour for one particular secret, that secret is rotated hourly, regardless of the secret engine configuration.
{% endhint %}

### Secret engine properties

These properties are required, other than **Node Selector** and **Tags**.

| Property                   | Requirement | Description                                                                                                                                                                                                                                                                    |
| -------------------------- | ----------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| **Name**                   | Required    | Descriptive name that clearly indicates what the engine is for                                                                                                                                                                                                                 |
| **Secret Store**           | Required    | Secret store where the secrets you wish to manage are located                                                                                                                                                                                                                  |
| **Secret Store Root Path** | Required    | Path to the secret store where the secrets are located, for example, `/secret/data/ad`                                                                                                                                                                                         |
| **Node Selector**          | Optional    | Tag that you intend to attach to node(s) (gateways, relays, proxy clusters) that you wish to be used to contact your secret store; if a value is provided, only nodes with this exact tag will be used to interact with this secret engine; if blank, any healthy node is used |
| **Select or add tags**     | Optional    | Tags for organizing and interacting with secret engines                                                                                                                                                                                                                        |

### MySQL properties

The **Hostname**, **Port**, **Database**, and **Username** are required, with the rest of the properties being optional.

| Property                          | Requirement | Description                                                                       |
| --------------------------------- | ----------- | --------------------------------------------------------------------------------- |
| **Hostname**                      | Required    | Hostname of the MySQL server                                                      |
| **Port**                          | Required    | MySQL port                                                                        |
| **Database**                      | Required    | Specific database to connect to                                                   |
| **Username**                      | Required    | Username for a MySQL account that has permission to manage MySQL user credentials |
| **Password**                      | Optional    | Password for the MySQL account                                                    |
| **Credential rotation interval**  | Optional    | Interval for automatic secret rotation, in days, hours, and minutes               |
| **Timeout after credential read** | Optional    | Timeout after credential read in days, hours, and minutes                         |

### Password generation properties

These properties are optional criteria and constraints on password generation for the rotation of passwords.

| Property                     | Requirement | Description                                                                     |
| ---------------------------- | ----------- | ------------------------------------------------------------------------------- |
| **Length**                   | Optional    | Length of passwords that are generated; defaults to 32                          |
| **Number of Digits**         | Optional    | Number of digits contained in passwords that are generated; defaults to 6       |
| **Number of symbols**        | Optional    | Number of symbols contained in passwords that are generated; defaults to 0      |
| **Excluded characters**      | Optional    | Characters that are excluded from passwords that are generated; defaults to `\` |
| **Exclude uppercase**        | Optional    | Exclude uppercase letters from passwords that are generated                     |
| **Allow repeated passwords** | Optional    | Allow repeated passwords when generating new passwords                          |
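As an added illustration (not StrongDM's own generator), the following Python models the properties in this table with their stated defaults, generates a password that satisfies them with a CSPRNG, and checks a candidate against them. The symbol set and the `history` handling for **Allow repeated passwords** are assumptions, since the page does not define them.

```python
import secrets
import string
from dataclasses import dataclass

# Constructed symbol set; the page does not define which characters count as symbols.
SYMBOLS = "!#$%&*+-=?@^_~"

@dataclass
class PasswordPolicy:
    """The page's password generation properties, with the page's defaults."""
    length: int = 32
    num_digits: int = 6
    num_symbols: int = 0
    excluded: str = "\\"          # 'Excluded characters' default
    exclude_uppercase: bool = False
    allow_repeats: bool = False   # 'Allow repeated passwords'

def generate(policy, history=(), attempts=1000):
    """Generate one password satisfying the policy; 'history' holds prior passwords (assumed)."""
    pool = lambda chars: [c for c in chars if c not in policy.excluded]
    upper = "" if policy.exclude_uppercase else string.ascii_uppercase
    letters, digits, symbols = pool(string.ascii_lowercase + upper), pool(string.digits), pool(SYMBOLS)
    n_letters = policy.length - policy.num_digits - policy.num_symbols
    if n_letters < 0 or (n_letters and not letters) or (policy.num_digits and not digits) \
            or (policy.num_symbols and not symbols):
        raise ValueError("policy cannot be satisfied with the remaining character pools")
    for _ in range(attempts):
        chars = [secrets.choice(letters) for _ in range(n_letters)]
        chars += [secrets.choice(digits) for _ in range(policy.num_digits)]
        chars += [secrets.choice(symbols) for _ in range(policy.num_symbols)]
        for i in range(len(chars) - 1, 0, -1):  # Fisher-Yates shuffle with the CSPRNG
            j = secrets.randbelow(i + 1)
            chars[i], chars[j] = chars[j], chars[i]
        password = "".join(chars)
        if policy.allow_repeats or password not in history:
            return password
    raise RuntimeError("every attempt produced a password already in history")

def check(policy, password):
    """Return the names of violated properties; an empty list means the password complies."""
    rules = [
        ("length", len(password) != policy.length),
        ("digits", sum(c.isdigit() for c in password) != policy.num_digits),
        ("symbols", sum(c in SYMBOLS for c in password) != policy.num_symbols),
        ("excluded", any(c in policy.excluded for c in password)),
        ("uppercase", policy.exclude_uppercase and any(c.isupper() for c in password)),
    ]
    return [name for name, violated in rules if violated]
```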

### Advanced settings

These properties are advanced settings regarding the encryption of the connection to MySQL and other advanced details.

| Property | Requirement |
| -------- | ----------- |
| **TLS**  | Optional    |

The **Secret Engines** tab now displays the secret engine that you just added.

## Manage Secrets

### Create a managed secret

Next, create a secret using the secret engine. This allows the secret engine to begin rotating the password for the selected username and to begin storing it in your secret store, so that StrongDM can use it for proxying connections to the resource.

1. Go to the Admin UI under **Settings** > **Secrets Management**. Then select the **Secrets** tab and select **Add Secret**.
2. Fill in a **Name** and **Description** for the secret.

   It may be reasonable to correlate this name with the username or with the resource name that you intend to use this credential to access, if it is going to be used for leased credential access to the database. If it is being used for a specific identity using [Identity Aliases](https://docs.strongdm.com/admin/principals/identity-alias), it could be named after the specific identity it is mapped to.

3. For **Select secret engine**, select the engine you just created.
4. Fill in the rest of the form, including resource-specific fields and any rotation or password complexity settings for this secret that should differ from the defaults of this secret engine, and select **Save**.

### Configure a resource to use this secret

Lastly, configure a resource to use this secret for authentication.

Fill in the resource configuration as you normally would, but for **Secret Store**, select the secret store, and for the user credential fields, enter `/<SECRET_ENGINE_PATH>/<SECRET_PATH>?key=<SECRET_KEY>`, filling in `<SECRET_ENGINE_PATH>` from your secret engine configuration, `<SECRET_PATH>` from your managed secret configuration, and `<SECRET_KEY>` with the name of the relevant key within this managed secret.

Now you should be able to grant access to this resource to a user, either through a role (if you have not done so already) or through just-in-time access with workflows, and attempt to access it.

## Further Reading

* For more about managing secrets, see the main [StrongDM Vault](https://docs.strongdm.com/admin/secrets) section.
* For instructions on entitling users to access particular secrets, see the [Entitle Secrets via Policy](https://docs.strongdm.com/admin/secrets/policy-secrets-management) section.
* For details on managing secret engines with the CLI, see [Secrets Management via CLI](https://docs.strongdm.com/admin/secrets/secrets-management-cli).
