diff --git a/changelog/30136.txt b/changelog/30136.txt
new file mode 100644
index 0000000000..befe9091cc
--- /dev/null
+++ b/changelog/30136.txt
@@ -0,0 +1,3 @@
+```release-note:improvement
+storage/mysql: Added support for getting mysql backend username and password from the environment variables `VAULT_MYSQL_USERNAME` and `VAULT_MYSQL_PASSWORD`.
+```
\ No newline at end of file
diff --git a/physical/mysql/mysql.go b/physical/mysql/mysql.go
index 6361ae97b5..984a2c5e8e 100644
--- a/physical/mysql/mysql.go
+++ b/physical/mysql/mysql.go
@@ -13,6 +13,7 @@ import (
 "io/ioutil"
 "math"
 "net/url"
+ "os"
 "sort"
 "strconv"
 "strings"
@@ -268,13 +269,22 @@ func NewMySQLClient(conf map[string]string, logger log.Logger) (*sql.DB, error)
 var err error
 
 // Get the MySQL credentials to perform read/write operations.
- username, ok := conf["username"]
- if !ok || username == "" {
- return nil, fmt.Errorf("missing username")
+ username := os.Getenv("VAULT_MYSQL_USERNAME")
+ if username == "" {
+ confUsername, ok := conf["username"]
+ if !ok || confUsername == "" {
+ return nil, fmt.Errorf("missing username")
+ }
+ username = confUsername
 }
- password, ok := conf["password"]
- if !ok || password == "" {
- return nil, fmt.Errorf("missing password")
+
+ password := os.Getenv("VAULT_MYSQL_PASSWORD")
+ if password == "" {
+ confPassword, ok := conf["password"]
+ if !ok || confPassword == "" {
+ return nil, fmt.Errorf("missing password")
+ }
+ password = confPassword
 }
 
 // Get or set MySQL server address. Defaults to localhost and default port(3306)
diff --git a/website/content/docs/configuration/storage/mysql.mdx b/website/content/docs/configuration/storage/mysql.mdx
index 2e08cb1e07..7434e4601a 100644
--- a/website/content/docs/configuration/storage/mysql.mdx
+++ b/website/content/docs/configuration/storage/mysql.mdx
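Review bot: The `missing username` and `missing password` errors returned on the added lines of the NewMySQLClient hunk no longer tell the operator that the credential may also come from `VAULT_MYSQL_USERNAME` / `VAULT_MYSQL_PASSWORD`, and nothing in the code states that a non-empty environment variable silently takes precedence over a `username`/`password` set in the storage stanza. The two added blocks are the same logic twice, differing only in the env and config key names; a small helper removes the duplication and the redundant `ok` check (indexing a missing map key already yields `""`). NewMySQLClient begins before this hunk; its doc comment should record the precedence, e.g. `// Credentials are taken from VAULT_MYSQL_USERNAME/VAULT_MYSQL_PASSWORD when set and non-empty, otherwise from the "username"/"password" config keys.`
```go
// credentialFromEnvOrConf returns the value of the environment variable envKey
// when it is set and non-empty, otherwise conf[confKey]. An empty result means
// the credential was supplied by neither source.
func credentialFromEnvOrConf(conf map[string]string, envKey, confKey string) string {
	if v := os.Getenv(envKey); v != "" {
		return v
	}
	return conf[confKey]
}

	// … unchanged: start of NewMySQLClient, var err error …
	// Get the MySQL credentials to perform read/write operations.
	username := credentialFromEnvOrConf(conf, "VAULT_MYSQL_USERNAME", "username")
	if username == "" {
		return nil, fmt.Errorf("missing username: set \"username\" in the storage stanza or the VAULT_MYSQL_USERNAME environment variable")
	}
	password := credentialFromEnvOrConf(conf, "VAULT_MYSQL_PASSWORD", "password")
	if password == "" {
		return nil, fmt.Errorf("missing password: set \"password\" in the storage stanza or the VAULT_MYSQL_PASSWORD environment variable")
	}
	// … unchanged: server address, TLS and connection setup …
```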
@@ -43,7 +43,7 @@ storage "mysql" { - `tls_ca_file` `(string: "")` – Specifies the path to the CA certificate to connect using TLS. -- `plaintext_credentials_transmission` `(string: "")` - Provides authorization +- `plaintext_connection_allowed` `(string: "")` - Provides authorization to send credentials over plaintext. Failure to provide a value AND a failure to provide a TLS CA certificate will warn that the credentials are being sent over plain text. In the future, failure to do acknowledge or use TLS will @@ -64,10 +64,10 @@ storage "mysql" { Additionally, Vault requires the following authentication information. - `username` `(string: )` – Specifies the MySQL username to connect to - the database. + the database. This value can also be set using the `VAULT_MYSQL_USERNAME` environment variable. - `password` `(string: )` – Specifies the MySQL password to connect to - the database. + the database. This value can also be set using the `VAULT_MYSQL_PASSWORD` environment variable. ### High availability parameters