Static Role for MySQL Database - Cannot Specify User Hostname

I am attempting to create a Static Role for a MySQL connection with a self hosted Vault.

Currently the process of registering a static role is limiting a user to always have the wildcard (%) hostname for any user that is connected to a static role.

I have attempted to create a Static Role on the cli:

ex:

vault write /database/static-roles/testing \
     db_name=test_db \
     username="vault-admin-tes-role@localhost" \
     rotation_period=100

As well as on the Vault UI with the ‘static’ role selection dropdown option.

I receive this error:
1 error occurred: * error setting credentials: failed to change password: Error 1396: Operation ALTER USER failed for 'vault_admin_tes_role@localhost'@'%'

Where the vault is unable to target the correct user and host.

Am I only able to create a static role for a user with % wildcard host?

How can I create a role for a user with distinct hosts?

When creating your static role, it looks like you’re not setting the rotation_statements parameter.

If not set, the default statement is: ALTER USER '{{username}}'@'%' IDENTIFIED BY '{{password}}';
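
An added illustration of the reply above (not code from the thread or from Vault): it fills the placeholders of the default statement and of a host-pinned one to show what SQL each expands to. The helper names, the sample password, and the plain text substitution model are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the thread. It models placeholder substitution in a
# rotation statement as plain text replacement (an assumption that matches the
# error quoted above) to show why the default statement targets '...'@'%'.

DEFAULT_STMT="ALTER USER '{{username}}'@'%' IDENTIFIED BY '{{password}}';"

# fill TEMPLATE PLACEHOLDER VALUE: replace the first PLACEHOLDER with VALUE.
fill() {
  case $1 in
    *"$2"*) printf '%s%s%s' "${1%%"$2"*}" "$3" "${1#*"$2"}" ;;
    *)      printf '%s' "$1" ;;
  esac
}

# render_stmt TEMPLATE USERNAME PASSWORD: the SQL the template expands to.
render_stmt() {
  stmt=$(fill "$1" '{{username}}' "$2")
  fill "$stmt" '{{password}}' "$3"
}

# rotation_stmt_for HOST: a rotation statement pinned to one MySQL host.
# The host lands inside a quoted SQL literal, so anything outside a
# conservative character set is refused instead of being escaped.
rotation_stmt_for() {
  case $1 in
    ''|*[!A-Za-z0-9._%-]*) echo "refusing host: $1" >&2; return 1 ;;
  esac
  printf "ALTER USER '{{username}}'@'%s' IDENTIFIED BY '{{password}}';" "$1"
}

# Constructed sample values; the password is a stand-in for a generated one.
echo "default: $(render_stmt "$DEFAULT_STMT" 'vault-admin-tes-role@localhost' 'example-pw')"
pinned=$(rotation_stmt_for localhost)
echo "pinned:  $(render_stmt "$pinned" 'vault-admin-tes-role' 'example-pw')"

# The role definition that carries the pinned statement (printed, not executed).
# Assumption: username holds only the name part; the host lives in the statement.
printf 'vault write database/static-roles/testing db_name=test_db username=%s rotation_statements="%s" rotation_period=100\n' \
  'vault-admin-tes-role' "$pinned"
```

The "default" line reproduces the account shape seen in the Error 1396 message; the "pinned" line addresses the user at localhost only.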

That makes sense. It worked on the CLI when I specified an explicit rotation statement with the {{username}}@‘host’.

Only problem now is that the ‘Rotation Statement’ input field is disappearing on the Vault UI.

Before I input the ‘Connection Name’ the ‘Rotation Statement’ is present in the UI.


After I input the ‘Connection Name’, the ‘Rotation Statement’ gets hidden in the UI. Could there be something I am doing wrong, or is this a bug?

See here – the ‘Rotation Statement’ input is visible before I insert the ‘Connection Name’

If I had to guess, it may be a bug.

I see in one of your screenshots that you’re on version 1.14. I tried this using 1.17 and do not have this error.

If upgrading is an option, you may want to try that.


Thank you! Will attempt an upgrade.

Just successfully upgraded to latest – 1.18.5
However, I am still facing the same problem where the vault UI has the ‘Rotation Statement’ input hidden.

GitHub issue created: "Vault UI static role creation has 'Rotation Statement' hidden on connection name input" (Issue #29783, hashicorp/vault)

Admittedly, I tested this with a Vault deployment I already had running, which was using the oracle plugin, instead of trying to match your setup. Sorry about that.

I tried running with version 1.18.5 using the mysql plugin, and I am seeing the same issue.

Possibly relevant, but I saw on the mysql plugin documentation, it does not list rotation_statements as being supported.

However, to be thorough I also tested with the postgres plugin, which does list rotation_statements in its supported parameters and I get the same behavior on the UI, so I bet it is a bug.

Oh I see that makes sense why you were able to see it. It’s strange because I am able to make a static_role using the CLI and the API explorer with rotation statements and the MySQL db plugin. I am leaning towards this being a UI bug.

Thanks for the help!