Tunnel between localhost and target host can be used to access MySQL with any user

Hello,

I use Boundary and Vault to allow clients to access a MySQL database with the help of Boundary Desktop. This MySQL database and the boundary-worker are in the same subnet, 192.168.50.0/24.

When clients press ‘Connect’, they are provided with temporary credentials and Proxy URL (TCP). Suppose that a client has been provided with the following access details:

  • username: ‘v-token-read-XXXXXXXXXXXXXX’
  • password: 1234567
  • Proxy URL (TCP): 127.0.0.1:1234567

Now imagine that this client knows that there’s another user in MySQL, for example, 'prod_applications_user_with_write_permissions'@'192.168.50.%' and has the needed password.

The problem is that the client can access MySQL using either of the two users:

    mysql -h 127.0.0.1 -P 1234567 -u v-token-read-XXXXXXXXXXXXXX -p

and

    mysql -h 127.0.0.1 -P 1234567 -u prod_applications_user_with_write_permissions -p

How can I ensure that this client can access the DB only with the ‘v-token-read-XXXXXXXXXXXXXX’ username and not with ‘prod_applications_user_with_write_permissions’?

Thanks in advance for your suggestions.

That’s exactly what credential injection with HCP Boundary accomplishes – the user will never see credentials or be prompted for them, nor will they be able to read them out of the traffic between the client and worker. They’ll just have an authenticated session to begin using.

Currently as a first step, we do credential injection for static SSH private keys only, but the Boundary team is actively discussing future injection features.
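
An added example, not part of the original thread and not Boundary or Vault code: MySQL selects an account by user name plus the address the connection arrives from, and a session through the tunnel arrives from the worker's address inside 192.168.50.0/24. The sketch below models that host matching to show which accounts are usable from the worker before and after each account is pinned to a single host; the worker and application addresses and the '%' host on the Vault-issued account are assumptions.

```python
import re


def host_matches(pattern: str, client_host: str) -> bool:
    """Model MySQL account host matching: '%' is any run of characters,
    '_' is any single character, everything else is literal."""
    regex = "".join(
        ".*" if ch == "%" else "." if ch == "_" else re.escape(ch)
        for ch in pattern
    )
    return re.fullmatch(regex, client_host, flags=re.IGNORECASE) is not None


def accounts_usable_from(accounts, source_ip):
    """Return the accounts whose host part admits a connection from source_ip."""
    return [
        f"'{user}'@'{host}'"
        for user, host in accounts
        if host_matches(host, source_ip)
    ]


# Constructed addresses (assumptions): both sit in the subnet from the post.
WORKER_IP = "192.168.50.10"  # boundary-worker, source of every tunnelled session
APP_IP = "192.168.50.20"     # host the production application connects from

# Accounts as described in the post. The '%' host on the Vault-issued account
# is an assumption; the post does not show its host part.
ACCOUNTS_AS_POSTED = [
    ("v-token-read-XXXXXXXXXXXXXX", "%"),
    ("prod_applications_user_with_write_permissions", "192.168.50.%"),
]

# Same accounts with each host part pinned to the one machine that needs it.
ACCOUNTS_PINNED = [
    ("v-token-read-XXXXXXXXXXXXXX", WORKER_IP),
    ("prod_applications_user_with_write_permissions", APP_IP),
]

if __name__ == "__main__":
    for label, accounts in (("as posted", ACCOUNTS_AS_POSTED),
                            ("pinned", ACCOUNTS_PINNED)):
        print(label, "-> usable through the tunnel:",
              accounts_usable_from(accounts, WORKER_IP))
```

With the host parts as posted, both accounts admit a connection sourced from the worker, so whoever holds the second password can use it through the tunnel; with the pinned host parts, only the Vault-issued account does.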