# MySQL

### Overview

The Veza MySQL integration provides visibility into database security posture by discovering local users, roles, resources, and permissions within a MySQL instance. This integration enables security teams and database administrators to:

* Map and monitor access across databases, tables, triggers and routines
* Analyze role-based access control (RBAC) including privilege inheritance
* Identify users and roles with elevated privileges
* Track permission delegation through grant options
* Monitor administrative capabilities and sensitive operations

For managed MySQL instances, see [RDS MySQL](/4yItIzMvkpAvMVFAamTf/integrations/integrations/aws/rds-mysql.md) documentation.

### Configuring MySQL

Veza requires a MySQL user with read-only permissions to discover resources and permissions. Connect to your database and execute the following commands to create a Veza user and grant the privileges needed for discovery. Replace `[veza_user]` with the name of the actual database user you want to create:

```sql
CREATE USER '[veza_user]'@'%' IDENTIFIED BY '[your-strong-password]';

GRANT REFERENCES ON *.* TO [veza_user];
GRANT SELECT ON mysql.user TO [veza_user];
GRANT SELECT ON mysql.db TO [veza_user];
GRANT SELECT ON mysql.tables_priv TO [veza_user];
GRANT SELECT ON mysql.columns_priv TO [veza_user];
GRANT SELECT ON mysql.global_grants TO [veza_user];
GRANT SELECT ON mysql.procs_priv TO [veza_user];
GRANT SELECT ON mysql.proxies_priv TO [veza_user];

-- Only if MySQL version is up to 5.7
GRANT SELECT ON mysql.proc TO [veza_user];

-- Only if MySQL version is 8+
GRANT SELECT ON mysql.role_edges TO [veza_user];
GRANT SHOW_ROUTINE ON *.* TO [veza_user];

-- If including triggers
GRANT TRIGGER ON *.* TO [veza_user];
```

### Configuring MySQL on the Veza Platform

1. Before configuring the integration, you must have:
   * Network connectivity from Veza to your MySQL server via:
     * A deployed [Insight Point](/4yItIzMvkpAvMVFAamTf/integrations/connectivity/insight-point.md) in your network (recommended for production)
     * Direct connection using Veza's internal Insight Point (suitable for testing)
2. On the Veza **Integrations** page, select **Add Integration** and locate the MySQL tile. Configure the integration with the following fields:
   * **Insight Point**: Choose whether to use the default data plane or a deployed Insight Point.
   * **Name**: A friendly name to identify the unique integration.
   * **Host**: The hostname or IP address of the MySQL server.
   * **Port**: The port number on which the MySQL server is listening (default is usually 3306).
   * **Username**: The username to authenticate with the MySQL server.
   * **Password**: The password associated with the provided username.
3. Click *Create Integration* to save the configuration.

#### Using AWS Secrets Manager (Optional)

Instead of storing credentials in Veza, you can use AWS Secrets Manager for standalone MySQL databases (also supported for PostgreSQL, Oracle, SQL Server, MongoDB, and Cassandra):

1. **Create the integration with empty username/password fields.** When creating the integration in the Veza UI, leave the **Username** and **Password** fields empty. Do not enter any values in these fields.
2. **Configure secrets mapping via API** with IAM role parameters (`aws_assume_role_name` and `aws_assume_role_external_id`).

For complete setup instructions, see [AWS Secrets Manager for Database Extraction](/4yItIzMvkpAvMVFAamTf/integrations/integrations/aws/secrets-manager-for-databases.md).

### Enabling Lifecycle Management

To support lifecycle management capabilities, the MySQL user needs these additional write permissions:

```sql
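-- Lifecycle Management permissions

-- CREATE USER is the MySQL privilege that authorizes the CREATE USER,
-- ALTER USER, and DROP USER statements; MySQL has no separate
-- DROP USER or ALTER USER privilege to grant.
GRANT CREATE USER ON *.* TO [veza_user];

-- Lets the account grant the privileges it holds to other accounts.
GRANT GRANT OPTION ON *.* TO [veza_user];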
```
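
To confirm that the discovery account holds only what the GRANT statements on this page give it, the rows returned by `SHOW GRANTS FOR` can be compared against that list. The Python below is an added example, not Veza code: the `veza_user` account, the `app_admin` role and the sample rows are constructed, and it assumes the lifecycle grants show up in `SHOW GRANTS` as `CREATE USER` and `WITH GRANT OPTION` on `*.*`.

```python
import re

# Expected (privilege, object) pairs, copied from the GRANT statements on this page.
# USAGE is the "no privileges" placeholder that SHOW GRANTS prints for every account.
BASELINE = {(p, "*.*") for p in ("USAGE", "REFERENCES", "TRIGGER", "SHOW_ROUTINE")} | {
    ("SELECT", "mysql." + t) for t in (
        "user", "db", "tables_priv", "columns_priv", "global_grants",
        "procs_priv", "proxies_priv", "proc", "role_edges")}
LIFECYCLE = {("CREATE USER", "*.*"), ("GRANT OPTION", "*.*")}

GRANT_RE = re.compile(
    r"^GRANT (?P<privs>.+?) ON (?:(?:PROCEDURE|FUNCTION|TABLE) )?(?P<obj>\S+)"
    r" TO \S+(?P<opt> WITH GRANT OPTION)?$")

def parse_grant(line):
    """Turn one SHOW GRANTS row into a set of (privilege, object) pairs."""
    line = line.strip().rstrip(";").replace("`", "")
    if not line.startswith("GRANT "):
        return set()
    m = GRANT_RE.match(line)
    if not m:
        # Role membership rows have no ON clause: GRANT role@host TO user@host
        return {("ROLE MEMBERSHIP", line[6:].rsplit(" TO ", 1)[0])}
    # Split on commas, except those inside a column list such as SELECT (a, b).
    privs = re.split(r",\s*(?![^()]*\))", m["privs"])
    pairs = {(re.sub(r"\s*\(.*\)$", "", p.strip()).upper(), m["obj"]) for p in privs}
    if m["opt"]:
        pairs.add(("GRANT OPTION", m["obj"]))
    return pairs

def audit_grants(lines, lifecycle=False):
    """Return every held privilege that is outside the documented set."""
    allowed = BASELINE | (LIFECYCLE if lifecycle else set())
    held = set().union(*(parse_grant(l) for l in lines))
    return sorted(held - allowed)

# Constructed SHOW GRANTS output for a hypothetical 'veza_user'@'%' account.
SAMPLE = [
    "GRANT REFERENCES, TRIGGER, CREATE USER ON *.* TO `veza_user`@`%` WITH GRANT OPTION",
    "GRANT SHOW_ROUTINE ON *.* TO `veza_user`@`%`",
    "GRANT SELECT ON `mysql`.`user` TO `veza_user`@`%`",
    "GRANT SELECT, UPDATE ON `mysql`.`db` TO `veza_user`@`%`",
    "GRANT `app_admin`@`%` TO `veza_user`@`%`",
]

if __name__ == "__main__":
    for priv, obj in audit_grants(SAMPLE):
        print(f"unexpected: {priv} on {obj}")
```

Pass `lifecycle=True` for an account that has lifecycle management enabled. Role membership is always reported, because privileges inherited through a role are not listed in the account's own grant rows.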

### Supported Entities

Veza discovers the following MySQL entities:

* MySQL Instance
* MySQL Database
* MySQL Local User
* MySQL Local User Instance
* MySQL Role
* MySQL Role Instance
* MySQL Routine (Function/Procedure)
* MySQL Table
* MySQL Trigger

#### MySQL Local User Instance attributes

| Attribute               | Description                                                                                                                                                                                |
| ----------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| `authentication_plugin` | The authentication plugin used for this user. Common values: `mysql_native_password`, `caching_sha2_password`, `sha256_password`, `AWSAuthenticationPlugin` (RDS IAM auth), `auth_socket`. |

