Enable the database secrets engine (vault secrets enable database) and configure a connection for MySQL using the mysql-database-plugin. Write the connection_url with {{username}} and {{password}} placeholders and pass the privileged account's username and password as separate parameters, so the password is never stored inside the URL; that account must be able to create and drop users and grant privileges. List every role that may use the connection in allowed_roles, otherwise credential reads for that role are refused
Create a Vault role (vault write database/roles/<name>) bound to the connection through db_name, with creation_statements holding the CREATE USER and GRANT SQL that expresses the least privilege the application needs (Vault substitutes {{name}} and {{password}} when it runs them), plus default_ttl and max_ttl for the dynamic credentials. revocation_statements are optional; for MySQL the default drops the user
Applications authenticate to Vault with their own identity (an auth method and policy per service, not a shared token) and read database/creds/<role>. Every read creates a fresh MySQL user and returns its username and password together with a lease_id and lease_duration; the credentials are valid until the lease expires
Configure the application to renew the lease (vault lease renew <lease_id>) before it expires. Renewal only extends a lease up to the role's max_ttl; once that is reached Vault shortens or refuses the renewal, so the application must read database/creds/<role> again and reconnect with the new user rather than keep retrying
Revoke credentials explicitly on application shutdown or suspected compromise with vault lease revoke <lease_id>; Vault runs the role's revocation statements and drops the database user at once instead of waiting for the TTL. vault lease revoke -prefix database/creds/<role> revokes every outstanding lease for a role, the fastest way to cut off a compromised application. Note that MySQL does not close sessions that are already open for a dropped user, so kill those sessions too if the compromise is active
Enable an audit device (vault audit enable) and use its log to trace which entity requested which credentials and when they were renewed or revoked. The request path, entity and lease_id are recorded in clear; the credential values themselves are HMAC'd, so the log shows who obtained a credential without disclosing it
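The whole procedure in one place, as an added example that is not code from the page or from HashiCorp. It drives Vault's HTTP API (the same endpoints the CLI commands above hit) through a small client whose transport can be swapped for a fake, so the read, renew, re-read and revoke logic can be exercised without a live Vault or MySQL. The mount name database, connection name mysql, role name app, schema app, the admin account name and the RENEW_AT/min_ttl renewal policy are assumptions, not values from the page.

```python
"""Vault dynamic MySQL credentials end to end: engine and role setup (steps 1-2),
then the application-side lease lifecycle (steps 3-5). Added example, not code
from the page or from HashiCorp; it calls Vault's HTTP API with an injectable
transport so a fake Vault can drive it offline. Assumed names: mount "database",
connection "mysql", role "app", schema "app"."""
import json
import time
import urllib.error
import urllib.request

class VaultError(Exception):
    pass

def http_transport(method, url, token, body):
    # One JSON request to Vault; returns (status, payload) even for HTTP errors.
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "X-Vault-Token": token, "Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else {})
    except urllib.error.HTTPError as e:
        return e.code, json.loads(e.read() or b"{}")

class VaultClient:
    def __init__(self, addr, token, transport=http_transport):
        self.addr, self.token, self.transport = addr.rstrip("/"), token, transport

    def call(self, method, path, body=None):
        status, payload = self.transport(method, f"{self.addr}/v1/{path}", self.token, body)
        if status >= 400:
            raise VaultError(f"{method} {path} -> {status}: {payload.get('errors')}")
        return payload

def configure_mysql_role(vault, mysql_host, admin_user, admin_password):
    """Steps 1-2, then rotate the admin password so it exists only inside Vault. That
    account needs CREATE USER, DROP USER and GRANT OPTION on the schema; nothing wider."""
    vault.call("POST", "sys/mounts/database", {"type": "database"})
    vault.call("POST", "database/config/mysql", {
        "plugin_name": "mysql-database-plugin",
        "allowed_roles": "app",
        # admin credentials are templated into the URL, never written into it literally
        "connection_url": f"{{{{username}}}}:{{{{password}}}}@tcp({mysql_host}:3306)/",
        "username": admin_user, "password": admin_password})
    vault.call("POST", "database/roles/app", {
        "db_name": "mysql",
        "creation_statements": [
            "CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}';",
            "GRANT SELECT, INSERT, UPDATE ON app.* TO '{{name}}'@'%';"],
        "default_ttl": "1h", "max_ttl": "24h"})
    vault.call("POST", "database/rotate-root/mysql")

class DynamicDbCreds:
    """One lease: renewed before expiry, re-read once Vault will not extend it further."""
    RENEW_AT = 1 / 3  # renew once a third of the lease remains (assumed policy)

    def __init__(self, vault, role="app", mount="database", min_ttl=60, clock=time.time):
        self.vault, self.path, self.clock = vault, f"{mount}/creds/{role}", clock
        self.min_ttl = min_ttl  # a renewal granting less than this is not worth keeping
        self.lease_id = self.username = self.password = None
        self.lease_duration, self.expires_at, self.renewable = 0, 0.0, False

    def _track(self, r):
        self.lease_duration, self.renewable = r["lease_duration"], bool(r.get("renewable"))
        self.expires_at = self.clock() + self.lease_duration

    def acquire(self):
        """Step 3: read database/creds/<role>; returns the fresh (username, password)."""
        r = self.vault.call("GET", self.path)
        self.lease_id = r["lease_id"]
        self._track(r)
        self.username, self.password = r["data"]["username"], r["data"]["password"]
        return self.username, self.password

    def ensure_valid(self, increment=3600):
        """Step 4: call before each unit of work; True means reconnect with new creds."""
        if self.lease_id is not None:
            if self.expires_at - self.clock() > self.lease_duration * self.RENEW_AT:
                return False
            if self.renewable:
                try:
                    r = self.vault.call("PUT", "sys/leases/renew",
                                        {"lease_id": self.lease_id, "increment": increment})
                    # Vault caps the grant at the role's max_ttl, so it shrinks as the
                    # cap approaches; treat a tiny grant like a refused one.
                    if r["lease_duration"] >= self.min_ttl:
                        self._track(r)
                        return False
                except VaultError:
                    pass  # lease expired or unknown to Vault: fall through to a new one
        self.acquire()  # the old lease is left to expire; connections on it may be open
        return True

    def release(self):
        """Step 5: revoke on shutdown so Vault drops the MySQL user at once."""
        if self.lease_id is not None:
            self.vault.call("PUT", "sys/leases/revoke", {"lease_id": self.lease_id})
            self.lease_id = self.username = self.password = None
```

In production the application calls ensure_valid() before each unit of work (or from a timer) and rebuilds its connection pool whenever it returns True; the old lease is deliberately not revoked at that point because connections opened on it may still be in flight, and it expires on its own shortly afterwards. The injectable clock and transport exist so the renewal thresholds and the max_ttl fall-back can be tested deterministically.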
Known gotchas
The privileged connection account stored in Vault's database config must be able to CREATE USER, DROP USER and GRANT whatever the role's creation statements hand out (GRANT OPTION on the target schema). Over-provisioning it (SUPER, ALL PRIVILEGES, or GRANT OPTION on *.*) is a common mistake: scope its grants to what the roles actually need, and once the connection is configured rotate its password with vault write -f database/rotate-root/<name> so the bootstrap secret is known only to Vault
Dynamic credentials have a TTL; an application that caches them past the lease, or keeps renewing after max_ttl has been reached, will start getting MySQL authentication errors on new connections. Implement lease renewal plus a read-again-and-reconnect path for the max_ttl case, and pick a default_ttl long enough that the renewal loop has slack
Vault runs the role's SQL against MySQL both when it issues credentials and when it revokes them. If the network between Vault and the database is down, reads of database/creds/<role> fail outright and lease revocations fail and are retried by Vault's expiration manager; applications should keep using unexpired credentials they already hold rather than crash, and Vault-to-database connectivity deserves its own alert