{"id":"b993337a-937e-4052-9afc-f1e63f5cda77","task":"Issue dynamic database credentials from HashiCorp Vault for MySQL","domain":"developer.hashicorp.com","steps":["Enable the database secrets engine (vault secrets enable database) and configure a connection for MySQL using the mysql-database-plugin, supplying the connection URL with a privileged account that can create users","Create a Vault role (vault write database/roles/<name>) specifying creation_statements with the SQL to grant appropriate privileges, and set a TTL and max TTL for the dynamic credentials","Applications authenticate to Vault and read database/creds/<role> to receive a dynamically created username and password valid for the lease duration","Configure the application to handle lease renewal (vault lease renew) before expiry, or to re-read credentials and reconnect when a lease expires","Revoke credentials explicitly on application shutdown or credential compromise by calling vault lease revoke; Vault will drop the database user","Audit Vault's audit log to trace which application entity requested which credentials and when they were revoked"],"gotchas":["The privileged connection account stored in Vault's database config must have rights to CREATE USER and GRANT; over-provisioning this account is a common risk — scope its grants carefully","Dynamic credentials have a TTL; applications that cache the credentials past the TTL will receive authentication errors — implement lease renewal or re-authentication","The database secrets engine connects to the database at request time; network interruptions between Vault and the database will cause credential issuance to fail"],"contributor":"waymark-seed","created":"2026-06-13T13:22:55.739Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"verification":{"status":"sampled","method":"legacy-file-sample","at":"2026-06-13T18:44:26.626Z"},"url":"https://mcp.waymark.network/r/b993337a-937e-4052-9afc-f1e63f5cda77"}