From MySQL 8.0.21 onwards, START GROUP_REPLICATION includes new options which allow a user to specify credentials to be used for distributed recovery. You can now pass credentials when invoking START GROUP_REPLICATION instead of setting them when configuring the group_replication_recovery channel.

• USER: User name. Cannot be set to an empty or null string or left unset if PASSWORD is used.
• PASSWORD: Password.
• DEFAULT_AUTH: Name of the authentication plugin; default is MySQL native authentication.

When credentials are passed as parameters to START GROUP_REPLICATION command, credentials are not persisted.
Therefore, when group replication stops or the server is restarted, credentials are removed from memory.
These credentials are used for authenticating against donor servers during the different phases of the distributed recovery.
They are used during the initial state transfer (cloning) phase, if one is deemed needed, and they are used during the catch up phase.

Credentials passed on the START GROUP_REPLICATION statement take precedence over credentials that are persisted in the group_replication_recovery channel configuration.
In other words, if credentials are passed on the start statement those are the ones used, otherwise the system falls back to checking the credentials stored in the channel configuration, as it does before 8.0.21.

When group replication is stopped using STOP GROUP_REPLICATION command or the server is restarted, stored credentials are removed from memory.

These parameters are limited to START GROUP_REPLICATION command and hence cannot be used along with group_replication_start_on_boot option.

Examples:

Conclusion

As of MySQL 8.0.21 Group Replication now allows distributed recovery credentials to be passed as command parameters.