component_keyring_aws
is an extension
included in MySQL Enterprise Edition, a commercial product. To learn more about
commercial products, see https://www.mysql.com/products/.
The AWS Keyring component is intended to replace the AWS Keyring plugin, which is now deprecated. See Migration from AWS keyring plugin.
The component_keyring_aws
keyring component
stores keyring data in an encrypted, password-protected file
local to the server host.
component_keyring_aws
supports the functions
that comprise the standard MySQL Keyring service interface.
Keyring operations performed by those functions are accessible
in SQL statements as described in
Section 8.4.4.13, “General-Purpose Keyring Key-Management Functions”.
Example:
SELECT keyring_key_generate('MyKey', 'AES', 32);
SELECT keyring_key_remove('MyKey');
For information about the characteristics of key values
permitted by component_keyring_aws
, see
Section 8.4.4.11, “Supported Keyring Key Types and Lengths”.
To use component_keyring_aws
for keystore
management, you must:
Write a manifest that tells the server to load
component_keyring_aws
, as described in Section 8.4.4.2, “Keyring Component Installation”.For
component_keyring_aws
, the contents of the manifest file are shown here:{ "components": "file://component_aws_keyring" }
Write a configuration file for
component_keyring_aws
, as described in AWS Keyring Component Configuration.
The AWS keyring component supports two authentication modes,
simple and native, as determined by the value of the
aws_authentication.mode
parameter specified
in component_keyring_aws.cnf
. This
parameter is required. Configuration of the component for
supporting each of these modes can be found in
Simple authentication mode,
and
Native authentication mode,
respectively.
When it initializes, component_keyring_aws
read a component configuration file
~/.aws/component_keyring_aws.cnf
(Linux
and MacOS) or
%USERPROFILE%.aws\component_keyring_aws.cnf
(Windows). You can override this by setting the
AWS_CONFIG_FILE
environment variable.
In some cases, additional information can be read from an AWS configuration file, a credentials file, or both. These files are described later in this section.
If component_keyring_aws
cannot find the
configuration file, an error results, and the component cannot
initialize.
The component_keyring_aws.cnf
component
configuration file must be in valid JSON format. Configuration
items supported in this file are shown in the following table:
Table 8.31 component_keyring_aws.cnf Configuration Items
Parameter | Parent | Description | Valid | Required | Default | Permitted values |
---|---|---|---|---|---|---|
cmk_id | — | Customer Master Key (CMK) identifier obtained from AWS KMS server | — | Yes | — | — |
data_file | — | Location of component JSON storage file | — | Yes | — | — |
cache_keys | — | true : Keys cached in memory in plaintext;
false : Keys decrypted when accessed | — | No | false | true , false |
mode | aws_authentication | AWS authentication mode | — | Yes | — | native , simple |
profile | aws_authentication | Name of AWS profile used by AWS native authentication | When aws_authentication.mode is
native | No | default | — |
region | aws_authentication | AWS region | When aws_authentication.mode is
simple | Yes, when aws_authentication.mode is
simple | — | — |
access_key_id | aws_authentication | AWS acccess key identifier | When aws_authentication.mode is
simple | Yes, when
| — | — |
access_key_secret | aws_authentication | AWS acccess key secret | When aws_authentication.mode is
simple | Yes, when
| — | — |
connect_timeout_ms | aws_connection | Socket connection timeout | No | 1000 | — | |
host | aws_connection.proxy | Proxy host | — | No | — | — |
port | aws_connection.proxy | Proxy port | — | No | — | — |
user | aws_connection.proxy | Proxy user name | — | No | — | — |
password | aws_connection.proxy | Proxy user password | — | No | — | — |
read_only | — | When true , no operations which modify the keyring are
allowed | — | No | false | true , false |
Component configuration file parameters that are not valid are
ignored. For example,
aws_authentication.access_key_id
and
aws_authentication.access_key_secret
have
no effect when the aws_authentication.mode
is native
.
The database administrator has the responsibility for creating any configuration files to be used, and for ensuring that their contents are correct. If an error occurs, server startup fails; the administrator must correct any issues indicated by diagnostic messages in the server error log.
Any configuration file that stores a password should have a restrictive mode and be accessible only to the account used to run the MySQL server.
Given the preceding configuration file items, to configure
component_keyring_aws
, create a component
configuration file named
component_keyring_aws.cnf
in the
directory indicated previously.
A read/write keyring data file using JSON format, whose
location is determined by the data_file
configuration item, is also required; the following
instructions assume that such a file exists at
/usr/local/mysql/keyring.json
. An example
of its content is shown here:
{
"version":"1.0","elements":
[
{
"user":"mary@%",
"data_id":"key0",
"data_type":"AES",
"data":"0102010078865A35D86559D92C3124146819057E927382E061F6EA7613DF2B9B
E72FB0E62C01A1CF92B96934CB08D42D231CF6828A420000006E306C06092A864886F70D010706A0
5F305D020100305806092A864886F70D010701301E060960864801650304012E3011040C19F809F2
7900EACEF99DE2B4020110802BEDA406610AF033504B601C5EC937EFB9F38BB631F68856FF7FA81E
637FCC400BA35900929E99E628E1B3E7",
"extension":[]
},
{
"user":"mary@%",
"data_id":"key1",
"data_type":"AES",
"data":"0102010078865A35D86559D92C3124146819057E927382E061F6EA7613DF2B9B
E72FB0E62C017CAA36B2F756892C3AFCAA074A13E655000001043082010006092A864886F70D0107
06A081F23081EF0201003081E906092A864 886F70D010701301E060960864801650304012E30110
40CCDECB095F68DE68BC331A0730201108081BB52EF64775CCE3DD47ADD8C274A297EB1A6E988085
C0036D0AAE64DE50BB7D5AC020A12BF70",
"extension":[]
},
{
"user":"john@%",
"data_id":"key2",
"data_type":"AES",
"data":"0102010078865A35D86559D92C3124146819057E927382E061F6EA7613DF2B9B
E72FB0E62C01BB9CC22B82E3DB50C76FD855DE0CB305000001043082010006092A864886F70D0107
06A081F23081EF0201003081E906092A864886F70D010701301E060960864801650304012E301104
0C778A6EDBA93A1FF27D82F5340201108081BB809B9599C191BF0DF1F7721DB2915F7A02A5928981
BF9264D9B76BE41046C3B5AF60006F4A",
"extension":[]
}
]
}
Each of the data
values just shown
consists of a single line; the values have been wrapped here
to fit within the confines of the viewing space.
Keyring operations are transactional:
component_keyring_aws
uses a backup file
during write operations to ensure that it can roll back to the
original file if an operation fails. The backup file has the
same name as the data file with the added suffix
.backup
.
component_keyring_aws
configuration files
may not be placed anywhere within the MySQL server data
directory.
You must also choose a password.
This mode provides ease of use when more advanced AWS
mechanisms are not needed. (This also simplifies upgrading
from the legacy AWS keyring plugin to the component; see
Migration from AWS keyring plugin.)
The config
and
credentials
files are not used in this
case; the configuration is read from the global
component_keyring_aws.cnf
only. To enable
simple authentication mode, set
aws_authentication.mode
to
simple
in this file.
In simple mode, the component uses the access key ID and
secret obtained from AWS, which are also set in
component_keyring_aws.cnf
, as the values
of the aws_authentication.access_key_id
and
aws_authentication.access_key_secret
configuration items. In addition, you must specify a region
using aws_authentication.region
.
The contents of a sample
component_keyring_aws.cnf
that meets the
requirements for enabling simple authentication mode are shown
here:
{
"cmk_id": "arn:aws:kms:us-east-1:79566666666:key/d0111111-1111-1111-1111-999999999abd",
"data_file": "/usr/local/mysql/keyring.json",
"cache_keys": "true",
"aws_authentication":
{
"mode": "simple",
"region": "us-east-1",
"access_key_id": "wwwwwwwwwwwwwEXAMPLE",
"access_key_secret": "xxxxxxxxxxxxx/yyyyyyy/zzzzzzzzEXAMPLEKEY"
}
}
When aws_authentication.mode
is
native
, the AWS keyring component uses the
standard AWS authentication configuration mechanism (see
AWS
SDKs and Tools: Configuration) and the AWS profile
specified in the component configuration file. The source for
AWS credentials in this case is the AWS default credentials
provider chain (see
AWS
SDKs and Tools: Standardized credential providers).
Enabling AWS native authentication mode with the AWS Keyring component are more complex, but includes the following advantages:
Conformance with standard AWS client behavior
Support for authentication configuration methods other than storing long-term secrets in the same file as other configuration items.
Possible to leverage the role connected to an AWS container or compute node, thus improving security.
More flexible configuration, since a wider range of parameters—such as timeouts, proxying, and use of a CA—is available then with the alternative mode.
To enable AWS native authentication,
aws_authentication.mode
must be set to
native
in the
component_keyring_aws.cnf
file, as shown
here:
{
"cmk_id": "arn:aws:kms:us-east-1:79566666666:key/d0111111-1111-1111-1111-999999999abd",
"data_file": "/usr/local/mysql/keyring.json",
"cache_keys": true,
"aws_authentication":
{
"mode": "native"
}
}
Configuration of the component for AWS native authentication is based on a chain of credentials providers. Each provider uses a different source for credentials; possible sources include files, environment variables, and external services. Credential providers are called in the order specified by the default providers chain described in the next few paragraphs.
Default credentials provider chain. A credentials provider chain consists of one or more credential providers. Each such provider provides credentials taken from a different source. Providers are called until credentials are provided and collected for further use. The default chain consists of the credential providers listed here together with the credentials each of them provides:
EnvironmentAWSCredentialsProvider
: AWS access keys taken from environment variables (see AWS SDKs and Tools: AWS access keys for details). This is convenient in development or other short-term environments, but not recommended for production.ProfileConfigFileAWSCredentialsProvider
: AWS access keys taken from a credentials file *default section (see AWS SDKs and Tools: AWS access keys). This is recommended for MySQL server running outside of AWS.ProcessCredentialsProvider
: AWS access keys taken from the output of an external command specified by thecredential_process
AWS configuration parameter. The output of this command must be inJSON
format (see AWS SDKs and Tools: Process credential provider).STSAssumeRoleWebIdentityCredentialsProvider
: A set of temporary security credentials for a specific role (see AWS SDKs and Tools: Assume role credential provider).SSOCredentialsProvider
: Credentials from the AWS IAM Identity Center (see AWS SDKs and Tools: IAM Identity Center credential provider).TaskRoleCredentialsProvider
: Credentials for use within an AWS ECS container (see AWS SDKs and Tools: Amazon ECS task role). This is recommended when the MySQL server runs within an AWS ECS container.InstanceProfileCredentialsProvider
: Credentials loaded from the Amazon EC2 Instance Metadata Service (IMDS) (see AWS SDKs and Tools: IMDS credential provider). This is recommended when the MySQL server runs in an AWS EC2 node.
To use AWS native authentication,
aws_authentication.mode
must be set to
native
in the
component_keyring_aws.cnf
file, as shown
here:
{
"cmk_id": "arn:aws:kms:us-east-1:79566666666:key/d0111111-1111-1111-1111-999999999abd",
"data_file": "/usr/local/mysql/keyring.json",
"cache_keys": true,
"aws_authentication":
{
"mode": "native"
}
}
The AWS configuration file (config
) uses
INI format similar to that employed in the MySQL Server
my.cnf
file. You can specify a section of
this file to be read by setting
aws_authentication.profile
. For example,
setting aws_authentication.profile
to
mysql
causes the component to read the
[mysql]
section of
config
, as shown here:
{
"cmk_id": "arn:aws:kms:us-east-1:79566666666:key/d0111111-1111-1111-1111-999999999abd",
"data_file": "/usr/local/mysql/keyring.json",
"cache_keys": true,
"aws_authentication":
{
"mode": "native",
"profile": "mysql"
}
}
If aws_authentication.profile
is not
specified, the component tries to read the
config
file section labelled
[default]
.
The AWS keyring component also supports an AWS
credentials
file to act as a source of
credentials for the provider
ProfileConfigFileAWSCredentialsProvider
as
described later in this section's discussion of native
authentication mode. This file's location is determined
in the same way as that of the
component_keyring_aws.cnf
and
config
files. To override the default for
the credentials
file
(%USERPROFILE%\.aws\credentials
for
Windows, ~/.aws/credentials for Linux or
MacOS
), set the
AWS_SHARED_CREDENTIALS_FILE
environment
variable to the desired location.
To migrate from the AWS keyring plugin to the AWS keyring component, it is necessary to perform the following steps:
Create an equivalent configuration for the component:
Write a local or global manifest file
mysqld.my
(see Section 8.4.4.2, “Keyring Component Installation”). The content of the file must match what is shown here:{ "components": "file://component_keyring_aws" }
Write a component configuration file
component_keyring_aws.cnf
as described in Section 8.4.4.4, “Using the component_keyring_file File-Based Keyring Component” (in the example forcomponent_keyring_file
). See also the instructions given for configuration simple configuration section. In particular, the value of thecmk_id
configuration item used by the component must be set to the that of thekeyring_aws_cmk_id
used by the plugin; similarly, theaws_region
item's value must be set to the value ofkeyring_aws_region
. For example:{ "cmk_id": "arn:aws:kms:us-east-1:79566666666:key/d0111111-1111-1111-1111-999999999abd", "data_file": "/usr/local/mysql/keyring.json", "cache_keys": true, "aws_authentication": { "mode":"simple", "region": "us-east-1", "access_key_id": "wwwwwwwwwwwwwEXAMPLE", "access_key_secret": "xxxxxxxxxxxxx/yyyyyyy/zzzzzzzzEXAMPLEKEY" } }
Values of the access key ID and secret just shown must be copied from the
keyring_aws
configuration file used by the AWS keyring plugin (see Section 8.4.4.7, “Using the keyring_aws Amazon Web Services Keyring Plugin”).
Perform key migration as described in Section 8.4.4.12, “Migrating Keys Between Keyring Keystores”.
Uninstall the plugin.