You can customize access credentials and privileges for VMware Tanzu SQL with MySQL for VMs service instances.
You can customize database credentials by creating service keys with custom properties. For example, you can create read-only access credentials to activate desktop tools to connect to your databases.
The following procedures use the Cloud Foundry Command Line Interface (cf CLI). You can also use Apps Manager to do the same tasks using a graphical user interface. For information on Apps Manager, see Getting Started with Apps Manager.
Create read-only access credentials
Tanzu SQL for VMs enables space developers to create read-only credentials to give to users who need read-only access to the database. These users can audit and monitor the database without mutating or changing any data.
Any user that can create a service key can provision a fully privileged service key.
To create and find read-only credentials for an existing service instance:
-
Create a new read-only service key for a service instance by running:
cf create-service-key SERVICE-INSTANCE-NAME KEY-NAME -c '{ "read-only": true }'For example:
$ cf create-service-key mydb mykey1 -c '{ "read-only": true }' Creating service key mykey1 for service instance mydb as admin... OK -
Retrieve the read-only credentials from the service key by running:
cf service-key SERVICE-INSTANCE-NAME KEY-NAMEFor example:
$ cf service-key mydb mykey1 { "hostname": "a7113e41-7254-4f5a-a0cf-a88b052c8b10.mysql.service.internal", "jdbcUrl": "jdbc:mysql://a7113e41-7254-4f5a-a0cf-a88b052c8b10.mysql.service.internal:3306/service_instance_db?user=973eb219bd554dfc9794bc29a301bcb1\u0026password=zr3aqa847tzm6cls\u0026sslMode=VERIFY_IDENTITY\u0026useSSL=true\u0026requireSSL=true\u0026serverSslCert=/etc/ssl/certs/ca-certificates.crt", "name": "service_instance_db", "password": "zr3aqa847tzm6cls", "port": 3306, "tls": { "cert": { "ca": "-----BEGIN CERTIFICATE-----\nMIIDDzCCAfegAwIBAgIUW0tF3p3wubz+0GMH/850aVUIPnUwDQYJKoZIhvcNAQEL\nBQAwFzEVMBMGA1UEAxMMVG9vbHNtaXRoc0NBMB4XDTIwMDkyMTA2MjcxMFoXDTIx\nMDkyMTA2MjcxMFowFzEVMBMGA1UEAxMMVG9vbHNtaXRoc0NBMIIBIjANBgkqhkiG\n9w0BAQEFAAOCAQ8AMIIBCgKCAQEAv5lmGmSCIkV2w1axS/vGk7GjQHnTtjhme4cO\nvT1Nbv6oWqt0Tlm+2gzGb8W7A6SsIEN33ltq4LTWEFK8t0htphDe1xkAf1Eq7jWM\nnS9aFnXyEuqw5fzWAjQMMqd3JvvZ2Z85o9NaHdi+XOlQAv9UHlWkjaSAvFoRyaC7\npI0GNF8/QpvHORdPxpyGey/LtE8FxSKb8EL1y430LT7N/PxmVmFnySItlMbBiXcA\nTkosY+9IswMwrVyYBwN65UoC7sKomjrloVNHhErm5pZv1hlEvEK116wiNY//9Wav\nAmUneQ4LpjMPYXDGhHL04mMc2ySsrFW0lI8zcYzbEQBUQN5ovwIDAQABo1MwUTAd\nBgNVHQ4EFgQUyCp0znZlP1d+vQ9U4tpzs1g/hrAwHwYDVR0jBBgwFoAUyCp0znZl\nP1d+vQ9U4tpzs1g/hrAwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOC\nAQEAfh26fULdpurmRdE9KKcRGVY56fFk2SbxITTIoHULtQY5pzau9KVOKGl2+czM\n875QC1YviBoonQZE8LSA1A1gaj9s+XT5/fCGRagU/ODZX/sBDJMQJjaN+/QFRhom\nXKHZ+1nCPJqSiGGDJOANtZT1Xlfz+cKreuDfPysAA+s5row17CUIcYcC0WTNgVE9\nGdkjzF9ZDakLHekkQ9F2nMmEhwRTwxwneqJzcTFqDgWiIZpzkF6Ck90Ay43mpc7N\nU/osEYJlW10NJy8+wq11yZ50T3Z8EFkkbzo9QipnfW1byY+JstVeR0uLmUzNmkyy\nNBUf8fcYBdCLr2lDvOiUGhRw6w==\n-----END CERTIFICATE-----\n\n" } }, "uri": "mysql://973eb219bd554dfc9794bc29a301bcb1:zr3aqa847tzm6cls@a7113e41-7254-4f5a-a0cf-a88b052c8b10.mysql.service.internal:3306/service_instance_db?reconnect=true", "username": "973eb219bd554dfc9794bc29a301bcb1" }Caution
In cf CLI v8, the response includes a top-level
credentialskey. Earlier versions of the cf CLI do not include a top-levelcredentialskey.
Create custom username credentials
Tanzu SQL for VMs enables space developers to create custom usernames for service keys and service bindings. You can create these credentials for users that want to access the database with a specific username.
Any user that can create a service key can provision a fully privileged service key.
To create and find custom username credentials for an existing service instance:
-
Create a new service key and username for a service-instance by running:
cf create-service-key SERVICE-INSTANCE-NAME KEY-NAME -c '{ "username": "NEW-USERNAME" }'For example:
$ cf create-service-key mydb mykey2 -c '{ "username": "myuser" }' Creating service key mykey2 for service instance mydb as admin... OK -
Retrieve the credentials from the service key by running:
cf service-key SERVICE-INSTANCE-NAME KEY-NAMEFor example:
$ cf service-key mydb mykey2
{ "hostname": "a7113e41-7254-4f5a-a0cf-a88b052c8b10.mysql.service.internal", "jdbcUrl": "jdbc:mysql://a7113e41-7254-4f5a-a0cf-a88b052c8b10.mysql.service.internal:3306/service_instance_db?user=myuser\u0026password=bdjq5o19ax4suzmg\u0026sslMode=VERIFY_IDENTITY\u0026useSSL=true\u0026requireSSL=true\u0026serverSslCert=/etc/ssl/certs/ca-certificates.crt", "name": "service_instance_db", "password": "bdjq5o19ax4suzmg", "port": 3306, "tls": { "cert": { "ca": "-----BEGIN CERTIFICATE-----\nMIIDDzCCAfegAwIBAgIUW0tF3p3wubz+0GMH/850aVUIPnUwDQYJKoZIhvcNAQEL\nBQAwFzEVMBMGA1UEAxMMVG9vbHNtaXRoc0NBMB4XDTIwMDkyMTA2MjcxMFoXDTIx\nMDkyMTA2MjcxMFowFzEVMBMGA1UEAxMMVG9vbHNtaXRoc0NBMIIBIjANBgkqhkiG\n9w0BAQEFAAOCAQ8AMIIBCgKCAQEAv5lmGmSCIkV2w1axS/vGk7GjQHnTtjhme4cO\nvT1Nbv6oWqt0Tlm+2gzGb8W7A6SsIEN33ltq4LTWEFK8t0htphDe1xkAf1Eq7jWM\nnS9aFnXyEuqw5fzWAjQMMqd3JvvZ2Z85o9NaHdi+XOlQAv9UHlWkjaSAvFoRyaC7\npI0GNF8/QpvHORdPxpyGey/LtE8FxSKb8EL1y430LT7N/PxmVmFnySItlMbBiXcA\nTkosY+9IswMwrVyYBwN65UoC7sKomjrloVNHhErm5pZv1hlEvEK116wiNY//9Wav\nAmUneQ4LpjMPYXDGhHL04mMc2ySsrFW0lI8zcYzbEQBUQN5ovwIDAQABo1MwUTAd\nBgNVHQ4EFgQUyCp0znZlP1d+vQ9U4tpzs1g/hrAwHwYDVR0jBBgwFoAUyCp0znZl\nP1d+vQ9U4tpzs1g/hrAwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOC\nAQEAfh26fULdpurmRdE9KKcRGVY56fFk2SbxITTIoHULtQY5pzau9KVOKGl2+czM\n875QC1YviBoonQZE8LSA1A1gaj9s+XT5/fCGRagU/ODZX/sBDJMQJjaN+/QFRhom\nXKHZ+1nCPJqSiGGDJOANtZT1Xlfz+cKreuDfPysAA+s5row17CUIcYcC0WTNgVE9\nGdkjzF9ZDakLHekkQ9F2nMmEhwRTwxwneqJzcTFqDgWiIZpzkF6Ck90Ay43mpc7N\nU/osEYJlW10NJy8+wq11yZ50T3Z8EFkkbzo9QipnfW1byY+JstVeR0uLmUzNmkyy\nNBUf8fcYBdCLr2lDvOiUGhRw6w==\n-----END CERTIFICATE-----\n\n" } }, "uri": "mysql://myuser:bdjq5o19ax4suzmg@a7113e41-7254-4f5a-a0cf-a88b052c8b10.mysql.service.internal:3306/service_instance_db?reconnect=true", "username": "myuser" }Caution
In cf CLI v8, the response includes a top-level
credentialskey. Earlier versions of the cf CLI do not include a top-levelcredentialskey.
