# Register a MariaDB Connection

{% hint style="info" %}
**Immuta policies will not be automatically enforced in MariaDB**

While you can author and apply subscription and data policies on MariaDB data sources within Immuta, these policies will not be enforced natively in the MariaDB platform. You can use [Immuta webhooks](https://documentation.immuta.com/saas/developer-guides/api-intro/immuta-v1-api/configure-your-instance-of-immuta/webhooks#webhook-overview) to be notified about changes to user access and make appropriate access updates in MariaDB using your own process.

To use this integration, contact your Immuta representative.
{% endhint %}

## Requirement

* Amazon RDS for MariaDB

## Permissions

The user registering the connection must have the permissions below.

* `APPLICATION_ADMIN` Immuta permission
* The MariaDB user setting up the connection must be the root user or have the `GRANT OPTION` MariaDB privilege.

## Create a database user account

1. Create a new database user in MariaDB to serve as the Immuta system account. Immuta will use this system account continuously to crawl the database you register. How you create this user depends on your [database authentication method](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/database-authentication.html). Follow the instructions linked below to create this user:
   1. [Password authentication](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/database-authentication.html#password-authentication): Follow the [MariaDB documentation](https://mariadb.com/docs/server/reference/sql-statements/account-management-sql-statements/create-user) to create the database user and assign that user a password.
   2. [IAM database authentication](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.html):
      1. [Create the database user in MariaDB.](https://mariadb.com/docs/server/reference/sql-statements/account-management-sql-statements/create-user)
      2. [Create an IAM policy for IAM database authentication](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.IAMPolicy.html).
      3. [Create the database account](https://mariadb.com/docs/server/reference/sql-statements/account-management-sql-statements/grant).
2. [Grant this account the following MariaDB privileges](https://dev.mysql.com/doc/refman/8.4/en/grant.html). A sample command that provides all these privileges to all databases and views is provided below:

   1. `SHOW DATABASES` on all databases in the server
   2. `SELECT` on all databases, tables, and views in the server
   3. `SHOW VIEW` on all views in the server

   <pre><code>GRANT SELECT, SHOW DATABASES, SHOW VIEW ON *.* TO '<a data-footnote-ref href="#user-content-fn-1">&#x3C;user></a>'@'%';
   </code></pre>

## Register a MariaDB connection

1. In Immuta, click <i class="fa-database">:database:</i> **Data** and select **Connections** in the navigation menu.
2. Click the **+ Add Connection** button.
3. Select the **MariaDB** tile.
4. Select **RDS** as the deployment method.
5. Enter the host connection information:
   1. **Display Name:** This is the name of your new connection. This name will be used in the API (`connectionKey`), in data source names from the host, and on the connections page. Avoid the use of periods (`.`) or [restricted words](#user-content-fn-2)[^2] in your connection name.
   2. **Hostname**: URL of your MariaDB instance.
   3. **Port**: Port configured with MariaDB.
   4. **Region**: The region of the AWS account with your MariaDB instance.
6. Select an authentication method from the dropdown menu.
   1. **AWS Access Key:** Provide the access key ID and secret access key for the [database account you created above](#create-a-database-user-account).
   2. **AWS Assumed Role** (recommended): Immuta will assume this IAM role from Immuta's AWS account to request [temporary credentials](#user-content-fn-3)[^3] that it can use to perform operations in the registered MariaDB database. Before proceeding, contact your Immuta representative and provide your service principal's IAM role. Immuta will allowlist the service principal so that Immuta can successfully assume that role. Your Immuta representative will provide the account to add to your trust relationship. Then, complete the steps below.
      1. Enter the **Role ARN** of the [database account you created above](#permissions).
      2. Set the **external ID** provided in a condition on the trust relationship for the role specified above. See the [AWS documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html) for guidance.
   3. **Username and Password**: Enter the credentials for the [MariaDB database user account](#create-a-database-user-account) you created above.
7. Click **Save connection**.

[^1]: Replace **\<user>** with the database account username.

[^2]: Your display name cannot be any of the following words: `data`, `connection`, `object`, `crawl`, `search`, `settings`, `metadata`, `permission`, `sync`, `bulk`, and `upgrade`.

[^3]: AWS rotates credentials every 15 minutes, so Immuta never stores these credentials. Immuta requests a new password every 15 minutes from AWS using this IAM role.