# Register a MySQL Connection

{% hint style="info" %}
**Immuta policies will not be automatically enforced in MySQL**

While you can author and apply subscription and data policies on MySQL data sources within Immuta, these policies will not be enforced natively in the MySQL platform. You can use [Immuta webhooks](https://documentation.immuta.com/saas/developer-guides/api-intro/immuta-v1-api/configure-your-instance-of-immuta/webhooks#webhook-overview) to be notified about changes to user access and make appropriate access updates in MySQL using your own process.

To use this integration, contact your Immuta representative.
{% endhint %}

## Requirements

* Amazon RDS or Amazon Aurora for MySQL

## Permissions

The user registering the connection must have the permissions below.

* `APPLICATION_ADMIN` Immuta permission
* The MySQL user registering the connection must be the root user or have the `GRANT OPTION` MySQL privilege.

## Create a database user account

1. Create a new database user in MySQL to serve as the Immuta system account. Immuta will use this system account continuously to crawl the database you register. How you create this user depends on your [database authentication method](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/database-authentication.html). Follow the instructions linked below to create this user:
   1. [Password authentication](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/database-authentication.html#password-authentication): Follow the [MySQL documentation](https://dev.mysql.com/doc/mysql-installer/en/server-accounts-roles.html) to create the database user and assign that user a password.
   2. [IAM database authentication](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.html):
      1. [Create the database user in MySQL.](https://dev.mysql.com/doc/mysql-installer/en/server-accounts-roles.html)
      2. [Create an IAM policy for IAM database authentication](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.IAMPolicy.html).
      3. [Create the database account](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.DBAccounts.html#UsingWithRDS.IAMDBAuth.DBAccounts.MySQL).
2. [Grant this account the following MySQL privileges](https://dev.mysql.com/doc/refman/8.4/en/grant.html). A sample command that provides all these privileges to all databases and views is provided below:

   1. `SHOW DATABASES` on all databases in the server
   2. `SELECT` on all databases, tables, and views in the server
   3. `SHOW VIEW` on all views in the server

   <pre><code>GRANT SELECT, SHOW DATABASES, SHOW VIEW ON *.* TO '<a data-footnote-ref href="#user-content-fn-1">&#x3C;user></a>'@'%';
   </code></pre>
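The account setup described above, as an added example that is not part of the Immuta documentation: it creates the system account, applies the grant, and then audits the account for any privilege outside the three listed. The account name `immuta_system` and the password placeholder are assumptions; run it as the root user or a user with `GRANT OPTION`.

```sql
-- Added example; 'immuta_system' is a placeholder account name (assumption).

-- Option A: password authentication. Replace the placeholder before running.
CREATE USER 'immuta_system'@'%' IDENTIFIED BY '<generated-password>';

-- Option B: IAM database authentication on RDS or Aurora MySQL.
-- Use this statement instead of Option A; the plugin name comes from the
-- AWS documentation for creating an IAM-authenticated database account.
-- CREATE USER 'immuta_system'@'%' IDENTIFIED WITH AWSAuthenticationPlugin AS 'RDS';

-- The three privileges this page lists, granted on every database.
GRANT SELECT, SHOW DATABASES, SHOW VIEW ON *.* TO 'immuta_system'@'%';

-- Human-readable view of what the account now holds.
SHOW GRANTS FOR 'immuta_system'@'%';

-- Audit: report anything the account holds beyond the page's grant list.
-- information_schema stores the grantee with its quotes, hence the
-- doubled single quotes in the literal. USAGE means "no privileges".
-- An empty result means the account matches the grant list exactly.
SELECT 'global' AS scope, PRIVILEGE_TYPE, IS_GRANTABLE
FROM information_schema.USER_PRIVILEGES
WHERE GRANTEE = '''immuta_system''@''%'''
  AND (PRIVILEGE_TYPE NOT IN ('SELECT', 'SHOW DATABASES', 'SHOW VIEW', 'USAGE')
       OR IS_GRANTABLE = 'YES')
UNION ALL
-- Per-database grants are additive to the global ones, so check them too.
SELECT CONCAT('schema ', TABLE_SCHEMA), PRIVILEGE_TYPE, IS_GRANTABLE
FROM information_schema.SCHEMA_PRIVILEGES
WHERE GRANTEE = '''immuta_system''@''%'''
  AND (PRIVILEGE_TYPE NOT IN ('SELECT', 'SHOW VIEW')
       OR IS_GRANTABLE = 'YES');
```

Rerunning the audit query after any change to the account gives a quick check that the system account is still read-only.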

## Register a MySQL connection

1. In Immuta, click **Data** and select **Connections** in the navigation menu.
2. Click the **+ Add Connection** button.
3. Select the **MySQL** tile.
4. Select your deployment type:
   1. **Aurora**
   2. **RDS**
5. Enter the host connection information:
   1. **Display Name:** This is the name of your new connection. This name will be used in the API (`connectionKey`), in data source names from the host, and on the connections page. Avoid the use of periods (`.`) or [restricted words](#user-content-fn-2)[^2] in your connection name.
   2. **Hostname**: The URL of your MySQL instance.
   3. **Port**: The port configured for MySQL.
   4. **Region**: The region of the AWS account with your MySQL instance.
6. Select an authentication method from the dropdown menu.
   1. **AWS Access Key:** Provide the access key ID and secret access key for the [database user account you created above](#permissions).
   2. **AWS Assumed Role** (recommended): Immuta will assume this IAM role from Immuta's AWS account to request [temporary credentials](#user-content-fn-3)[^3] that it can use to perform operations in the registered MySQL database. Before proceeding, contact your Immuta representative and provide your service principal's IAM role. Immuta will allowlist the service principal so that Immuta can successfully assume that role. Your Immuta representative will provide the account to add to your trust relationship. Then, complete the steps below.
      1. Enter the **Username** of the [database user account you created above](#permissions).
      2. Enter the **Role ARN** of the [database user account you created above](#permissions).
      3. Set the **External ID** provided in a condition on the trust relationship for the role specified above. See the [AWS documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html) for guidance.
   3. **Username and Password**: Enter the credentials for the [MySQL database user account](#create-a-database-user-account) you created above.
7. Click **Save connection**.

[^1]: Replace **\<user>** with the database account username.

[^2]: Your display name cannot be any of the following words: `data`, `connection`, `object`, `crawl`, `search`, `settings`, `metadata`, `permission`, `sync`, `bulk`, and `upgrade`.

[^3]: AWS rotates credentials every 15 minutes, so Immuta never stores these credentials. Immuta requests a new password every 15 minutes from AWS using this IAM role.

