What is the recommended way to rotate vault token for mysql?

I want to rotate the Vault token inside the keyring.conf file, but I was concerned that if MySQL only reads the token at startup and stores it in memory, how would it know when to read a fresh token from the keyring.conf file after the token has expired?

I found "Best Practice for Automatic Vault Token Generation and Percona keyring_vault plugin - #2 by LukeYangJMA", which mentions that we can run:

mysql> UNINSTALL PLUGIN keyring_vault;
mysql> INSTALL PLUGIN keyring_vault SONAME 'keyring_vault.so';

to refresh the token loaded in memory.

I wanted to ask if this is the best way to handle token rotation, or is there something else as well?

Hello @Yash_Daga,
Since there is no built-in function to reload the keyring config, you’ll have to uninstall the plugin, then reinstall it to force a reload. You can open a feature request at https://jira.percona.com for a native function to be added to the plugin.
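The rotation procedure discussed above (write the fresh token into the config, then reinstall the plugin so it is re-read), as an added example that is not part of the thread or of Percona's code. It assumes the config stores the token on a `token = ...` line; the function names, file paths and client options are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: rotate the Vault token used by keyring_vault, then reload it.
# Function names, paths and the mysql client options are assumptions.
set -euo pipefail

# Rewrite the "token = ..." line of the keyring config with a new token.
# The new file is built next to the original and renamed over it, so the
# plugin never reads a half-written config when it is reinstalled.
rotate_keyring_token() {
    local conf=$1 new_token=$2 tmp
    [ -f "$conf" ] || { echo "no such config: $conf" >&2; return 1; }
    [ -n "$new_token" ] || { echo "refusing to write an empty token" >&2; return 1; }
    grep -Eq '^[[:space:]]*token[[:space:]]*=' "$conf" \
        || { echo "no token line in $conf" >&2; return 1; }

    tmp=$(mktemp "${conf}.XXXXXX")
    cp -p "$conf" "$tmp"      # carry over mode (and owner, when permitted)
    chmod o-rwx "$tmp"        # the token must never be world-readable

    # The token is passed through the environment so awk treats it as
    # literal text (no escape processing) and it stays off the command line.
    NEW_TOKEN=$new_token awk '
        /^[[:space:]]*token[[:space:]]*=/ { print "token = " ENVIRON["NEW_TOKEN"]; next }
        { print }
    ' "$conf" > "$tmp" || { rm -f "$tmp"; return 1; }

    mv -f "$tmp" "$conf"
}

# Force the server to re-read the config, using the statements from the thread.
# Extra arguments go to the mysql client, e.g. --defaults-extra-file=/path/to/admin.cnf
reload_keyring_plugin() {
    mysql "$@" -e "UNINSTALL PLUGIN keyring_vault;
                   INSTALL PLUGIN keyring_vault SONAME 'keyring_vault.so';"
}

# Typical use, run before the old token expires (paths are placeholders):
#   rotate_keyring_token /path/to/keyring.conf "$(cat /path/to/new-token)"
#   reload_keyring_plugin --defaults-extra-file=/path/to/admin.cnf
```
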

Thanks for the quick response @matthewb. Just wanted to ask if you have any recommended way of handling Vault access to MySQL: is it via tokens or by k8s service token auth?

I believe the mysql plugin only supports direct tokens.