
MySQL: Read-Only User

Create a secure, minimal-privilege MySQL user for FreshGuard.

This guide walks you through creating a dedicated read-only MySQL user for FreshGuard. The user has the minimum privileges needed to run monitoring queries.

Create the User

Connect to your MySQL database as root or a user with CREATE USER and GRANT privileges, then run:

-- Create a dedicated user with a strong password
CREATE USER 'freshguard_readonly'@'%'
IDENTIFIED BY 'your-strong-password-here';
-- Grant SELECT on the database you want to monitor
GRANT SELECT ON analytics.* TO 'freshguard_readonly'@'%';
-- Apply the changes
FLUSH PRIVILEGES;

Use a strong password

Generate a random password of at least 32 characters. Never reuse passwords from other services.

Restrict by Host

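For additional security, you can restrict the user to connect only from FreshGuard’s outgoing IP addresses instead of any host (%). MySQL treats each user/host pair as a separate account, so a 'freshguard_readonly'@'%' entry created earlier keeps accepting connections from any host until it is dropped. Find FreshGuard’s current IPs in your dashboard under Settings → Network, then create a separate user entry for each: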

-- Repeat for each of FreshGuard's outgoing IP addresses
CREATE USER 'freshguard_readonly'@'<freshguard-ip>'
IDENTIFIED BY 'your-strong-password-here';
GRANT SELECT ON analytics.* TO 'freshguard_readonly'@'<freshguard-ip>';

Multiple Databases

If you need to monitor tables across multiple databases, grant access to each:

GRANT SELECT ON analytics.* TO 'freshguard_readonly'@'%';
GRANT SELECT ON staging.* TO 'freshguard_readonly'@'%';
GRANT SELECT ON warehouse.* TO 'freshguard_readonly'@'%';
FLUSH PRIVILEGES;

Verify Permissions

Connect as the new user and confirm it can read but not write:

-- This should work
SELECT COUNT(*) FROM analytics.your_table;
-- This should fail with "INSERT command denied"
INSERT INTO analytics.your_table (id) VALUES (0);
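
The read/write test above exercises a single table. As an added example (not part of FreshGuard's own documentation), the following audit lists everything the account has been granted; run it as an administrative user that can read the mysql system schema. It assumes the user name freshguard_readonly from this guide and uses only standard MySQL system tables.

```sql
-- Added example: audit the privileges held by freshguard_readonly.

-- 1. Every account entry for this user name. A row with host '%' means
--    the account can still log in from any host.
SELECT user, host
FROM mysql.user
WHERE user = 'freshguard_readonly';

-- 2. The grants for one entry, in MySQL's own syntax. Repeat for each
--    host returned by step 1. Roles granted to the account (MySQL 8.0+)
--    show up here, not in step 3.
SHOW GRANTS FOR 'freshguard_readonly'@'%';

-- 3. Anything beyond read-only access, for all host entries at once.
--    Global level: only USAGE is expected (a global SELECT would also
--    expose the mysql system schema).
--    Schema and table level: only SELECT is expected.
--    Any privilege held WITH GRANT OPTION is reported as well.
--    Expected result for the setup in this guide: empty set.
SELECT 'global' AS scope, GRANTEE, NULL AS TABLE_SCHEMA,
       NULL AS TABLE_NAME, PRIVILEGE_TYPE, IS_GRANTABLE
FROM information_schema.USER_PRIVILEGES
WHERE SUBSTRING_INDEX(GRANTEE, '@', 1) = QUOTE('freshguard_readonly')
  AND (PRIVILEGE_TYPE <> 'USAGE' OR IS_GRANTABLE = 'YES')
UNION ALL
SELECT 'schema', GRANTEE, TABLE_SCHEMA,
       NULL, PRIVILEGE_TYPE, IS_GRANTABLE
FROM information_schema.SCHEMA_PRIVILEGES
WHERE SUBSTRING_INDEX(GRANTEE, '@', 1) = QUOTE('freshguard_readonly')
  AND (PRIVILEGE_TYPE <> 'SELECT' OR IS_GRANTABLE = 'YES')
UNION ALL
SELECT 'table', GRANTEE, TABLE_SCHEMA,
       TABLE_NAME, PRIVILEGE_TYPE, IS_GRANTABLE
FROM information_schema.TABLE_PRIVILEGES
WHERE SUBSTRING_INDEX(GRANTEE, '@', 1) = QUOTE('freshguard_readonly')
  AND (PRIVILEGE_TYPE <> 'SELECT' OR IS_GRANTABLE = 'YES');
```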

Cloud Provider Notes

Amazon RDS for MySQL / Aurora MySQL

The setup above works as-is. Connect using the master user and run the same commands.

Google Cloud SQL for MySQL

Cloud SQL supports standard MySQL user management. Connect via Cloud SQL Proxy or the public IP (with SSL required) and run the commands above.

Azure Database for MySQL

Azure MySQL uses user@servername format for logins. Create the user as shown above; when connecting, use freshguard_readonly@yourservername.

Tip

When you connect MySQL in FreshGuard, enter freshguard_readonly and the password you set for it.