Passwordless Access to PlanetScale DB

You can provide seamless zero trust, secret-less access to PlanetScale or any SaaS MySQL-based database (read more about MYSQL Services here) without having to share and manage passwords and roles (read more about secret-less access here).

First we need to create a Secret for the database's password as follows:

octeliumctl create secret psdb-password

Now we use the database information (namely the address, user, database and the password Secret name) to create a Service for our database as follows:

kind: Service
metadata:
  name: psdb
spec:
  mode: MYSQL
  port: 3306
  config:
    upstream:
      url: mysql://aws.connect.psdb.cloud
    mysql:
      user: <USER>
      database: <DB>
      auth:
        password:
          fromSecret: psdb-password
      isTLS: true

You can now apply the creation of the Service as follows (read more here):

octeliumctl apply /PATH/TO/SERVICE.YAML

NOTE

Note that you can also provide dynamic secret-less access where you can set different users, databases and passwords for different Users under different contexts. Read more about dynamic configuration here.

NOTE

You might also want to read about MYSQL mode access control here and access logs here.

After connecting to the Cluster via the octelium connect command (read more about connecting to Clusters here), we can access the database with any suitable tool, such as the mysql CLI, as follows:

mysql -h psdb

Here is a dynamic configuration example where Users belonging to the production or admins Groups access a production database while the rest access a development database:

apiVersion: core/v1
kind: Service
metadata:
  name: psdb
spec:
  mode: MYSQL
  port: 3306
  dynamicConfig:
    configs:
      - name: production
        upstream:
          url: mysql://aws.connect.psdb.cloud
        mysql:
          user: production-user
          database: production-db
          auth:
            password:
              fromSecret: prod-password
          isTLS: true
      - name: development
        upstream:
          url: mysql://aws.connect.psdb.cloud
        mysql:
          user: dev-user
          database: dev-db
          auth:
            password:
              fromSecret: dev-password
          isTLS: true
    rules:
      - condition:
          match: ctx.user.spec.groups.hasAny("production", "admins")
        configName: production
      - condition:
          matchAny: true
        configName: development

NOTE

You might also want to read about Octelium's MySQL L7 aware access control here.
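
A dynamic configuration like the one above is worth reviewing before it is applied, since a misordered or mistyped rule decides which database credentials a User ends up with. The following Python check is an added example, not part of Octelium or its documentation: it embeds the manifest as a constructed dict and flags configs without isTLS or fromSecret, rules naming an undefined config, and a catch-all rule that is misplaced or falls back to a privileged config. The names mysql_cfg, lint_service and privileged are hypothetical, and the check assumes rules are evaluated in order with the first match winning.

```python
# Added example: pre-apply lint for the dynamicConfig Service shown above.
# SERVICE is a constructed Python dict mirroring the page's YAML manifest.

def mysql_cfg(name, user, db, secret, tls=True):
    """Build one entry of dynamicConfig.configs (hypothetical helper)."""
    return {"name": name,
            "upstream": {"url": "mysql://aws.connect.psdb.cloud"},
            "mysql": {"user": user, "database": db, "isTLS": tls,
                      "auth": {"password": {"fromSecret": secret}}}}

SERVICE = {"kind": "Service", "metadata": {"name": "psdb"}, "spec": {
    "mode": "MYSQL", "port": 3306, "dynamicConfig": {
        "configs": [
            mysql_cfg("production", "production-user", "production-db", "prod-password"),
            mysql_cfg("development", "dev-user", "dev-db", "dev-password")],
        "rules": [
            {"condition": {"match": 'ctx.user.spec.groups.hasAny("production", "admins")'},
             "configName": "production"},
            {"condition": {"matchAny": True}, "configName": "development"}]}}}

def lint_service(svc, privileged=("production",)):
    """Return a list of findings; an empty list means the manifest passed."""
    findings = []
    dyn = svc.get("spec", {}).get("dynamicConfig", {})
    configs = {c.get("name"): c for c in dyn.get("configs", [])}
    rules = dyn.get("rules", [])
    for name, cfg in configs.items():
        mysql = cfg.get("mysql", {})
        if mysql.get("isTLS") is not True:
            findings.append(f"config {name}: isTLS is not true")
        if "fromSecret" not in mysql.get("auth", {}).get("password", {}):
            findings.append(f"config {name}: password not taken from a Secret")
    for i, rule in enumerate(rules):
        target = rule.get("configName")
        if target not in configs:
            findings.append(f"rule {i}: unknown configName {target!r}")
        if rule.get("condition", {}).get("matchAny"):
            # Assumption: rules are evaluated in order and the first match wins.
            if i != len(rules) - 1:
                findings.append(f"rule {i}: catch-all shadows the rules after it")
            if target in privileged:
                findings.append(f"rule {i}: catch-all selects privileged config {target!r}")
    if not any(r.get("condition", {}).get("matchAny") for r in rules):
        findings.append("no catch-all rule for Users that match no other rule")
    return findings

if __name__ == "__main__":
    for line in lint_service(SERVICE) or ["manifest passed"]:
        print(line)
```

To lint a real manifest, load the YAML file into a dict with a YAML parser and pass it to lint_service in place of SERVICE.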

Octelium also provides OpenTelemetry-ready, application-layer L7 aware visibility and access logging in real time (see an example for PostgreSQL here). You can read more about visibility here.
