
ServiceNow MySQL Database Authentication

1. Infrastructure

GitHub repo: hmcts/servicenow-infrastructure

Pipeline: hmcts.servicenow-infrastructure

2. Azure Resources

  • Resource Group: rg-servicenow-prod
  • Storage Account: servicenowprodukssa
  • MySQL Flexible Server: servicenow-mysql-prod

3. Prerequisites

  • brew install mysql-client

4. Authentication Setup

This section covers creating the required Entra groups and access packages, and updating the MySQL Flexible Server to support Entra ID authentication.

4.1 Create Entra Groups and Assign Users

First, the following Entra groups were created via the azure-access repo, in users/groups.yaml:

  • DTS ServiceNow MySQL DB Access for Administrators
  • DTS ServiceNow MySQL DB Access for Users

Then the required group was added to the user's entry in prod_users.yaml, e.g.:

```yaml
- name: Natasha.Gharssa@justice.gov.uk
  groups:
    - DTS ServiceNow MySQL DB Access for Administrators
```

4.2 Create Access Packages

Next, use the azure-access-packages repo to create the two access packages:

  • Production MySQL Administrative Access SC
  • Production MySQL User Access SC

First, add the new Entra groups created earlier to the Databases catalog in entitlement-catalogs.yml, e.g.:

```yaml
- name: "Databases"
  description: "Grants access to databases"
  published: true
  externally_visible: true
  resources:
    - "DTS ServiceNow MySQL DB Access for Administrators"
    - "DTS ServiceNow MySQL DB Access for Users"
```

Next, add two new entitlement packages to entitlement-packages.yml, using the existing packages as a guide. Both use the self-approval-with-justification policy and can only be requested by members of DTS Platform Operations SC:

```yaml
- name: "Production MySQL Administrative Access SC"
  description: "Grants admin access to MySQL ServiceNow Flexible Server"
  catalog_name: "Databases"
  policies:
    - name: "self-approval-with-justification"
      requestor_groups:
        - "DTS Platform Operations SC"
  resource_roles:
    - "DTS ServiceNow MySQL DB Access for Administrators"

- name: "Production MySQL User Access SC"
  description: "Grants user access to MySQL ServiceNow Flexible Server"
  catalog_name: "Databases"
  policies:
    - name: "self-approval-with-justification"
      requestor_groups:
        - "DTS Platform Operations SC"
  resource_roles:
    - "DTS ServiceNow MySQL DB Access for Users"
```

4.3 Adding support for authentication using Entra ID and setting Administrator

The following PR added Microsoft Entra ID authentication to the MySQL Flexible Server in the ServiceNow infrastructure, so that users can log in with their Entra identities rather than a native MySQL password. It creates the "azurerm_user_assigned_identity" resource (the user-assigned managed identity the server needs for Entra ID authentication) and configures the MySQL admin_group, which sets the Entra group that acts as the server's administrator.

Support Entra ID auth and set admin

5. Setting up Azure AD group ‘DTS ServiceNow MySQL DB Access for Users’ with read-only permissions

Create a MySQL account for the Entra group and map it to the alias ServiceNowReaders (any member of the group authenticates as this account):

```sql
CREATE AADUSER 'DTS ServiceNow MySQL DB Access for Users' AS ServiceNowReaders;
```

Grant read-only permissions to the ServiceNowReaders user, i.e. to every member of DTS ServiceNow MySQL DB Access for Users. The grant is scoped to the servicenow database only, so the group gets no access to other schemas:

```sql
GRANT SELECT ON servicenow.* TO 'ServiceNowReaders'@'%';
```

Then reload MySQL's privilege tables from disk. CREATE and GRANT statements already take effect immediately, so FLUSH PRIVILEGES is only strictly required after editing the grant tables directly, but it is harmless here:

```sql
FLUSH PRIVILEGES;
```
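The mapping above is only as safe as the grants that end up on the account, so it is worth checking them after the change rather than trusting the statements ran as intended. The following is an added example, not part of this runbook or the hmcts/servicenow-infrastructure repo: a small shell filter that reads SHOW GRANTS output and fails if the reader account holds anything beyond USAGE and SELECT, or carries WITH GRANT OPTION. The SAMPLE_* grant lines are constructed to show the shape MySQL 8 prints; the live command in the comment assumes the tunnel and token from section 6.

```shell
#!/bin/sh
# Added example (not from hmcts/servicenow-infrastructure): audit SHOW GRANTS output
# for the read-only ServiceNowReaders account from section 5.
set -eu

# The only privileges a read-only account should hold.
ALLOWED_PRIVS="USAGE SELECT"

# Return 0 if one SHOW GRANTS line is acceptable for a read-only account, 1 otherwise.
# $1 = a line such as: GRANT SELECT ON `servicenow`.* TO `ServiceNowReaders`@`%`
grant_line_ok() {
    line=$1
    case $line in
        *"WITH GRANT OPTION"*) echo "grant option present: $line" >&2; return 1 ;;
        "GRANT "*" ON "*) ;;
        *) echo "unrecognised grant line: $line" >&2; return 1 ;;
    esac
    # The comma-separated privilege list sits between "GRANT " and the first " ON ".
    privs=${line#GRANT }
    privs=${privs%% ON *}
    # Split on commas (privilege names such as "SHOW VIEW" contain spaces), trim,
    # and collect every privilege that is not in the allow list.
    bad=$(printf '%s\n' "$privs" | tr ',' '\n' | sed 's/^ *//; s/ *$//' | while read -r p; do
        case " $ALLOWED_PRIVS " in
            *" $p "*) ;;
            *) printf '%s ' "$p" ;;
        esac
    done)
    [ -z "$bad" ] || { echo "privileges beyond read-only: $bad($line)" >&2; return 1; }
    return 0
}

# Read SHOW GRANTS output on stdin; return 1 if any line violates the read-only policy.
audit_reader_grants() {
    status=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        grant_line_ok "$line" || status=1
    done
    return $status
}

# Constructed samples in the format MySQL 8 prints (not captured from the real server).
SAMPLE_OK='GRANT USAGE ON *.* TO `ServiceNowReaders`@`%`
GRANT SELECT ON `servicenow`.* TO `ServiceNowReaders`@`%`'
SAMPLE_WRITE='GRANT USAGE ON *.* TO `ServiceNowReaders`@`%`
GRANT SELECT, INSERT, UPDATE ON `servicenow`.* TO `ServiceNowReaders`@`%`'

# Stand-alone demo: the first sample passes, the second is rejected.
printf '%s\n' "$SAMPLE_OK" | audit_reader_grants && echo "reader grants: OK"
printf '%s\n' "$SAMPLE_WRITE" | audit_reader_grants || echo "reader grants: REJECTED (as expected)"

# Against the live server, through the section 6 tunnel (option file holds the token):
#   mysql --defaults-extra-file="$cnf" -h 127.0.0.1 -N \
#       -e "SHOW GRANTS FOR 'ServiceNowReaders'@'%'" | audit_reader_grants
```

Run it after any change to the reader grants; a non-zero exit means the account has drifted from read-only and the offending privilege is named on stderr.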

6. Logging onto MySQL Flexible Server

Ensure you have requested and received the following access packages:

  • the relevant MySQL package: Production MySQL Administrative Access SC or Production MySQL User Access SC
  • Administrative Access - Production Bastion Server

and that you are connected to the F5 VPN.

Next, open a terminal and ssh onto the bastion-prod.platform.hmcts.net jumpbox, creating a tunnel from your local machine. This lets you connect through a local port and run mysql commands from your own terminal:

```sh
ssh -L 3306:servicenow-mysql-prod.mysql.database.azure.com:3306 bastion-prod.platform.hmcts.net
```

Next, keeping the current terminal window open, open a new window and fetch the token needed to connect to the database:

```sh
TOKEN=$(az account get-access-token --resource-type oss-rdbms --output tsv --query accessToken)
```

Finally, run the mysql command below to connect to the database with Administrator or User privileges. The token is short-lived (typically around an hour), so if mysql reports access denied after a while, re-run the az command above and reconnect:

```sh
mysql -h 127.0.0.1 --user "<username>" --enable-cleartext-plugin --password="$TOKEN"
```

  • username for Administrators: DTS ServiceNow MySQL DB Access for Administrators
  • username for Users: DTS ServiceNow MySQL DB Access for Users
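The three steps above are easy to get subtly wrong: a token requested for the wrong resource fails with an unhelpful access-denied error, an expired token looks the same, and --password=$TOKEN on the command line leaves the token visible in ps output and shell history. The script below is an added example, not part of this runbook or the hmcts/servicenow-infrastructure repo. It wraps tunnel, token and mysql into one function, decodes the token's aud and exp claims before using it (a sanity check only; the server still verifies the signature), and hands the token to mysql through a 0600 option file. It assumes az, ssh and mysql on PATH, the F5 VPN connected, the hostnames and group names given on this page, and that tokens issued for --resource-type oss-rdbms carry the audience https://ossrdbms-aad.database.windows.net (an assumption taken from the Azure documentation).

```shell
#!/bin/sh
# Added example (not from hmcts/servicenow-infrastructure): connect to the ServiceNow
# MySQL Flexible Server via the bastion with an Entra token, checking the token first.
set -eu

BASTION="bastion-prod.platform.hmcts.net"
DB_HOST="servicenow-mysql-prod.mysql.database.azure.com"
LOCAL_PORT=3306
# Audience Entra puts in tokens requested with --resource-type oss-rdbms
# (assumption from the Azure docs; adjust if your tenant differs).
EXPECTED_AUD="https://ossrdbms-aad.database.windows.net"

# Decode one base64url segment of a JWT to stdout (re-adds the padding JWTs strip).
b64url_decode() {
    s=$(printf '%s' "$1" | tr '_-' '/+')
    pad=$(( (4 - ${#s} % 4) % 4 ))
    while [ "$pad" -gt 0 ]; do s="${s}="; pad=$((pad - 1)); done
    printf '%s' "$s" | base64 -d
}

# Print the value of a top-level claim from the token payload (empty if absent).
# $1 = token, $2 = claim name. Nothing is verified here; the server checks the signature.
jwt_claim() {
    payload=$(printf '%s' "$1" | cut -d. -f2)
    b64url_decode "$payload" | sed -n "s/.*\"$2\":\([^,}]*\).*/\1/p" | tr -d '"'
}

# Return 0 if the token is for the MySQL audience and has more than 5 minutes left.
# $1 = token, $2 = current epoch seconds (optional; defaults to now).
check_token() {
    tok=$1
    now=${2:-$(date +%s)}
    aud=$(jwt_claim "$tok" aud)
    exp=$(jwt_claim "$tok" exp)
    if [ "$aud" != "$EXPECTED_AUD" ]; then
        echo "token audience is '$aud', not $EXPECTED_AUD (wrong --resource-type?)" >&2
        return 1
    fi
    if [ -z "$exp" ] || [ "$exp" -le $((now + 300)) ]; then
        echo "token expired or expires within 5 minutes; re-run az account get-access-token" >&2
        return 1
    fi
    return 0
}

# Open the tunnel, fetch and check a token, then start mysql as "admin" or "user".
connect_servicenow_mysql() {
    case ${1:-} in
        admin) user="DTS ServiceNow MySQL DB Access for Administrators" ;;
        user)  user="DTS ServiceNow MySQL DB Access for Users" ;;
        *) echo "usage: connect_servicenow_mysql admin|user" >&2; return 2 ;;
    esac
    sock="${TMPDIR:-/tmp}/servicenow-mysql-tunnel.$$"
    umask 077
    cnf=$(mktemp)
    # Remove the credentials file and close the tunnel when this shell exits.
    trap 'rm -f "$cnf"; ssh -S "$sock" -O exit "$BASTION" 2>/dev/null || true' EXIT
    # -N: no remote shell; -f: background once the forward is up; -M/-S: control
    # socket so the trap above can close the tunnel cleanly.
    ssh -M -S "$sock" -f -N -L "${LOCAL_PORT}:${DB_HOST}:3306" "$BASTION"
    tok=$(az account get-access-token --resource-type oss-rdbms --output tsv --query accessToken)
    check_token "$tok" || return 1
    # Pass the token via a 0600 option file instead of --password=..., so it is not
    # visible in `ps` output or shell history. --defaults-extra-file must come first.
    printf '[client]\npassword=%s\n' "$tok" > "$cnf"
    mysql --defaults-extra-file="$cnf" -h 127.0.0.1 -P "$LOCAL_PORT" --protocol=TCP \
        --user "$user" --enable-cleartext-plugin
}

# Invoke as: sh connect-servicenow-mysql.sh admin   (or: user)
case ${1:-} in
    admin|user) connect_servicenow_mysql "$1" ;;
esac
```

The audience check catches the common mistake of requesting a token for the wrong resource, and the expiry check avoids a confusing failure mid-session; both read the token only, so a rejected token costs one more az call rather than a round trip to the server.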

7. References

This page was last reviewed on 8 October 2025. It needs to be reviewed again on 8 January 2026 by the page owner platops-build-notices.