How the password is changed
When a MySQL account rotates, the rotation account connects to the target database and runs:'%' (any-host) grant, so the target user must be defined for that host. The connection uses the account’s existing connection details, including the SSL settings.
Rotation account requirements
- Self-rotation: a user can change its own password, so no extra privileges are needed.
- Delegated rotation: the rotation account needs the global
CREATE USERprivilege (orUPDATEon themysqlsystem database) to alter another user’s password.