MySQL Connections

MySQL connections enable agents to query MySQL databases.

Recommended: Create and manage connections via the web UI at https://ui.{deployment}.firetigerapi.com/settings/connections

Network Configuration

Firetiger’s query servers must be able to reach your database. Choose the appropriate networking setup based on your database configuration:

1. Private Network Database

Scenario: Database runs in a private VPC/network (AWS, GCP, Azure)

Solution: Set up a private network connection:

  • AWS: Configure AWS PrivateLink
  • GCP: Configure Private Service Connect
  • Azure: Configure Private Link

Contact Firetiger support to coordinate private network setup.

2. Public Database with IP Allowlist

Scenario: Database accepts public connections but restricts access by IP address

Solution: Add Firetiger’s static IP addresses to your database’s allowlist

  • Contact Firetiger support to obtain the static IP addresses for your deployment’s query servers
  • Add these IPs to your database firewall rules or security groups

3. Public Database with Standard Authentication

Scenario: Database accepts public connections with username/password authentication

Solution: No special networking configuration needed

  • Ensure your database accepts connections on the standard MySQL port (3306)
  • Verify firewall allows inbound connections from the internet
  • Use ssl_mode: "VERIFY_IDENTITY" for secure connections

Connection Parameters

A MySQL connection requires the following configuration:

Required Parameters

Parameter Type Description
host string Database hostname or IP address (e.g., db.example.com)
port int32 Database port number (typically 3306)
database string Name of the database to connect to
username string Username for authentication
password string Password for authentication (stored securely as a secret)

Optional Parameters

Parameter Type Description Default
ssl_mode string SSL/TLS connection mode (see below) PREFERRED
read_only bool Enable database-level read-only enforcement false

SSL Modes

The ssl_mode parameter controls how the connection encrypts data in transit. Choose the appropriate mode based on your security requirements:

Mode Description Use When
DISABLED No SSL encryption Not recommended - Only for local development or testing
PREFERRED Use SSL if available, fall back to unencrypted Default - Provides encryption when the server supports it
REQUIRED Require SSL but don’t verify server certificate You want encryption but certificate verification isn’t critical
VERIFY_IDENTITY Require SSL, verify certificate, and check hostname matches Most secure - Recommended for production

For production environments, use VERIFY_IDENTITY when possible to prevent man-in-the-middle attacks.

Read-Only Mode

The read_only parameter enables database-level read-only enforcement for the connection.

How it works: After connection, SET SESSION TRANSACTION READ ONLY is executed automatically.

Effect: MySQL enforces read-only at the session level - any attempt to INSERT, UPDATE, DELETE, TRUNCATE, or perform other write operations will fail with an error.

When to use:

  • Production agent connections - Recommended for all AI agent access to prevent accidental data modification
  • Analytics/reporting connections - Ensure reporting tools cannot modify data
  • Compliance requirements - Meet regulatory requirements for read-only access

Example:

{
  "read_only": true
}

This provides strong database-level protection against data modification.

Note: Default is false for backward compatibility. We recommend setting read_only: true for all new production connections.

Description Field

The description should document your schema to help agents write effective queries.

Example:

Production customer database (MySQL 8.0).

Tables:
- users: user_id (INT, PK), email (VARCHAR), status (ENUM: 'active','suspended')
- subscriptions: subscription_id (INT, PK), user_id (INT, FK), plan_name (VARCHAR), status (VARCHAR)
- billing_events: event_id (INT, PK), subscription_id (INT, FK), event_type (VARCHAR), amount_cents (INT)

Common patterns:
- Find user by email: WHERE email = '<email>'
- Active subscriptions: WHERE status = 'active'

Example Connection 

{
  "display_name": "Production Customer Database",
  "description": "Production customer database...",
  "connection_details": {
    "mysql": {
      "host": "prod-db.example.com",
      "port": 3306,
      "database": "customers",
      "username": "admin",
      "password": "password",
      "ssl_mode": "VERIFY_IDENTITY",
      "read_only": true
    }
  }
}

Query Support

Firetiger supports standard MySQL query syntax including:

  • SELECT statements with all standard clauses (WHERE, JOIN, GROUP BY, ORDER BY, LIMIT, etc.)
  • Common Table Expressions (CTEs) with WITH (MySQL 8.0+)
  • Subqueries and derived tables
  • SQL comments (both -- single-line and /* */ multi-line styles)
  • All MySQL functions (aggregate, string, date/time, JSON, etc.)
  • MySQL-specific syntax such as LIMIT offset, count and backtick-quoted identifiers

Security Model

Firetiger provides multiple layers of security for MySQL connections:

  1. Database-level read-only enforcement - Use read_only: true to prevent writes at the MySQL session level
  2. SSL encryption - Use ssl_mode: "VERIFY_IDENTITY" for secure connections

Recommended approach: Enable read_only: true for all production agent connections. This provides strong database-level protection regardless of the user’s actual permissions.

Best Practices

  • Enable read-only mode - Set read_only: true for all production agent connections
  • Document your schema - Include table/column information in the description field
  • Enable SSL in production - Use ssl_mode: "VERIFY_IDENTITY"
  • Limit data exposure - Only grant access to necessary tables through MySQL permissions
  • Use a dedicated user - Create a MySQL user specifically for Firetiger with minimal required privileges
This site uses Just the Docs, a documentation theme for Jekyll.