Issue
Root credential rotation in the MySQL Database Secrets Engine fails with the following error:
failed to update user: failed to change password: Error 1396: Operation ALTER USER failed for 'vaultroot'@'%'
As a result, the root credential rotation does not complete successfully.
Resolution
1. Use the correct MySQL rotation statement:
Update the rotation statements to use MySQL-compatible syntax:
"rotation_statements": [
  "ALTER USER \"{{name}}\" IDENTIFIED BY '{{password}}';"
]
2. Ensure the MySQL user exists with the correct host
The MySQL user must exist with the same host value that Vault targets (typically %).
If Vault is rotating user@'%', create or update the user accordingly:
Create the user with host %:
CREATE USER 'user'@'%' IDENTIFIED BY 'initial-password';
Alternatively, modify the existing user:
ALTER USER 'user'@'localhost' IDENTIFIED BY 'new-password';
Root Cause
Either or both of the two underlying issues can contribute to the failure:
1. Incorrect SQL Syntax Used in Rotation Statements
Some rotation statements mistakenly use syntax from PostgreSQL or other database engines, such as:
ALTER USER "user" WITH PASSWORD 'password';
MySQL does not support WITH PASSWORD.
The correct MySQL syntax is:
ALTER USER "user" IDENTIFIED BY 'password';
2. MySQL User Host Mismatch
MySQL users are defined with both a username and a host component, for example:
user@localhost
user@%
Vault performs rotations using user@%.
If the MySQL account only exists as user@localhost (or any other host), MySQL rejects the rotation request with Error 1396, indicating a host mismatch.
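A pre-flight check for both root causes, as an added example that is not part of the original article or Vault's own code: it scans rotation statements for the PostgreSQL-style clause and compares the account each statement targets with (user, host) rows from mysql.user. The function name preflight and the sample rows are assumptions made for illustration; a statement with no host part is treated as user@'%', which is how MySQL resolves it.

```python
import re

# PostgreSQL-style clause that MySQL rejects, and the MySQL form the article gives.
PG_CLAUSE = re.compile(r"\bWITH\s+(?:ENCRYPTED\s+)?PASSWORD\b", re.I)
MYSQL_CLAUSE = re.compile(r"\bIDENTIFIED\s+BY\b", re.I)
# ALTER USER <quoted name>[@<quoted host>]; the host part is optional.
ACCOUNT = re.compile(
    r"""ALTER\s+USER\s+(['"`])(?P<name>.+?)\1(?:\s*@\s*(['"`])(?P<host>.*?)\3)?""",
    re.I,
)

def preflight(statements, name, accounts):
    """Check rotation statements against (user, host) rows from mysql.user.

    Returns a list of findings; an empty list means both checks passed.
    """
    findings = []
    for stmt in statements:
        sql = stmt.replace("{{name}}", name)  # password stays a placeholder
        if PG_CLAUSE.search(sql):
            findings.append("syntax: WITH PASSWORD is not MySQL; use IDENTIFIED BY")
        elif not MYSQL_CLAUSE.search(sql):
            findings.append("syntax: no IDENTIFIED BY clause found")
        m = ACCOUNT.search(sql)
        if not m:
            continue
        # MySQL treats an account name with no host part as user@'%'.
        host = m.group("host") if m.group("host") is not None else "%"
        if (m.group("name"), host) not in accounts:
            seen = sorted(h for u, h in accounts if u == m.group("name")) or ["none"]
            findings.append(
                f"host: {m.group('name')}@{host} not in mysql.user "
                f"(hosts present: {', '.join(seen)}); expect Error 1396"
            )
    return findings

# Constructed sample data: rows as from SELECT user, host FROM mysql.user;
ROWS = {("vaultroot", "localhost"), ("app", "%")}
BAD = ["ALTER USER \"{{name}}\" WITH PASSWORD '{{password}}';"]
GOOD = ["ALTER USER \"{{name}}\" IDENTIFIED BY '{{password}}';"]

if __name__ == "__main__":
    for label, stmts in (("postgres-style", BAD), ("mysql-style", GOOD)):
        for finding in preflight(stmts, "vaultroot", ROWS) or ["ok"]:
            print(f"{label}: {finding}")
```

With the sample rows, the MySQL-style statement still reports a host finding because vaultroot exists only at localhost, which is the Error 1396 case described above.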