Issue
Vault fails to revoke a dynamic MySQL user lease and logs the error shown below. This occurs when a dynamically generated Vault database credential is used to create objects such as procedures, triggers, or views, and Vault later tries to drop that account when the lease expires or is revoked.
Problem
The revocation failure is caused by a restriction on the MySQL side. When Vault attempts to remove the dynamic database user as part of the lease revocation process, MySQL returns Error 4006 (HY000) because the user is currently referenced as a DEFINER for a database object, such as an event, trigger, view, or stored procedure.
The relevant part of the error message from MySQL is:
Error 4006 (HY000): Operation DROP USER failed for 'v-rds--l7FmkV6DV'@'x.x.123.456%' as it is referenced as a definer account in an event.
In the Vault server log the failed revocation appears as:
failed to revoke lease: lease_id=database/creds/rds-xxx-mysql-01a-user-ddl/EUELe3Vb8DcIoe7Ja.wU123 error="failed to revoke entry: resp: (*logical.Response)(nil) err: Error 4006 (HY000): Operation DROP USER failed for 'v-rds--l7FmkV6DV'@'10.105.123.456%' as it is referenced as a definer account in an event." attempts=2 next_attempt=50.737212277s
Solution
The required step to resolve this issue is to change the DEFINER for the affected MySQL objects.
- Identify the Affected Objects: The Database Administrator (DBA) needs to identify all database objects (events, triggers, views, or stored procedures) that are currently referencing the dynamic Vault user (v-rds--l7FmkV6DV in this example) as their DEFINER.
- Change the DEFINER: The DBA must modify these objects to use a different, appropriate definer user that is not the dynamic user created by Vault.
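The two steps above worked through as an added SQL example (not part of the original article or of Vault). The Vault user and host are taken from the error message; the `appdb` object names and the long-lived `'app_owner'@'%'` account are assumptions a DBA would substitute with their own.

```sql
-- Step 1: list every object that names the dynamic Vault user as its DEFINER.
-- information_schema stores DEFINER as user@host in a single column, so the
-- value is the user and host from the log joined with '@' and without quotes.
SET @vault_user := 'v-rds--l7FmkV6DV@10.105.123.456%';

SELECT 'EVENT' AS object_type, EVENT_SCHEMA AS object_schema, EVENT_NAME AS object_name
  FROM information_schema.EVENTS   WHERE DEFINER = @vault_user
UNION ALL
SELECT 'TRIGGER', TRIGGER_SCHEMA, TRIGGER_NAME
  FROM information_schema.TRIGGERS WHERE DEFINER = @vault_user
UNION ALL
SELECT 'VIEW', TABLE_SCHEMA, TABLE_NAME
  FROM information_schema.VIEWS    WHERE DEFINER = @vault_user
UNION ALL
SELECT ROUTINE_TYPE, ROUTINE_SCHEMA, ROUTINE_NAME        -- PROCEDURE or FUNCTION
  FROM information_schema.ROUTINES WHERE DEFINER = @vault_user;

-- Step 2: move each object to a long-lived account. 'app_owner'@'%' and the
-- appdb objects are hypothetical; the account must already exist and hold the
-- privileges the object body needs, and the DBA issuing these statements needs
-- SUPER (or SET_USER_ID on MySQL 8) to name a definer other than themselves.

-- Events accept a new DEFINER directly; ALTER EVENT needs at least one more clause.
ALTER DEFINER = 'app_owner'@'%' EVENT appdb.nightly_rollup
  COMMENT 'definer moved off dynamic Vault user';

-- Views must be re-issued with their full body (copy it from SHOW CREATE VIEW).
SHOW CREATE VIEW appdb.v_open_orders;
ALTER DEFINER = 'app_owner'@'%' SQL SECURITY DEFINER VIEW appdb.v_open_orders AS
  SELECT id, customer_id, total FROM appdb.orders WHERE status = 'OPEN';

-- Triggers and stored routines cannot change DEFINER in place: capture the
-- definition, drop the object, then re-create it under the new account.
SHOW CREATE TRIGGER appdb.trg_orders_audit;
DROP TRIGGER appdb.trg_orders_audit;
CREATE DEFINER = 'app_owner'@'%' TRIGGER appdb.trg_orders_audit
  AFTER INSERT ON appdb.orders FOR EACH ROW
  INSERT INTO appdb.orders_audit (order_id, changed_at) VALUES (NEW.id, NOW());

SHOW CREATE PROCEDURE appdb.close_order;
DROP PROCEDURE appdb.close_order;
CREATE DEFINER = 'app_owner'@'%' PROCEDURE appdb.close_order (IN p_id INT)
  UPDATE appdb.orders SET status = 'CLOSED' WHERE id = p_id;

-- Step 3: re-run the Step 1 query. Once it returns no rows, MySQL accepts
-- DROP USER and Vault's next retry of the lease revocation succeeds.
```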
MySQL will not allow the user to be dropped as long as it is referenced as a definer. Therefore, Vault cannot successfully revoke the lease until these references are removed or updated. There is no Vault-side setting or workaround available to bypass this restriction, as it is a behavior enforced at the MySQL engine layer.