True, a valid option for MySQL. Not every database handles LDAP, and Vault gives you dynamically created credentials to your DB, so the accounts are created and deleted AS NEEDED.
Submission title doesn't seem to have anything to do with the content? The post is mostly about semiautomated user account management; from the title I was expecting some kind of postmortem where provisioning a database user caused some kind of disaster.
Or, if you use Google Apps (aka G Suite now), use Google Identity-Aware Proxy [1]
Basically, all it does is add a couple of headers, like user-id, to every single HTTP request.
And as soon as you delete a user's account in your Google Apps console -- they will lose access to your corporate services.
Drawbacks are:
1. This requires cooperation from the services. E.g. you have Jenkins -- it needs to check those headers. I don't know if Jenkins has a plugin for that yet.
2. The service must run on GCP, so Google can proxy requests to it.
I can't help but notice that the script link to GitHub (seriously?) in the OP topic contains something involving NRPE and NSCLIENT++ - that's part of a bloody monitoring system.
There are APIs, connectors and the good $DEITY knows what in so many languages it isn't funny anymore that you decide to re-purpose a monitoring agent to delete an account? I'm no programmer, but even I could whip up a link between MySQL/MariaDB and, say, AD with PHP, Python or Perl.
Actually, the more I bother clicking on the links in the GH repo and idly browsing, the more I wonder what is going on.
It's like a one-stop shop for most of your security needs. They label it as "A Tool for Managing Secrets", which it does, but it does a lot more than that too. One of the things it does (and what applies here) is dynamically create DB accounts AS NEEDED with random usernames and passwords, which auto-expire and are deleted as soon as they are not needed anymore, which is more than strongDM seems to do.
Well that seems like a huge production outage just waiting to happen.