Dynamic secrets for database credential management
You should have a credential management strategy to protect critical data. Often, organizations have a policy to periodically rotate credentials. Also, you want to assign a different set of permissions granted for each user, system, or application that accesses data following the principle of least privilege.
Vault's database secrets engine provides a credential management solution so that the username and password can be dynamically generated upon request, and you can control the lifecycle of the credentials.
In this set of tutorials, you will follow the HashiCups organization as they configure Vault to provide dynamic credentials using the database secrets engine.
This collection is designed to help you learn about Vault's dynamic secrets capabilities and apply various concepts to your environment. If you are already familiar with how to configure and request dynamic credentials, use the left navigation menu to go to any of the other tutorials to learn more about specific features.
HashiCups requires each app to use unique credentials so that they are not shared between services. By making the credentials short-lived, you reduce the chance that they might be compromised. If an app becomes compromised, the credentials used by the app can be revoked rather than changing more global sets of credentials across multiple services. You can also automate continuous credential rotation to minimize risk.
In this tutorial, you are going to configure the database secrets engine, and create a read-only database role. The Vault-generated PostgreSQL credentials will only have read permission.
The end-to-end scenario described in this tutorial involves two personas:
- Operations: Oliver from the operations team with privileged permissions configures Vault and the database secrets engine.
- Developer: Danielle with the development tests the credentials to ensure apps can read secrets from Vault and access the PostgreSQL database.
This lab was tested on macOS using an x86_64 based and Apple silicon-based processors. You may also run this tutorial by clicking the Start interactive lab button.
Launch Terminal
This tutorial includes a free interactive command-line lab that lets you follow along on actual cloud infrastructure.
To perform the tasks described in this tutorial, you need to have:
- HCP or Vault Community Edition environment
- Docker to run a PostgreSQL container
- jq
- ngrok installed and configured with an auth token (HCP Vault Dedicated only)
Policy requirements
For the purpose of this tutorial, you can use your root
token to work with
Vault. However, it is recommended that root tokens are only used for just enough
initial setup or in emergencies. As a best practice, use tokens with an appropriate
set of policies based on your role in the organization.
To perform all tasks demonstrated in this tutorial, you would require two policies. The first is a policy for the operations team to configure the database secrets engine, and the second is for apps or developers to request credentials from the database secrets engine.
Vault admin policy
This policy allows you to configure the database secrets engine.
# Mount the database secret engine
path "sys/mounts/database" {
capabilities = [ "create", "update", "delete" ]
# Configure the database secrets engine and create roles
path "database/*" {
capabilities = [ "create", "read", "update", "delete", "list" ]
Database read-only policy
This policy allows you to read credentials from the database secrets engine.
# Read creds from the database secrets engine readonly role
path "database/creds/readonly" {
capabilities = [ "read" ]
If you are not familiar with policies, complete the policies tutorial.
Set up the lab
Start PostgreSQL
The tutorial requires a PostgreSQL database. Docker provides a PostgreSQL server image that satisfies this requirement.
Pull a PostgreSQL Docker image.
$ docker pull postgres:latest
Create a PostgreSQL database with a root user named
with the passwordrootpassword
.$ docker run \ --detach \ --name learn-postgres \ -e POSTGRES_USER=root \ -e POSTGRES_PASSWORD=rootpassword \ -p 5432:5432 \ --rm \ postgres
Verify that the PostgreSQL container is running.
$ docker ps -f name=learn-postgres --format "table {{.Names}}\t{{.Status}}" NAMES STATUS learn-postgres Up 5 seconds
The credentials generated by the Vault role require a role named
that has been granted the ability to read all tables.Create a role named
which can read all tables.$ docker exec -i \ learn-postgres \ psql -U root -c "CREATE ROLE \"ro\" NOINHERIT;"
Grant the ability to read all tables to the role named
.$ docker exec -i \ learn-postgres \ psql -U root -c "GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"ro\";"
The database is available and the role is created with the appropriate permissions.
Start Vault
In another terminal, start a Vault dev server with
as the root token.$ vault server -dev -dev-root-token-id root
The Vault dev server defaults to running at
. The server is initialized and unsealed.Insecure operation
Do not run a Vault dev server in production. This approach starts a Vault server with an in-memory database and runs in an insecure way.
Export an environment variable for the
CLI to address the Vault server.$ export VAULT_ADDR=
Export an environment variable for the
CLI to authenticate with the Vault server.$ export VAULT_TOKEN=root
For these tasks, you can use Vault's root token. However, it is recommended that root tokens are only used for enough initial setup or in emergencies. As a best practice, use an authentication method or token that meets the policy requirements.
Set an environment variable for the PostgreSQL address.
$ export POSTGRES_URL=
The Vault server is ready to proceed with the lab.
Configure the database secrets engine
(Persona: Operations)
The database secrets engine generates database credentials dynamically based on configured roles.
The database secrets engine supports many databases through a plugin interface.
To use a PostgreSQL database with the secrets engine requires further
configuration with the postgresql-database-plugin
plugin and connection
Enable the database secrets engine at the
path.$ vault secrets enable database
Configure the database secrets engine with the connection credentials for the PostgreSQL database.
$ vault write database/config/postgres \ plugin_name=postgresql-database-plugin \ connection_url="postgresql://{{username}}:{{password}}@$POSTGRES_URL/postgres?sslmode=disable" \ allowed_roles=readonly \ username="root" \ password="rootpassword"
The secrets engine is enabled and configured to work with PostgreSQL.
Users of Vault version 1.11.0 and beyond can specify multiple comma-separated
postgres server URLs in the value of connection_url
, and Vault will retry
communication with each server in the list until it can connect to one that is
actively handling requests.
Read the Database Root Credential Rotation tutorial to learn about rotating the root credential immediately after the initial configuration of each database.
Create a role
(Persona: Operations)
In the configure database secrets engine
section, you configured the database
secrets engine with the allowed role named readonly
. A Vault role is a
logical name within Vault that maps to database credentials. These credentials
have capabilities defined by SQL statements assigned to the Vault role.
When you define the role in a production deployment, you must create user creation_statements, revocation_statements, renew_statements, and rotation_statements, which are valid for the database you've configured. If you do not specify statements appropriate to creating, revoking, or rotating users, Vault inserts generic statements which can be unsuitable for your deployment.
Define the SQL used to create credentials.
$ tee readonly.sql <<EOF CREATE ROLE "{{name}}" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}' INHERIT; GRANT ro TO "{{name}}"; EOF
The SQL contains the templatized fields
, and{{expiration}}
. These values are provided by Vault when the credentials are created. This creates a new role and then grants that role the permissions defined in the PostgreSQL role namedro
. This PostgreSQL role was created when PostgreSQL was started.Create the role named
that creates credentials with thereadonly.sql
.$ vault write database/roles/readonly \ db_name=postgres \ creation_statements=@readonly.sql \ default_ttl=1h \ max_ttl=24h
The role generates database credentials with a default TTL of 1 hour and max TTL of 24 hours.
Request dynamic credentials
(Persona: Developer)
The applications that require the database credentials read them from the secret engine's readonly role.
Read credentials from the
database role.$ vault read database/creds/readonly Key Value --- ----- lease_id database/creds/readonly/fyF5xDomnKeCHNZNQgStwBKD lease_duration 1h lease_renewable true password A1a-ckirtymYaXACpIHn username v-token-readonly-6iRIcGv8tLpu816oblPY-1556567086
Connect to the PostgreSQL database and list all database users.
$ docker exec -i \ learn-postgres \ psql -U root -c "SELECT username, valuntil FROM pg_user;"
Example output:
username | valuntil --------------------------------------------------+------------------------ root | v-token-readonly-ExP3fop3xpzCoZkzdiT7-1635943853 | 2021-11-04 12:50:58+00 (2 rows)
The output displays a table of all the database credentials generated. The credentials that were generated appear in this list.
Clean up
Unset the
Stop the PostgreSQL container.
$ docker stop $(docker ps -f name=learn-postgres -q)
to stop the server process in the terminal window where you started the server, or use this command to kill the server process from any local terminal session:$ pgrep -f vault | xargs kill
In this tutorial, you followed the HashiCups operations team as they enabled the database secrets engine, and configured the PostgreSQL plugin.
The development team then requested credentials from the readonly
role. Vault
created the credentials dynamically and provided the username and password to
access the PostgreSQL database.
Help and reference
There are tools available to help integrate your applications with Vault's database secrets engine. Using those tools, the existing applications may require minimum to no code change to work with Vault.
For more information on the database secrets engine, refer to the Vault documentation.