Dynamic DB credentials with HashiCorp Vault

Vault loves Postgres
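# Local demo stack: a Vault *dev-mode* server plus a Postgres 12 instance.
# Dev mode keeps everything in memory, starts unsealed and uses a fixed root
# token, so this file is for local experimentation only — not for any host
# reachable from a network you do not control.
version: '3.9'
services:
  vault:
    image: vault:1.7.0
    container_name: vault
    ports:
      # Publishes the Vault API on every host interface. Bind it to loopback
      # ("127.0.0.1:8200:8200") if the host is shared.
      - "8200:8200"
    environment:
      VAULT_ADDR: http://127.0.0.1:8200
      # Well-known root token for the demo: anyone who can reach :8200 has
      # full control of this Vault instance.
      VAULT_DEV_ROOT_TOKEN_ID: roottoken
      # Dev-mode listener is plain HTTP; tokens and leased credentials cross
      # the wire unencrypted.
      VAULT_DEV_LISTEN_ADDRESS: 0.0.0.0:8200
      # A no-op for the HTTP listener above, but it would silently disable
      # TLS verification if VAULT_ADDR were ever switched to https://.
      VAULT_SKIP_VERIFY: "true"
    cap_add:
      # Lets Vault mlock() its memory so secrets are not swapped to disk.
      - IPC_LOCK
    # Starts Postgres first. Note that depends_on waits for the container to
    # start, not for Postgres to accept connections.
    depends_on:
      - postgres
  postgres:
    image: postgres:12-alpine
    environment:
      # Admin credentials for the demo database; Vault is later configured to
      # connect with this user to create and drop the dynamic roles.
      POSTGRES_USER: exampledb
      POSTGRES_PASSWORD: exampledb
      POSTGRES_DB: exampledb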
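# Start the stack in the background, then open a shell in the Vault container.
# Everything below runs inside that shell.
docker-compose up -d
docker exec -it vault sh
# Dev-mode root token from the compose file; VAULT_ADDR is already set in the
# container environment.
export VAULT_TOKEN=roottoken
vault secrets enable database
# Connection Vault uses to manage Postgres roles. allowed_roles limits which
# Vault roles may use it. Two caveats for anything beyond a local demo:
#  - sslmode=disable sends the admin password and every generated credential
#    in cleartext over the Docker network; use sslmode=verify-full against a
#    TLS-enabled Postgres.
#  - the admin password is passed on the command line and lands in shell
#    history.
# Vault verifies the connection on write, so this fails if Postgres is not yet
# accepting connections — retry after a few seconds in that case.
vault write database/config/exampledb-pg \
  plugin_name=postgresql-database-plugin \
  allowed_roles="exampledb-pg" \
  connection_url="postgresql://{{username}}:{{password}}@postgres:5432/exampledb?sslmode=disable" \
  username=exampledb \
  password=exampledb
# Hand the admin password over to Vault. After this only Vault knows it, so
# the value in the compose file and in shell history no longer grants access.
# Direct logins as exampledb with the old password stop working.
vault write -f database/rotate-root/exampledb-pg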
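# SQL Vault runs (as the configured admin user) for each credential request.
# {{name}}, {{password}} and {{expiration}} are substituted by Vault; the
# quoted delimiter keeps the shell from expanding anything in the template.
# Caveat: the GRANTs cover only tables and sequences that exist when the role
# is created — objects created later are not covered. ALTER DEFAULT PRIVILEGES
# would extend them, but it makes the generated role a dependency that blocks
# DROP ROLE at revocation, so it is deliberately not used here.
# Keep the file free of SQL comments: Vault splits the template on ';', so a
# ';' inside a comment would be executed as a separate statement.
cat <<'EOF' > vault-postgres-creation.sql
CREATE ROLE "{{name}}" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';
GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA public TO "{{name}}";
GRANT USAGE, SELECT, UPDATE ON ALL SEQUENCES IN SCHEMA public to "{{name}}";
EOF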
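# Role bound to the connection above. Each read of database/creds/<role>
# creates a fresh Postgres login with a 5-minute lease, renewable up to 24h,
# after which Vault revokes it. No revocation_statements are set, so the
# plugin's built-in revocation is used — check the plugin docs for exactly
# what it runs before relying on it.
vault write database/roles/exampledb-pg \
  db_name=exampledb-pg \
  creation_statements=@vault-postgres-creation.sql \
  default_ttl="5m" \
  max_ttl="24h"
# Request a credential. The output contains a live password: it is printed
# to the terminal and may end up in logs or scrollback, so treat it as a
# secret even in a demo.
vault read database/creds/exampledb-pg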
Key                Value
--- -----
lease_id database/creds/exampledb-pg/wahjU6o4dDmkLzoPFwTTSMdk
lease_duration 5m
lease_renewable true
password I98JvcCYVf-xlLEgE4A5
username v-token-exampledb-p-pAWtSOmYYCqpEnP3XARY-1616423557
