Dynamic DB credentials with HashiCorp Vault

Vault loves Postgres

version: '3.9'
services:
  vault:
    image: vault:1.7.0
    container_name: vault
    ports:
      - "8200:8200"
    environment:
      VAULT_ADDR: http://127.0.0.1:8200
      VAULT_DEV_ROOT_TOKEN_ID: roottoken  # dev server only: fixed, well-known root token
      VAULT_DEV_LISTEN_ADDRESS: 0.0.0.0:8200
      VAULT_SKIP_VERIFY: "true"  # disables TLS certificate verification
    cap_add:
      - IPC_LOCK
  postgres:
    image: postgres:12-alpine
    environment:
      POSTGRES_USER: exampledb
      POSTGRES_PASSWORD: exampledb
      POSTGRES_DB: exampledb

docker-compose up -d
docker exec -it vault sh

export VAULT_TOKEN=roottoken  # the dev-mode root token set in the compose file
vault secrets enable database

vault write database/config/exampledb-pg \
    plugin_name=postgresql-database-plugin \
    allowed_roles="exampledb-pg" \
    connection_url="postgresql://{{username}}:{{password}}@postgres:5432/exampledb?sslmode=disable" \
    username=exampledb \
    password=exampledb

cat <<EOF > vault-postgres-creation.sql
CREATE ROLE "{{name}}" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';
GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA public TO "{{name}}";
GRANT USAGE, SELECT, UPDATE ON ALL SEQUENCES IN SCHEMA public TO "{{name}}";
EOF

vault write database/roles/exampledb-pg \
    db_name=exampledb-pg \
    creation_statements=@vault-postgres-creation.sql \
    default_ttl="5m" \
    max_ttl="24h"

vault read database/creds/exampledb-pg
Key                Value
---                -----
lease_id           database/creds/exampledb-pg/wahjU6o4dDmkLzoPFwTTSMdk
lease_duration     5m
lease_renewable    true
password           I98JvcCYVf-xlLEgE4A5
username           v-token-exampledb-p-pAWtSOmYYCqpEnP3XARY-1616423557
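
What default_ttl="5m" and max_ttl="24h" mean for an application holding these credentials, as an added example that is not part of the original article: the function plans when to renew the lease and when renewal stops helping and fresh credentials must be requested. The sample lease is constructed in the shape of `vault read -format=json` output, and the function name and the renew-at-two-thirds policy are assumptions chosen for illustration.

```python
import json

# Constructed sample in the shape of
# `vault read -format=json database/creds/exampledb-pg`;
# the lease id and credentials are placeholders, not real values.
SAMPLE_LEASE = json.loads("""
{
  "lease_id": "database/creds/exampledb-pg/EXAMPLE",
  "lease_duration": 300,
  "renewable": true,
  "data": {"username": "v-token-exampledb-p-EXAMPLE", "password": "EXAMPLE"}
}
""")

MAX_TTL = 24 * 60 * 60  # max_ttl="24h" from the role definition


def plan_lease(lease, max_ttl=MAX_TTL, num=2, den=3):
    """Return (renew_times, reissue_time) in seconds since the lease was issued.

    Assumed client policy (hypothetical): wake up after num/den of the
    remaining lifetime. Each renewal asks for another lease_duration; Vault
    caps the new expiry at issue time + max_ttl, after which the lease
    expires and the database role is revoked.
    """
    ttl = lease["lease_duration"]
    now, expiry = 0, ttl
    renewals = []
    while True:
        wake = now + (expiry - now) * num // den
        new_expiry = min(wake + ttl, max_ttl)
        if not lease["renewable"] or new_expiry <= expiry:
            # Renewing buys no more time: request fresh credentials instead.
            return renewals, wake
        renewals.append(wake)
        now, expiry = wake, new_expiry


if __name__ == "__main__":
    renewals, reissue = plan_lease(SAMPLE_LEASE)
    print(f"first renewal at {renewals[0]}s, {len(renewals)} renewals in total")
    print(f"fetch new credentials at {reissue}s, before the {MAX_TTL}s cap")
```

An application that only reads the credentials once at startup will lose database access after five minutes; it has to either renew on this schedule or reconnect with a newly issued username and password.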

Anders is a Finnish IT company, whose mission is sustainable software development with the greatest colleagues of all time.

Anders Innovations
