Vaultx.Secrets.Database.StaticRoles (Vaultx v0.7.0)

Static role management operations for Database secrets engine.

This module contains all static role related operations that are mixed into the main Database module. Static roles provide automatic credential rotation for existing database users.

Static Role Features

  • Automatic password rotation based on schedules or periods
  • Support for existing database users
  • Configurable rotation statements
  • Manual rotation triggers
  • Multiple credential types (password, RSA keys, client certificates)

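Summary

Functions

create_static_role(name, config, opts \\ [])
Create or update a static database role.

delete_static_role(name, opts \\ [])
Delete a static database role.

get_static_credentials(name, opts \\ [])
Get current credentials for a static database role.

list_static_roles(opts \\ [])
List all configured static database roles.

read_static_role(name, opts \\ [])
Read a static database role configuration.

rotate_static_role_credentials(name, opts \\ [])
Manually rotate credentials for a static database role.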

Functions

create_static_role(name, config, opts \\ [])

Create or update a static database role.

Configures a static role that maps to an existing database user. Vault rotates the role's credentials automatically, according to the configured rotation period or rotation schedule.

Parameters

  • name - Static role name
  • config - Static role configuration parameters
  • opts - Request options

Examples

# Static role with rotation period
config = %{
  db_name: "mysql",
  username: "static-database-user",
  rotation_statements: [
    "ALTER USER \"{{name}}\" IDENTIFIED BY '{{password}}';"
  ],
  rotation_period: 3600
}
:ok = Database.create_static_role("static-user", config)

# Static role with rotation schedule
config = %{
  db_name: "mysql",
  username: "static-database-user",
  rotation_statements: [
    "ALTER USER \"{{name}}\" IDENTIFIED BY '{{password}}';"
  ],
  rotation_schedule: "0 0 * * SAT",
  rotation_window: 3600
}
:ok = Database.create_static_role("static-user", config)

delete_static_role(name, opts \\ [])

Delete a static database role.

Examples

:ok = Database.delete_static_role("old-static-role")

get_static_credentials(name, opts \\ [])

Get current credentials for a static database role.

Examples

{:ok, creds} = Database.get_static_credentials("static-user")
%{
  username: "static-user",
  password: "132ae3ef-5a64-7499-351e-bfe59f3a2a21",
  last_vault_rotation: "2019-05-06T15:26:42.525302-05:00",
  rotation_period: 30,
  ttl: 28
}
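
The response carries a `ttl` (seconds until the next rotation), so a client can cache the credentials and refetch just before they change instead of reading Vault on every connection. The following is an added example, not code from Vaultx: `StaticCredCache`, its 5-second safety margin and the stub fetcher are assumptions, and the stub's values are constructed to mirror the response above.

```elixir
defmodule StaticCredCache do
  @moduledoc "Hypothetical helper for this example; not part of Vaultx."

  # Refetch this many seconds before the rotation is due, so a caller never
  # opens a connection with a password that is about to be replaced.
  @safety_margin 5

  @doc """
  Returns `{:ok, creds, cache}` or the fetcher's error tuple.
  `fetch` is a 1-arity function with the return shape of
  `get_static_credentials/2`; `now` is a monotonic clock in seconds.
  """
  def get(cache, role, fetch, now \\ System.monotonic_time(:second)) do
    case cache do
      # Cached entry is still inside its validity window: no Vault read.
      %{^role => %{creds: creds, refresh_at: refresh_at}} when now < refresh_at ->
        {:ok, creds, cache}

      # Missing or expired entry: fetch and record when to refresh next.
      _ ->
        with {:ok, creds} <- fetch.(role) do
          refresh_at = now + max(creds.ttl - @safety_margin, 0)
          {:ok, creds, Map.put(cache, role, %{creds: creds, refresh_at: refresh_at})}
        end
    end
  end
end

# Constructed stub standing in for the Vault read; it notifies the calling
# process on every call so the number of reads can be checked afterwards.
stub = fn "static-user" ->
  send(self(), :vault_read)
  {:ok, %{username: "static-user", password: "placeholder", rotation_period: 30, ttl: 28}}
end

# First call fetches (refresh_at = 0 + 28 - 5 = 23).
{:ok, creds, cache} = StaticCredCache.get(%{}, "static-user", stub, 0)
# At t=22 the cached credentials are returned without a Vault read.
{:ok, ^creds, cache} = StaticCredCache.get(cache, "static-user", stub, 22)
# At t=23 the margin is reached and the credentials are fetched again.
{:ok, _creds, _cache} = StaticCredCache.get(cache, "static-user", stub, 23)

# Exactly two reads reached the stub across the three calls.
{:message_queue_len, 2} = Process.info(self(), :message_queue_len)
```

In real use, pass `&Database.get_static_credentials/1` as `fetch`, and keep the cached map out of logs and crash reports since it holds the live password.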

list_static_roles(opts \\ [])

List all configured static database roles.

Examples

{:ok, roles} = Database.list_static_roles()
["static-user1", "static-user2", "admin-static"]

read_static_role(name, opts \\ [])

Read a static database role configuration.

Examples

{:ok, config} = Database.read_static_role("static-user")
%{
  credential_type: "password",
  db_name: "mysql",
  username: "static-user",
  rotation_statements: [
    "ALTER USER \"{{name}}\" IDENTIFIED BY '{{password}}';"
  ],
  rotation_period: 3600,
  skip_import_rotation: false
}

rotate_static_role_credentials(name, opts \\ [])

Manually rotate credentials for a static database role.

Examples

:ok = Database.rotate_static_role_credentials("static-user")