Vaultx.Secrets.Database (Vaultx v0.7.0)


Unified Database secrets engine interface for HashiCorp Vault.

This module wraps the Database secrets engine API: dynamic and static credential management, connection configuration, and role management. Which database types are reachable is decided by the database plugins (built-in or custom) registered on the Vault server, not by this client; the module only issues the API calls. Audit logging, TTL enforcement, and least privilege are likewise properties of the Vault server and of how you write the role statements.

Enterprise Database Credential Management

  • Dynamic Credential Generation: Database users with configurable TTL and permissions
  • Static Credential Management: Automatic rotation of existing database users
  • Connection Management: Multiple database connections with plugin support
  • Role Management: Dynamic and static role configuration with policy enforcement
  • Root Credential Rotation: Automatic rotation of root database credentials
  • Multi-Database Support: MySQL, PostgreSQL, MongoDB, Oracle, MSSQL, and more
  • Security Compliance: Audit logging, least privilege, and policy validation

Supported Database Types

Relational Databases

  • MySQL/MariaDB: Full support for user management and permissions
  • PostgreSQL: Advanced role management with schema-level permissions
  • Oracle: Enterprise database support with tablespace management
  • Microsoft SQL Server: Windows and SQL authentication support
  • IBM DB2: Enterprise mainframe database support

NoSQL Databases

  • MongoDB: User and role management with database-level permissions
  • Cassandra: Keyspace and table-level access control
  • Elasticsearch: Index and cluster-level permissions
  • InfluxDB: Database and retention policy management
  • Redis: ACL-based user management (Redis 6+)

Cloud Databases

  • Amazon RDS: Multi-engine support with IAM integration
  • Google Cloud SQL: Service account and user management
  • Azure SQL Database: Azure AD integration support
  • MongoDB Atlas: Cloud-native user management

Configuration Examples

# All examples on this page assume:
alias Vaultx.Secrets.Database

# Configure MySQL connection. The username/password are the management
# credentials Vault uses to create and drop users; rotate them right after
# configuring so that only Vault knows the password.
config = %{
  plugin_name: "mysql-database-plugin",
  connection_url: "{{username}}:{{password}}@tcp(127.0.0.1:3306)/",
  username: "vaultuser",
  password: "secretpassword",
  allowed_roles: ["readonly", "readwrite"]
}
{:ok, _} = Database.configure_connection("mysql", config)
:ok = Database.rotate_root_credentials("mysql")

# Create dynamic role
role_config = %{
  db_name: "mysql",
  creation_statements: [
    "CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}'",
    "GRANT SELECT ON *.* TO '{{name}}'@'%'"
  ],
  default_ttl: 3600,
  max_ttl: 86400
}
{:ok, _} = Database.create_role("readonly", role_config)

# Generate dynamic credentials
{:ok, creds} = Database.generate_credentials("readonly")

# Create static role (Vault rotates the password of an existing MySQL user).
# MySQL quotes account names with single quotes, so the statement uses
# '{{name}}'@'%' rather than double quotes.
# Note: create_static_role/3 is referenced here but is not among the
# functions documented on this page for v0.7.0.
static_config = %{
  db_name: "mysql",
  username: "static-database-user",
  rotation_statements: [
    "ALTER USER '{{name}}'@'%' IDENTIFIED BY '{{password}}';"
  ],
  rotation_period: 3600
}
{:ok, _} = Database.create_static_role("static-user", static_config)
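The sequence above leaves the initial management password usable by anyone who saw it in a config file or shell history. The module below is an added example, not code from Vaultx or its documentation, that wraps the same documented calls into a bootstrap: it configures the connection, rotates the root password immediately, checks that `read_connection/2` does not echo a password, creates a role with bounded TTLs, and hands back the first dynamic credential. It assumes `alias Vaultx.Secrets.Database`, accepts both return shapes this page shows for write calls (`:ok` and `{:ok, _}`), and the `VaultBootstrap` name, its helpers, and the TTL values are hypothetical choices for illustration.

```elixir
defmodule VaultBootstrap do
  @moduledoc """
  Bring a database under Vault management so that the password first handed
  to Vault is retired immediately and applications only ever receive
  short-lived, role-scoped credentials. (Added example, not part of Vaultx.)
  """

  alias Vaultx.Secrets.Database

  # Seconds; assumed policy values. A bounded max_ttl caps the lifetime of a
  # leaked credential even if the holder keeps renewing it.
  @default_ttl 3600
  @max_ttl 4 * 3600

  @doc """
  Configure `conn_name` from `conn` (plugin_name, connection_url, username,
  password), rotate its root credentials, create `role_name` from the given
  creation statements and return `{:ok, creds}` with the first dynamic
  credential, or the first `{:error, _}` encountered.
  """
  def bootstrap(conn_name, role_name, %{connection_url: _, username: _, password: _} = conn, statements)
      when is_list(statements) do
    # Only the role we are about to create may use this connection.
    conn = Map.put(conn, :allowed_roles, [role_name])

    with :ok <- unwrap(Database.configure_connection(conn_name, conn)),
         # From here on only Vault knows the management password.
         :ok <- unwrap(Database.rotate_root_credentials(conn_name)),
         :ok <- check_password_not_readable(conn_name),
         :ok <- unwrap(Database.create_role(role_name, role(conn_name, statements))),
         {:ok, creds} <- Database.generate_credentials(role_name) do
      {:ok, creds}
    end
  end

  defp role(conn_name, statements) do
    %{
      db_name: conn_name,
      creation_statements: statements,
      default_ttl: @default_ttl,
      max_ttl: @max_ttl
    }
  end

  # Vault does not return the stored password from the config endpoint. This
  # check guards against a client or wrapper that echoes the full config, or a
  # caller that put the secret in a readable field. Both atom and string keys
  # are inspected because the page shows atom keys but other clients use strings.
  defp check_password_not_readable(conn_name) do
    with {:ok, cfg} <- Database.read_connection(conn_name) do
      details =
        Map.get(cfg, :connection_details) || Map.get(cfg, "connection_details") || %{}

      if Map.has_key?(details, :password) or Map.has_key?(details, "password") do
        {:error, {:password_readable, conn_name}}
      else
        :ok
      end
    end
  end

  # This page shows both `:ok` and `{:ok, _}` for write calls; accept either.
  defp unwrap(:ok), do: :ok
  defp unwrap({:ok, _}), do: :ok
  defp unwrap({:error, _} = err), do: err
end

# Usage (needs a Vault server with the database engine mounted; hostnames and
# credentials below are placeholders):
#
# VaultBootstrap.bootstrap("mysql", "app-readonly",
#   %{plugin_name: "mysql-database-plugin",
#     connection_url: "{{username}}:{{password}}@tcp(db.internal:3306)/",
#     username: "vaultuser", password: "initial-only"},
#   ["CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}'",
#    "GRANT SELECT ON appdb.* TO '{{name}}'@'%'"])
```

The grant in the usage comment is scoped to one schema rather than `*.*`; the connection's `allowed_roles` is pinned to the single role so that a later, broader role cannot silently reuse the same management account.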

API Compliance

Fully implements HashiCorp Vault Database secrets engine:

Summary

Functions

configure_connection(name, config, opts \\ [])
  Configure a database connection.

create_role(name, config, opts \\ [])
  Create or update a dynamic database role.

delete_connection(name, opts \\ [])
  Delete a database connection.

delete_role(name, opts \\ [])
  Delete a dynamic database role.

generate_credentials(name, opts \\ [])
  Generate credentials for a dynamic database role.

list_connections(opts \\ [])
  List all configured database connections.

list_roles(opts \\ [])
  List all configured dynamic database roles.

read_connection(name, opts \\ [])
  Read database connection configuration.

read_role(name, opts \\ [])
  Read a dynamic database role configuration.

reload_plugin(plugin_name, opts \\ [])
  Reload all connections for a specific plugin.

reset_connection(name, opts \\ [])
  Reset a database connection.

rotate_root_credentials(name, opts \\ [])
  Rotate root credentials for a database connection.

Functions

configure_connection(name, config, opts \\ [])

Configure a database connection.

Sets up the database connection parameters that Vault will use to communicate with the database and generate credentials. Supports multiple database types through plugin system.

Parameters

  • name - Connection name
  • config - Connection configuration parameters
  • opts - Request options including mount path

Examples

# MySQL connection
config = %{
  plugin_name: "mysql-database-plugin",
  connection_url: "{{username}}:{{password}}@tcp(127.0.0.1:3306)/",
  username: "vaultuser",
  password: "secretpassword",
  allowed_roles: ["readonly"]
}
{:ok, _} = Database.configure_connection("mysql", config)

# PostgreSQL with TLS and advanced configuration.
# sslmode=require only encrypts the session; verify-full also checks the
# server certificate (set sslrootcert if the CA is not in the system store).
# allowed_roles is required: with it omitted, Vault lets no role use the
# connection.
config = %{
  plugin_name: "postgresql-database-plugin",
  connection_url: "postgresql://{{username}}:{{password}}@localhost:5432/postgres?sslmode=verify-full",
  username: "vaultuser",
  password: "secretpassword",
  allowed_roles: ["readonly", "readwrite"],
  max_open_connections: 10,
  max_idle_connections: 5,
  max_connection_lifetime: "30s",
  username_template: "v-{{.RoleName}}-{{random 8}}-{{unix_time}}",
  password_authentication: "scram-sha-256",  # For PostgreSQL 10+
  disable_escaping: false
}
{:ok, _} = Database.configure_connection("postgres", config)

# PostgreSQL with multiple hosts for High Availability.
# target_session_attrs=read-write makes the driver skip read-only standbys,
# which could not execute the CREATE ROLE statements anyway.
ha_config = %{
  plugin_name: "postgresql-database-plugin",
  connection_url: "postgresql://{{username}}:{{password}}@primary:5432,secondary:5432/postgres?target_session_attrs=read-write&sslmode=verify-full",
  username: "vaultuser",
  password: "secretpassword",
  allowed_roles: ["readonly", "readwrite"]
}
{:ok, _} = Database.configure_connection("postgres-ha", ha_config)

# PostgreSQL on Google Cloud SQL with IAM authentication. Vault authenticates
# as the IAM service account, so no database password is configured and the
# Cloud SQL connector provides the transport security. The connection-string
# layout (instance connection name as host, no password) is shown as the
# expected shape; confirm it against the Vault PostgreSQL plugin docs for the
# server version you run. The JSON is passed with the ~s sigil so the inner
# double quotes need no escaping; in practice read it from a file or the
# environment rather than embedding it in code.
gcp_config = %{
  plugin_name: "postgresql-database-plugin",
  connection_url: "host=project:region:instance user={{username}} dbname=postgres",
  username: "vault-sa@my-project.iam",
  auth_type: "gcp_iam",
  service_account_json: ~s({"type":"service_account","project_id":"my-project"}),
  use_private_ip: true,
  allowed_roles: ["app-readonly"]
}
{:ok, _} = Database.configure_connection("cloudsql", gcp_config)

create_role(name, config, opts \\ [])

Create or update a dynamic database role.

Configures a role that can be used to generate dynamic database credentials. The role defines the database statements and constraints for credential generation.

Parameters

  • name - Role name
  • config - Role configuration parameters
  • opts - Request options

Examples

# MySQL readonly role
config = %{
  db_name: "mysql",
  creation_statements: [
    "CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}'",
    "GRANT SELECT ON *.* TO '{{name}}'@'%'"
  ],
  default_ttl: 3600,
  max_ttl: 86400
}
:ok = Database.create_role("readonly", config)

# PostgreSQL role with schema permissions and advanced features.
# The statements contain double quotes, so they are written with the ~s sigil.
# GRANT ... ON ALL TABLES only covers tables that exist at creation time; add
# an ALTER DEFAULT PRIVILEGES statement if tables created later must be
# covered, and revoke it again in revocation_statements or DROP ROLE will fail.
config = %{
  db_name: "postgres",
  creation_statements: [
    ~s(CREATE ROLE "{{name}}" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';),
    ~s(GRANT SELECT ON ALL TABLES IN SCHEMA public TO "{{name}}";),
    ~s(GRANT USAGE, SELECT ON ALL SEQUENCES IN SCHEMA public TO "{{name}}";)
  ],
  revocation_statements: [
    ~s(REVOKE ALL PRIVILEGES ON ALL TABLES IN SCHEMA public FROM "{{name}}";),
    ~s(REVOKE ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA public FROM "{{name}}";),
    ~s(DROP ROLE IF EXISTS "{{name}}";)
  ],
  renew_statements: [
    ~s(ALTER ROLE "{{name}}" VALID UNTIL '{{expiration}}';)
  ],
  rollback_statements: [
    ~s(DROP ROLE IF EXISTS "{{name}}";)
  ],
  default_ttl: 3600,
  max_ttl: 86400
}
:ok = Database.create_role("pg-readonly", config)
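Role statements are plain SQL and Vault executes whatever they contain, so the least-privilege property of dynamic credentials comes entirely from how the role is written. The module below is an added example, not code from Vaultx, that checks a role config for common over-grants and unbounded TTLs before it reaches `create_role/3`, and shows a MySQL role that grants on every database next to one scoped to a single schema. The forbidden patterns and the 24-hour ceiling are policy assumptions for illustration; it also assumes TTLs given as integer seconds, as on this page, and `RoleGuard` is a hypothetical name.

```elixir
defmodule RoleGuard do
  @moduledoc """
  Reject dynamic-role definitions that would hand out over-broad or
  unbounded credentials before they are sent to Vault. (Added example, not
  part of Vaultx; thresholds and patterns are assumptions.)
  """

  alias Vaultx.Secrets.Database

  # Longest life an organisation allows a dynamic credential (seconds); assumed.
  @max_ttl_ceiling 24 * 3600

  # Patterns that have no place in a credential an application fetches on demand.
  # Returned from a function rather than stored in a module attribute because
  # compiled regexes do not survive in attributes on recent Elixir/OTP.
  defp forbidden do
    [
      {~r/GRANT\s+ALL\s+PRIVILEGES/i, "grants ALL PRIVILEGES"},
      {~r/ON\s+\*\.\*/, "grants on every database (*.*)"},
      {~r/WITH\s+GRANT\s+OPTION/i, "lets the user delegate privileges"},
      {~r/\bSUPERUSER\b/i, "creates a superuser"},
      {~r/\bCREATEROLE\b/i, "lets the user create other roles"},
      {~r/\bpg_(read|write)_all_data\b/i, "grants a cluster-wide predefined role"}
    ]
  end

  @doc "Returns :ok, or {:error, reasons} listing every problem found."
  def check(%{} = config) do
    stmts = Map.get(config, :creation_statements, [])

    problems =
      ttl_problems(config) ++
        template_problems(stmts) ++
        Enum.flat_map(stmts, &statement_problems/1)

    if problems == [], do: :ok, else: {:error, problems}
  end

  @doc "Create the role only if check/1 passes; otherwise return its error."
  def create_checked(name, config, opts \\ []) do
    with :ok <- check(config), do: Database.create_role(name, config, opts)
  end

  # Assumes integer seconds, as in this page's examples.
  defp ttl_problems(config) do
    max = Map.get(config, :max_ttl)
    default = Map.get(config, :default_ttl)

    cond do
      is_nil(max) -> ["max_ttl not set: renewals are bounded only by the mount default"]
      not is_integer(max) or max <= 0 -> ["max_ttl must be a positive integer of seconds"]
      max > @max_ttl_ceiling -> ["max_ttl #{max}s exceeds ceiling of #{@max_ttl_ceiling}s"]
      is_integer(default) and default > max -> ["default_ttl exceeds max_ttl"]
      true -> []
    end
  end

  # Every credential must be the templated per-lease user, never a fixed name.
  defp template_problems([]), do: ["no creation_statements"]

  defp template_problems(stmts) do
    joined = Enum.join(stmts, "\n")

    [
      if(not String.contains?(joined, "{{name}}") and not String.contains?(joined, "{{username}}"),
        do: "creation statements never use {{name}}/{{username}}"),
      if(not String.contains?(joined, "{{password}}"),
        do: "creation statements never use {{password}}")
    ]
    |> Enum.reject(&is_nil/1)
  end

  defp statement_problems(stmt) do
    for {re, why} <- forbidden(), Regex.match?(re, stmt), do: "#{inspect(stmt)} #{why}"
  end
end

# Constructed inputs for illustration. The first role is rejected (no max_ttl,
# ALL PRIVILEGES, *.*); the second passes and may be sent with create_checked/3.
over_broad = %{
  db_name: "mysql",
  default_ttl: 3600,
  creation_statements: [
    "CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}'",
    "GRANT ALL PRIVILEGES ON *.* TO '{{name}}'@'%'"
  ]
}

scoped = %{
  db_name: "mysql",
  default_ttl: 3600,
  max_ttl: 14_400,
  creation_statements: [
    "CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}'",
    "GRANT SELECT ON appdb.* TO '{{name}}'@'%'"
  ]
}

RoleGuard.check(over_broad)
RoleGuard.check(scoped)
```

`check/1` collects every problem rather than stopping at the first, so a reviewer sees the whole picture in one round trip; `create_checked/3` is a drop-in for `Database.create_role/3` in deployment tooling. Tighten or relax the patterns to your own schema conventions, and keep the check in CI on the repository that holds the role definitions, not only at deploy time.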

delete_connection(name, opts \\ [])

Delete a database connection.

Examples

:ok = Database.delete_connection("old-connection")

delete_role(name, opts \\ [])

Delete a dynamic database role.

Examples

:ok = Database.delete_role("old-role")

generate_credentials(name, opts \\ [])

Generate credentials for a dynamic database role.

Generates dynamic database credentials based on the given role definition. Each call creates a new database user under a Vault lease; when the lease expires (default_ttl, renewable up to max_ttl) or is revoked, Vault runs the role's revocation statements and the user disappears. Treat the returned password as ephemeral and never write it to logs.

Parameters

  • name - Role name to generate credentials for
  • opts - Request options

Returns

  • {:ok, credentials} - Successfully generated credentials
  • {:error, error} - Failed to generate credentials

Examples

{:ok, creds} = Database.generate_credentials("readonly")
%{
  username: "root-1430158508-126",
  password: "132ae3ef-5a64-7499-351e-bfe59f3a2a21"
}

list_connections(opts \\ [])

List all configured database connections.

Examples

{:ok, connections} = Database.list_connections()
["mysql", "postgres", "mongodb"]

list_roles(opts \\ [])

List all configured dynamic database roles.

Examples

{:ok, roles} = Database.list_roles()
["readonly", "readwrite", "admin"]

read_connection(name, opts \\ [])

Read database connection configuration.

Examples

{:ok, config} = Database.read_connection("mysql")
%{
  allowed_roles: ["readonly"],
  connection_details: %{
    connection_url: "{{username}}:{{password}}@tcp(127.0.0.1:3306)/",
    username: "vaultuser"
  },
  plugin_name: "mysql-database-plugin"
}

read_role(name, opts \\ [])

Read a dynamic database role configuration.

Examples

{:ok, config} = Database.read_role("readonly")
%{
  creation_statements: [
    "CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';",
    "GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";"
  ],
  credential_type: "password",
  db_name: "postgres",
  default_ttl: 3600,
  max_ttl: 86400
}

reload_plugin(plugin_name, opts \\ [])

Reload all connections for a specific plugin.

Examples

{:ok, result} = Database.reload_plugin("postgresql-database-plugin")
%{connections: ["pg1", "pg2"], count: 2}

reset_connection(name, opts \\ [])

Reset a database connection.

Closes the connection and restarts it with stored configuration.

Examples

:ok = Database.reset_connection("mysql")

rotate_root_credentials(name, opts \\ [])

Rotate root credentials for a database connection.

Vault generates a new password for the connection's configured `username` and stores it internally; the password passed to `configure_connection/3` stops working and is never returned by `read_connection/2`. Call this immediately after configuring a connection so that the only copy of the management password lives in Vault. Do not share one database account between several connections: rotating it through one connection invalidates the others.

Examples

:ok = Database.rotate_root_credentials("mysql")