Vaultx.Secrets.RabbitMQ (Vaultx v0.7.0)


Unified RabbitMQ secrets engine interface for HashiCorp Vault.

This module provides a comprehensive interface to the Vault RabbitMQ secrets engine: connection configuration, lease settings, role management, and dynamic credential generation. Roles express RabbitMQ's own authentication and authorization model (per-vhost configure/write/read permissions, topic permissions, and user tags).

Enterprise RabbitMQ Credential Management

  • Dynamic Credential Generation: RabbitMQ users with configurable permissions
  • Connection Management: RabbitMQ server connection configuration
  • Role Management: Dynamic role configuration with permission enforcement
  • Lease Management: Configurable TTL and maximum TTL for credentials
  • Security Compliance: Audit logging, least privilege, and policy validation

Supported RabbitMQ Features

User Management

  • Dynamic Users: Temporary users with specific permissions
  • Virtual Host Access: Fine-grained vhost permission control
  • Topic Permissions: Exchange-level topic permission management (RabbitMQ 3.7+)
  • Management Tags: Administrative privilege assignment

Permission Types

  • Configure: Queue and exchange configuration permissions
  • Write: Message publishing permissions
  • Read: Message consumption permissions
  • Topic: Topic-based routing permissions

Configuration Examples

# Configure RabbitMQ connection
config = %{
  connection_uri: "http://localhost:15672",
  username: "admin",
  password: "admin123",
  verify_connection: true
}
{:ok, _} = RabbitMQ.configure_connection(config)

# Configure lease settings
lease_config = %{
  ttl: 1800,
  max_ttl: 3600
}
{:ok, _} = RabbitMQ.configure_lease(lease_config)

# Create a role with vhost permissions
role_config = %{
  tags: "management",
  # vhosts and vhost_topics are JSON strings; the ~s sigil avoids escaping the inner quotes
  vhosts: ~s({"/": {"configure":".*", "write":".*", "read": ".*"}}),
  vhost_topics: ~s({"/": {"amq.topic": {"write":".*", "read": ".*"}}})
}
{:ok, _} = RabbitMQ.create_role("web-service", role_config)

# Generate credentials
{:ok, creds} = RabbitMQ.generate_credentials("web-service")

API Compliance

Fully implements the HashiCorp Vault RabbitMQ secrets engine API:

Summary

Functions

configure_connection(config, opts \\ [])
  Configure connection information for RabbitMQ.

configure_lease(config, opts \\ [])
  Configure lease settings for generated credentials.

create_role(name, config, opts \\ [])
  Create or update a RabbitMQ role.

delete_role(name, opts \\ [])
  Delete a RabbitMQ role.

generate_credentials(name, opts \\ [])
  Generate credentials for a RabbitMQ role.

read_role(name, opts \\ [])
  Read a RabbitMQ role configuration.

Functions

configure_connection(config, opts \\ [])

Configure connection information for RabbitMQ.

Sets up the RabbitMQ connection parameters that Vault will use to communicate with RabbitMQ and generate credentials. Supports both HTTP and HTTPS connections with optional connection verification.

Parameters

  • config - Connection configuration parameters
  • opts - Request options including mount path

Examples

# Basic HTTP configuration
config = %{
  connection_uri: "http://localhost:15672",
  username: "admin",
  password: "admin123"
}
{:ok, _} = RabbitMQ.configure_connection(config)

# HTTPS with connection verification, a password policy and a username template
config = %{
  connection_uri: "https://rabbitmq.example.com:15671",
  username: "vault-admin",
  password: "secure-password",
  verify_connection: true,
  password_policy: "rabbitmq_policy",
  username_template: "vault-{{.DisplayName}}-{{random 8}}"
}
{:ok, _} = RabbitMQ.configure_connection(config)

configure_lease(config, opts \\ [])

Configure lease settings for generated credentials.

Sets the default TTL and maximum TTL for dynamically generated RabbitMQ credentials.

Parameters

  • config - Lease configuration parameters
  • opts - Request options

Examples

config = %{
  ttl: 1800,
  max_ttl: 3600
}
{:ok, _} = RabbitMQ.configure_lease(config)

create_role(name, config, opts \\ [])

Create or update a RabbitMQ role.

Configures a role that can be used to generate RabbitMQ credentials. The role defines the permissions, virtual hosts, and tags that will be assigned to generated users.

Parameters

  • name - Role name
  • config - Role configuration
  • opts - Request options

Examples

# Basic role with management tags
config = %{
  tags: "management",
  vhosts: ~s({"/": {"configure":".*", "write":".*", "read": ".*"}})
}
{:ok, _} = RabbitMQ.create_role("web-service", config)

# Role with topic permissions (RabbitMQ 3.7+)
config = %{
  tags: "monitoring",
  vhosts: ~s({"/": {"configure":"", "write":"", "read": ".*"}}),
  vhost_topics: ~s({"/": {"amq.topic": {"write":"", "read": ".*"}}})
}
{:ok, _} = RabbitMQ.create_role("monitoring-role", config)
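The `vhosts` and `vhost_topics` values in the Configuration Examples above and in the `create_role` examples here are JSON documents embedded in an Elixir string, which is easy to mis-quote and makes it hard to see how broad a permission actually is. The following is an added example, not code from Vaultx, that builds those strings from Elixir maps, rejects unknown permission keys and patterns that do not compile as regexes, and then uses them to define two least-privilege roles. It assumes the Jason library is available for JSON encoding; the `RolePermissions` module, the role names and the patterns are constructed for illustration, while `create_role` is the function documented on this page.

```elixir
# Added example, not part of Vaultx. Builds the `vhosts` / `vhost_topics` JSON
# strings a Vault RabbitMQ role expects from Elixir maps, so the inner quotes are
# never hand-escaped and each permission pattern is checked before it reaches
# Vault. Assumes the Jason library is available for JSON encoding.
defmodule RolePermissions do
  @vhost_perms ["configure", "write", "read"]
  @topic_perms ["write", "read"]

  # %{vhost => %{"configure" => regex, "write" => regex, "read" => regex}}
  def encode_vhosts(vhosts) when is_map(vhosts) do
    with :ok <- each_ok(vhosts, fn {_vhost, perms} -> check_perms(perms, @vhost_perms) end) do
      {:ok, Jason.encode!(vhosts)}
    end
  end

  # %{vhost => %{exchange => %{"write" => regex, "read" => regex}}}
  def encode_vhost_topics(topics) when is_map(topics) do
    check = fn
      {_vhost, exchanges} when is_map(exchanges) ->
        each_ok(exchanges, fn {_exchange, perms} -> check_perms(perms, @topic_perms) end)

      {vhost, _other} ->
        {:error, {:exchanges_must_be_a_map, vhost}}
    end

    with :ok <- each_ok(topics, check) do
      {:ok, Jason.encode!(topics)}
    end
  end

  # Every key must be a known permission and every value a string that compiles
  # as a regex. RabbitMQ matches these patterns against resource names and the
  # empty string grants nothing, so a pattern typo is caught here rather than
  # when the first generated user is denied (or over-granted).
  defp check_perms(perms, allowed) when is_map(perms) do
    each_ok(perms, fn {key, pattern} ->
      cond do
        key not in allowed -> {:error, {:unknown_permission, key}}
        not is_binary(pattern) -> {:error, {:pattern_not_a_string, key}}
        true -> compile_pattern(key, pattern)
      end
    end)
  end

  defp check_perms(_perms, _allowed), do: {:error, :permissions_must_be_a_map}

  defp compile_pattern(key, pattern) do
    case Regex.compile(pattern) do
      {:ok, _regex} -> :ok
      {:error, reason} -> {:error, {:invalid_pattern, key, pattern, reason}}
    end
  end

  # Runs `fun` over each element and stops at the first {:error, _}.
  defp each_ok(enum, fun) do
    Enum.reduce_while(enum, :ok, fn item, :ok ->
      case fun.(item) do
        :ok -> {:cont, :ok}
        {:error, _} = error -> {:halt, error}
      end
    end)
  end
end

# Two least-privilege roles on vhost "/": a publisher that may only write to
# exchanges named app.*, with routing keys under orders., and a consumer that
# may only read the orders queue. Neither may configure (declare or delete)
# anything. Names and patterns are constructed for this example.
{:ok, publisher_vhosts} =
  RolePermissions.encode_vhosts(%{"/" => %{"configure" => "", "write" => "^app\\.", "read" => ""}})

{:ok, publisher_topics} =
  RolePermissions.encode_vhost_topics(%{
    "/" => %{"app.events" => %{"write" => "^orders\\.", "read" => ""}}
  })

{:ok, consumer_vhosts} =
  RolePermissions.encode_vhosts(%{"/" => %{"configure" => "", "write" => "", "read" => "^orders$"}})

# A broken pattern is rejected before it is ever stored in a role:
{:error, {:invalid_pattern, "read", "^orders[", _reason}} =
  RolePermissions.encode_vhosts(%{"/" => %{"configure" => "", "write" => "", "read" => "^orders["}})

# tags: "" means the generated users get no management UI privileges.
{:ok, _} =
  Vaultx.Secrets.RabbitMQ.create_role("orders-publisher", %{
    tags: "",
    vhosts: publisher_vhosts,
    vhost_topics: publisher_topics
  })

{:ok, _} =
  Vaultx.Secrets.RabbitMQ.create_role("orders-consumer", %{tags: "", vhosts: consumer_vhosts})
```

Keeping the permission maps as data makes the scope of each role reviewable at a glance (a `".*"` in `configure` stands out in a code review in a way it does not inside a hand-quoted JSON string), and the regex check turns a silent authorization failure at message time into an error at role definition time.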

delete_role(name, opts \\ [])

Delete a RabbitMQ role.

Examples

:ok = RabbitMQ.delete_role("old-role")

generate_credentials(name, opts \\ [])

Generate credentials for a RabbitMQ role.

Generates dynamic RabbitMQ credentials based on the given role definition. The credentials will have the permissions, virtual hosts, and tags configured in the role.

Parameters

  • name - Role name to generate credentials for
  • opts - Request options

Returns

  • {:ok, credentials} - Successfully generated credentials
  • {:error, error} - Failed to generate credentials

Examples

{:ok, creds} = RabbitMQ.generate_credentials("web-service")
%{
  username: "root-4b95bf47-281d-dcb5-8a60-9594f8056092",
  password: "e1b6c159-ca63-4c6a-3886-6639eae06c30"
}

read_role(name, opts \\ [])

Read a RabbitMQ role configuration.

Examples

{:ok, config} = RabbitMQ.read_role("web-service")
%{
  tags: "management",
  vhosts: "{\"/\": {\"configure\":\".*\", \"write\":\".*\", \"read\": \".*\"}}",
  vhost_topics: "{\"/\": {\"amq.topic\": {\"write\":\".*\", \"read\": \".*\"}}}"
}