Demo Database Secrets Engine

In this tutorial, you'll learn how to set up HashiCorp Vault’s Database Secrets Engine to generate dynamic MySQL credentials for an AWS RDS instance. Dynamic secrets improve security by issuing short-lived, on-demand database users.

1. Enable the Database Secrets Engine

Enable the Database Secrets Engine at the path mysql:

vault secrets enable -path=mysql database

You should see:

Success! Enabled the database secrets engine at: mysql/

Verify the mount:

vault secrets list

Expected output:

Path       Type      Accessor        Description
----------- --------- --------------- -----------------------------
aws/       aws       aws_698889cf     n/a
cubbyhole/ cubbyhole cubbyhole_...   per-token private secret storage
identity/  identity  identity_...     identity store
mysql/     database  database_...     n/a
sys/       system    system_...       system endpoints used for control, policy and debugging

Note

If you choose a custom mount path, update all subsequent commands (mysql/ → <your-path>/).

2. Configure the MySQL Database Connection

Tell Vault how to connect to your RDS MySQL instance by specifying:

plugin_name: Database plugin (e.g., mysql-rds-database-plugin)
connection_url: Go template with {{username}} and {{password}}
allowed_roles: Roles permitted to use this connection
username/password: Vault credentials with admin privileges

Vault supports multiple MySQL plugins. For AWS RDS use mysql-rds-database-plugin.

The image shows a webpage from the Vault documentation, specifically about the MySQL/MariaDB Database Secrets Engine. It includes information on capabilities, setup, and available plugins for managing database credentials.

Assuming your RDS endpoint is database-1.cf5jhixkss7a.us-east-1.rds.amazonaws.com:3306, configure Vault:

vault write mysql/config/mysql-database \
  plugin_name="mysql-rds-database-plugin" \
  connection_url="{{username}}:{{password}}@tcp(database-1.cf5jhixkss7a.us-east-1.rds.amazonaws.com:3306)/" \
  allowed_roles="advanced" \
  username="admin" \
  password="vaultadvanced"

Vault will immediately validate this connection.

Verify RDS Endpoint in AWS Console

In the AWS RDS console, confirm your instance endpoint (and port 3306):

The image shows an Amazon RDS console displaying details of a database instance named "database-1," including its connectivity, security settings, and endpoint information.

The master username (admin) and other configuration details are under Configuration:

The image shows an Amazon RDS console displaying configuration details for a database instance, including instance class, storage, and availability settings.

3. Create a Role for Dynamic Credentials

Define a Vault role called advanced. This role tells Vault how to provision database users:

vault write mysql/roles/advanced \
  db_name="mysql-database" \
  creation_statements="
    CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}';
    GRANT SELECT ON *.* TO '{{name}}'@'%';
  " \
  default_ttl="1h" \
  max_ttl="24h"

Parameter	Description
db_name	Must match the connection name (`mysql-database`)
creation_statements	SQL commands Vault runs to provision a dynamic user
default_ttl / max_ttl	Lease durations for the generated credentials

Note

Adjust the SQL in creation_statements to grant required permissions (e.g., INSERT, UPDATE, etc.).

Inspect the role:

vault read mysql/roles/advanced

Expected output:

Key                   Value
---                   -----
creation_statements   [CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}';GRANT SELECT ON *.* TO '{{name}}'@'%';]
db_name               mysql-database
default_ttl           1h
max_ttl               24h
renew_statements      []
revoke_statements     []
rollback_statements   []

View the database connection configuration:

vault read mysql/config/mysql-database

Vault hides admin credentials:

Key                        Value
---                        -----
allowed_roles              [advanced]
connection_details         database-1.cf5jhixkss7a.us-east-1.rds.amazonaws.com:3306/ username:admin
plugin_name                mysql-rds-database-plugin
root_credentials_rotate_statements []

4. Rotate the Root Credentials (Optional)

To rotate the stored admin credentials for mysql-database:

vault write -force mysql/rotate-root/mysql-database

Vault will contact RDS and update the admin password in Vault.

5. Generate Dynamic Credentials

Request credentials for the advanced role:

vault read mysql/creds/advanced

Example response:

Key              Value
---              -----
lease_id         mysql/creds/advanced/FTkH1Q2Gfr7h4gTGOYxjPyPZ
lease_duration   1h
lease_renewable  true
username         v_root.adva_mO16
password         iYrDsp3r3LsmK3EcRBar

Every call issues a unique user/password pair with its own lease.

6. Revoke Leases

Revoke a specific lease:

vault lease revoke mysql/creds/advanced/aQqKo3VHQyCdfmj5hmqI2Red

Or revoke all leases under the advanced prefix:

vault lease revoke -prefix mysql/creds/advanced

Revoked credentials immediately lose access to the database.

Summary

Enabled Vault’s Database Secrets Engine at mysql/.
Configured a connection to an AWS RDS MySQL instance.
Created a Vault role (advanced) to provision dynamic users.
Optionally rotated the stored admin credentials.
Generated and revoked short-lived MySQL credentials.

Vault’s Database Secrets Engine ensures on-demand, rolling credentials for stronger security.