HashiCorp Certified: Vault Associate Certification
Compare and Configure Secrets Engines
Demo Database Secrets Engine
In this tutorial, you'll learn how to set up HashiCorp Vault’s Database Secrets Engine to generate dynamic MySQL credentials for an AWS RDS instance. Dynamic secrets improve security by issuing short-lived, on-demand database users.
1. Enable the Database Secrets Engine
Enable the Database Secrets Engine at the path `mysql`:

```shell
vault secrets enable -path=mysql database
```

You should see:

```
Success! Enabled the database secrets engine at: mysql/
```
Verify the mount:

```shell
vault secrets list
```

Expected output:

```
Path          Type         Accessor              Description
----          ----         --------              -----------
aws/          aws          aws_698889cf          n/a
cubbyhole/    cubbyhole    cubbyhole_...         per-token private secret storage
identity/     identity     identity_...          identity store
mysql/        database     database_...          n/a
sys/          system       system_...            system endpoints used for control, policy and debugging
```
Note: If you choose a custom mount path, update all subsequent commands (`mysql/` → `<your-path>/`).
2. Configure the MySQL Database Connection
Tell Vault how to connect to your RDS MySQL instance by specifying:

- `plugin_name`: Database plugin (e.g., `mysql-rds-database-plugin`)
- `connection_url`: Go template containing `{{username}}` and `{{password}}`
- `allowed_roles`: Roles permitted to use this connection
- `username` / `password`: Vault's own credentials for the database, which must have enough privileges to create and drop users

Vault supports multiple MySQL plugins. For AWS RDS use `mysql-rds-database-plugin`.

Assuming your RDS endpoint is `database-1.cf5jhixkss7a.us-east-1.rds.amazonaws.com:3306`, configure Vault:

```shell
vault write mysql/config/mysql-database \
  plugin_name="mysql-rds-database-plugin" \
  connection_url="{{username}}:{{password}}@tcp(database-1.cf5jhixkss7a.us-east-1.rds.amazonaws.com:3306)/" \
  allowed_roles="advanced" \
  username="admin" \
  password="vaultadvanced"
```

Vault will immediately validate this connection.
Vault will immediately validate this connection.
Verify RDS Endpoint in AWS Console
In the AWS RDS console, confirm your instance endpoint (and port 3306). The master username (`admin`) and other configuration details are under Configuration.
3. Create a Role for Dynamic Credentials
Define a Vault role called `advanced`. This role tells Vault how to provision database users:

```shell
vault write mysql/roles/advanced \
  db_name="mysql-database" \
  creation_statements="
    CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}';
    GRANT SELECT ON *.* TO '{{name}}'@'%';
  " \
  default_ttl="1h" \
  max_ttl="24h"
```
| Parameter | Description |
|---|---|
| `db_name` | Must match the connection name (`mysql-database`) |
| `creation_statements` | SQL commands Vault runs to provision a dynamic user |
| `default_ttl` / `max_ttl` | Lease durations for the generated credentials |

Note: Adjust the SQL in `creation_statements` to grant the permissions the consumer actually needs (e.g., `INSERT`, `UPDATE`), and scope the grant to the schemas it needs rather than `*.*`.
Inspect the role:

```shell
vault read mysql/roles/advanced
```

Expected output:

```
Key                    Value
---                    -----
creation_statements    [CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}';GRANT SELECT ON *.* TO '{{name}}'@'%';]
db_name                mysql-database
default_ttl            1h
max_ttl                24h
renew_statements       []
revoke_statements      []
rollback_statements    []
```
View the database connection configuration:

```shell
vault read mysql/config/mysql-database
```

Vault does not return the stored admin password:

```
Key                                 Value
---                                 -----
allowed_roles                       [advanced]
connection_details                  database-1.cf5jhixkss7a.us-east-1.rds.amazonaws.com:3306/ username:admin
plugin_name                         mysql-rds-database-plugin
root_credentials_rotate_statements  []
```
4. Rotate the Root Credentials (Optional)
To rotate the stored admin credentials for `mysql-database`:

```shell
vault write -force mysql/rotate-root/mysql-database
```

Vault generates a new password, sets it on the `admin` user in RDS, and stores the new value in its own configuration. After rotation only Vault knows the `admin` password (the value you typed in step 2 no longer works), so keep a separate break-glass account if you need direct administrative access to the database.
5. Generate Dynamic Credentials
Request credentials for the `advanced` role:

```shell
vault read mysql/creds/advanced
```

Example response:

```
Key                Value
---                -----
lease_id           mysql/creds/advanced/FTkH1Q2Gfr7h4gTGOYxjPyPZ
lease_duration     1h
lease_renewable    true
username           v_root.adva_mO16
password           iYrDsp3r3LsmK3EcRBar
```

Every call issues a unique user/password pair with its own lease.
6. Revoke Leases
Revoke a specific lease:

```shell
vault lease revoke mysql/creds/advanced/aQqKo3VHQyCdfmj5hmqI2Red
```

Or revoke all leases under the `advanced` prefix:

```shell
vault lease revoke -prefix mysql/creds/advanced
```

Revoked credentials immediately lose access to the database: Vault drops the dynamic user, so the username/password pair no longer authenticates.
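The script below is an added example, not part of the original tutorial, that strings steps 3, 5 and 6 together as shell functions: it writes a role whose grant is scoped to a single schema (refusing a `*.*` grant), requests credentials, parses the `lease_id`, `username` and `password` out of the `vault read` table, and revokes the lease when the work is done. It assumes `VAULT_ADDR` and `VAULT_TOKEN` are exported, the engine is mounted at `mysql/` and the connection is named `mysql-database` as above; the schema `appdb`, the role `appdb-reader` and the 15m/1h TTLs are this example's own choices.

```shell
#!/usr/bin/env sh
# Added example: role -> dynamic credentials -> revoke, driven through the vault CLI.
# Assumes VAULT_ADDR/VAULT_TOKEN are set. MOUNT and CONNECTION default to the
# tutorial's values; "appdb" and "appdb-reader" are hypothetical names.
set -eu

MOUNT="${MOUNT:-mysql}"
CONNECTION="${CONNECTION:-mysql-database}"

# vault_field KEY: print the value of one row of `vault read` table output read
# from stdin. The values we need (lease_id, username, password) contain no spaces.
vault_field() {
  awk -v key="$1" '$1 == key { print $2; exit }'
}

# scoped_grant SCHEMA: creation statements granting SELECT on one schema only,
# instead of the *.* grant used by the tutorial's demo role.
scoped_grant() {
  printf "CREATE USER '{{name}}'@'%%' IDENTIFIED BY '{{password}}'; GRANT SELECT ON %s.* TO '{{name}}'@'%%';" "$1"
}

# statements_ok SQL: fail for statements that grant on every schema (*.*) or that
# lack the {{name}}/{{password}} placeholders Vault substitutes at issue time.
statements_ok() {
  case "$1" in
    *'ON *.*'*) return 1 ;;
  esac
  case "$1" in
    *'{{name}}'*'{{password}}'*) return 0 ;;
  esac
  return 1
}

# create_role ROLE SCHEMA: write the role with short leases after checking the SQL.
create_role() {
  sql=$(scoped_grant "$2")
  statements_ok "$sql" || { echo "refusing to write over-broad role $1" >&2; return 1; }
  vault write "$MOUNT/roles/$1" db_name="$CONNECTION" \
    creation_statements="$sql" default_ttl="15m" max_ttl="1h"
}

# issue_creds ROLE: print "lease_id username password" on one line.
issue_creds() {
  out=$(vault read "$MOUNT/creds/$1")
  printf '%s %s %s\n' \
    "$(printf '%s\n' "$out" | vault_field lease_id)" \
    "$(printf '%s\n' "$out" | vault_field username)" \
    "$(printf '%s\n' "$out" | vault_field password)"
}

# revoke_lease LEASE_ID: drop the dynamic user as soon as the job is finished,
# rather than waiting for default_ttl to expire.
revoke_lease() {
  vault lease revoke "$1"
}

main() {
  create_role appdb-reader appdb
  set -- $(issue_creds appdb-reader)
  lease="$1"; user="$2"; pass="$3"
  echo "issued $user under lease $lease"
  # Use the credential here, e.g. mysql -h "$RDS_HOST" -u "$user" -p"$pass" -e 'SELECT 1'
  revoke_lease "$lease"
  echo "revoked $lease"
}

# Run the full lifecycle only when invoked as `sh script.sh run`.
if [ "${1:-}" = "run" ]; then main; fi
```

Revoking explicitly at the end of a job, as `main` does, keeps the window in which a leaked credential is usable to the job's runtime rather than the full `default_ttl`.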
Summary
- Enabled Vault's Database Secrets Engine at `mysql/`.
- Configured a connection to an AWS RDS MySQL instance.
- Created a Vault role (`advanced`) to provision dynamic users.
- Optionally rotated the stored admin credentials.
- Generated and revoked short-lived MySQL credentials.

Vault's Database Secrets Engine replaces long-lived shared database passwords with on-demand, short-lived credentials that can be revoked the moment they are no longer needed.