Skip to main content
In this guide, you’ll learn how to enable and configure HashiCorp Vault’s Database Secrets Engine to manage dynamic credentials for a PostgreSQL database running in AWS RDS. We’ll cover:
  1. Verifying enabled secrets engines
  2. Enabling the Database Secrets Engine
  3. Configuring the database connection
  4. Creating a dynamic role
  5. Rotating root credentials
  6. Generating dynamic credentials
  7. Revoking leases and cleanup

Prerequisites

  • A running Vault server (vault status returns OK)
  • Network connectivity from Vault to your RDS instance (security group, firewall)
  • AWS RDS PostgreSQL endpoint, admin username, and password

1. Verify Enabled Secrets Engines

Start by listing all secrets engines currently enabled: 
vault secrets list
Expected output: 
Path         Type        Accessor           Description
----         ----        --------           -----------
aws/         aws         aws_9de29d31       n/a
cubbyhole/   cubbyhole   cubbyhole_772dff42 per-token private secret storage
identity/    identity    identity_8efc4dd9  identity store
sys/         system      system_5d807a2a    system endpoints used for control, policy and debugging
The database/ engine should not appear yet.

2. Enable the Database Secrets Engine

Enable the database engine at its default mount path: 
vault secrets enable database
You should see: 
Success! Enabled the database secrets engine at: database/
Verify it’s listed: 
vault secrets list

Path         Type        Accessor          Description
----         ----        --------          -----------
aws/         aws         aws_9de29d31      n/a
cubbyhole/   cubbyhole   cubbyhole_772dff42 per-token private secret storage
database/    database    database_123abc   n/a
identity/    identity    identity_8efc4dd9 identity store
sys/         system      system_5d807a2a   system endpoints used for control, policy and debugging

3. Configure the Database Connection

Create a Vault “database configuration” named hcvop-db that points to your AWS RDS PostgreSQL instance: 
vault write database/config/hcvop-db \
    plugin_name=postgresql-database-plugin \
    allowed_roles="hcvop-demo-role" \
    connection_url="postgresql://{{username}}:{{password}}@postgres01.cxojwmhweukf.us-east-1.rds.amazonaws.com:5432/" \
    username="postgres" \
    password="vaultdemo123"
ParameterDescriptionExample
plugin_nameThe database plugin to usepostgresql-database-plugin
allowed_rolesRoles permitted to generate credentials via this connectionhcvop-demo-role
connection_urlTemplate URL with placeholders for the admin credentialspostgresql://{{username}}:{{password}}@your-rds-host:5432/
username/passwordAdmin credentials Vault will use to manage the database (rotations, user creation, etc.)postgres / vaultdemo123
Success message: 
Success! Data written to: database/config/hcvop-db
To inspect the saved configuration: 
vault read database/config/hcvop-db

Key                       Value
---                       -----
allowed_roles             [hcvop-demo-role]
connection_url            postgresql://{{username}}:{{password}}@postgres01.cxojwmhweukf.us-east-1.rds.amazonaws.com:5432/
plugin_name               postgresql-database-plugin
password_policy           n/a
root_credentials_rotate_statements []
Vault does not show the stored username and password for security reasons.

4. Create a Dynamic Role

A Vault “role” defines how dynamic users are created and what permissions they have: 
vault write database/roles/hcvop-demo-role \
    db_name="hcvop-db" \
    default_ttl="4h" \
    max_ttl="24h" \
    creation_statements="
      CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';
      GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";
    "
  • db_name: Must match the configuration name (hcvop-db).
  • default_ttl/max_ttl: Time-to-live for generated credentials.
  • creation_statements: SQL executed to create a new user with permissions.
Verify the role: 
vault read database/roles/hcvop-demo-role

Key                   Value
---                   -----
creation_statements   [CREATE ROLE "{{name}}" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; GRANT SELECT ON ALL TABLES IN SCHEMA public TO "{{name}}";]
db_name               hcvop-db
default_ttl           4h
max_ttl               24h

5. Rotate the Root Credentials

Regularly rotating your admin credentials reduces risk: 
vault write -f database/rotate-root/hcvop-db

Success! Data written to: database/rotate-root/hcvop-db
After rotation, the old admin credentials become invalid immediately. Update any systems relying on these credentials.

6. Generate Dynamic Credentials

Applications can now request short-lived credentials: 
vault read database/creds/hcvop-demo-role

Key             Value
---             -----
lease_id        database/creds/hcvop-demo-role/sTmzKcBPw1uGOygvuPpc4i3i
lease_duration  4h
lease_renewable true
username        v-root-hcvop-de-Mop0jmV6qCkFhmuT6ftu-1652122668
password        wzpc9Br-CTAuvZw-aS50
These credentials automatically expire after the TTL unless renewed.

7. Revoke Leases and Cleanup

Revoke a Single Lease

vault lease revoke database/creds/hcvop-demo-role/sTmzKcBPw1uGOygvuPpc4i3i

Revoke All Leases for a Role

vault lease revoke -prefix database/creds/hcvop-demo-role
Vault will run the appropriate SQL to drop the dynamic users in your database.

References

Watch Video

Practice Lab