
In this guide, you’ll learn how to enable and configure HashiCorp Vault’s Database Secrets Engine to manage dynamic credentials for a PostgreSQL database running in AWS RDS. We’ll cover:
  1. Verifying enabled secrets engines
  2. Enabling the Database Secrets Engine
  3. Configuring the database connection
  4. Creating a dynamic role
  5. Rotating root credentials
  6. Generating dynamic credentials
  7. Revoking leases and cleanup

Prerequisites

  • A running, unsealed Vault server (vault status shows Initialized true and Sealed false) and a token allowed to manage the database/ mount
  • Network connectivity from the Vault server to the RDS endpoint on TCP 5432 (security group and any intermediate firewall)
  • The AWS RDS PostgreSQL endpoint plus the username and password of an account that can create and drop roles. Use a dedicated account for Vault rather than the RDS master user: Vault will rotate this password and will then be the only holder of it.

1. Verify Enabled Secrets Engines

Start by listing all secrets engines currently enabled:
vault secrets list
Expected output:
Path         Type        Accessor           Description
----         ----        --------           -----------
aws/         aws         aws_9de29d31       n/a
cubbyhole/   cubbyhole   cubbyhole_772dff42 per-token private secret storage
identity/    identity    identity_8efc4dd9  identity store
sys/         system      system_5d807a2a    system endpoints used for control, policy and debugging
The database/ engine should not appear yet.

2. Enable the Database Secrets Engine

Enable the database engine at its default mount path:
vault secrets enable database
You should see:
Success! Enabled the database secrets engine at: database/
Verify it’s listed:
vault secrets list
Path         Type        Accessor             Description
----         ----        --------             -----------
aws/         aws         aws_9de29d31         n/a
cubbyhole/   cubbyhole   cubbyhole_772dff42   per-token private secret storage
database/    database    database_123abc      n/a
identity/    identity    identity_8efc4dd9    identity store
sys/         system      system_5d807a2a      system endpoints used for control, policy and debugging

3. Configure the Database Connection

Create a Vault “database configuration” named hcvop-db that points to your AWS RDS PostgreSQL instance:
vault write database/config/hcvop-db \
    plugin_name=postgresql-database-plugin \
    allowed_roles="hcvop-demo-role" \
    connection_url="postgresql://{{username}}:{{password}}@postgres01.cxojwmhweukf.us-east-1.rds.amazonaws.com:5432/" \
    username="postgres" \
    password="vaultdemo123"
Parameter           Description                                                               Example
---------           -----------                                                               -------
plugin_name         The database plugin to use                                                postgresql-database-plugin
allowed_roles       Roles permitted to generate credentials through this connection           hcvop-demo-role
connection_url      Template URL; Vault substitutes the stored admin credentials on connect   postgresql://{{username}}:{{password}}@your-rds-host:5432/
username/password   Admin credentials Vault uses to create, rotate and drop database users     postgres / vaultdemo123
Keep the {{username}} and {{password}} placeholders in connection_url rather than hard-coding the credentials: Vault only substitutes the stored values (and therefore the rotated password from step 5) into a templated URL. Passing password= on the command line also leaves the admin password in your shell history; the CLI can read a value from a file instead (password=@/path/to/file) or the whole request body from a JSON file.
Success message:
Success! Data written to: database/config/hcvop-db
To inspect the saved configuration:
vault read database/config/hcvop-db
Key                                  Value
---                                  -----
allowed_roles                        [hcvop-demo-role]
connection_url                       postgresql://{{username}}:{{password}}@postgres01.cxojwmhweukf.us-east-1.rds.amazonaws.com:5432/
plugin_name                          postgresql-database-plugin
password_policy                      n/a
root_credentials_rotate_statements   []
The admin password is never returned by this endpoint, so a read of the configuration cannot leak it; anyone with a token that can read database/config/ still learns the endpoint and the allowed roles, so scope that path in your policies.

4. Create a Dynamic Role

A Vault “role” defines how dynamic users are created and what permissions they have:
vault write database/roles/hcvop-demo-role \
    db_name="hcvop-db" \
    default_ttl="4h" \
    max_ttl="24h" \
    creation_statements="
      CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';
      GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";
    "
  • db_name: Must match the configuration name (hcvop-db), and the role name must be listed in that configuration's allowed_roles, or credential requests fail.
  • default_ttl/max_ttl: default_ttl is the lease duration a fresh credential gets (4h); the lease can be renewed, but never beyond max_ttl (24h) after issue.
  • creation_statements: SQL Vault runs as the admin user for every credential request; {{name}}, {{password}} and {{expiration}} are filled in by Vault. Note that GRANT ... ON ALL TABLES IN SCHEMA public only covers tables that exist at creation time; tables created later need ALTER DEFAULT PRIVILEGES or a re-grant. No revocation_statements are given here, so the PostgreSQL plugin's defaults apply: revoke the dynamic role's privileges on schema public and drop the role.
Verify the role:
vault read database/roles/hcvop-demo-role
Key                   Value
---                   -----
creation_statements   [CREATE ROLE "{{name}}" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; GRANT SELECT ON ALL TABLES IN SCHEMA public TO "{{name}}";]
db_name               hcvop-db
default_ttl           4h
max_ttl               24h

5. Rotate the Root Credentials

Rotating the admin password means the value you typed into database/config/ (and into your shell history) stops working, and only Vault knows the replacement:
vault write -f database/rotate-root/hcvop-db
Success! Data written to: database/rotate-root/hcvop-db
After rotation the old password is invalid immediately, and Vault does not return the new one. Any other system that was sharing the postgres password is now locked out, which is why the account Vault manages should be dedicated to Vault. Do this right after configuring the connection so the human-known password has the shortest possible life, and rotate on a schedule afterwards.

6. Generate Dynamic Credentials

Applications can now request short-lived credentials:
vault read database/creds/hcvop-demo-role
Key             Value
---             -----
lease_id        database/creds/hcvop-demo-role/sTmzKcBPw1uGOygvuPpc4i3i
lease_duration  4h
lease_renewable true
username        v-root-hcvop-de-Mop0jmV6qCkFhmuT6ftu-1652122668
password        wzpc9Br-CTAuvZw-aS50
The username encodes the requesting token's display name (root here) and a truncated role name, which makes database logs easy to attribute. The credentials are valid for the lease (4h from default_ttl); the lease is renewable (lease_renewable true) until max_ttl is reached, after which the application must request a fresh set, since VALID UNTIL in the creation statement also expires the database role at that time.

7. Revoke Leases and Cleanup

Revoke a Single Lease

vault lease revoke database/creds/hcvop-demo-role/sTmzKcBPw1uGOygvuPpc4i3i

Revoke All Leases for a Role

vault lease revoke -prefix database/creds/hcvop-demo-role
For each revoked lease Vault runs the role's revocation_statements as the admin user (for the PostgreSQL plugin the default revokes the dynamic role's privileges on schema public and drops the role), so the database user is gone as soon as the lease is revoked or expires. Disabling the mount entirely (vault secrets disable database/) revokes every lease under it first.
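The CLI calls above map onto Vault's HTTP API, and an application that consumes dynamic credentials talks to that API directly: request a credential, renew the lease well before it lapses, and revoke it on shutdown so the database user does not linger until the TTL. The following client is an added example covering steps 3 through 7, not code from this page or from HashiCorp. It assumes VAULT_ADDR and VAULT_TOKEN in the environment, the database/ mount, the hcvop-db configuration and hcvop-demo-role from the guide, and a database named postgres on the RDS host; the transport parameter is a hypothetical seam so a fake can stand in for the network when testing.

```python
"""Drive the guide's database/ mount through Vault's HTTP API (stdlib only).

Added example, not code from the KodeKloud page or from HashiCorp. Assumes
VAULT_ADDR and VAULT_TOKEN in the environment, the mount at database/, the
hcvop-db config and hcvop-demo-role role from the guide. `transport` is a
hypothetical hook so a fake can replace the network in tests.
"""
import json
import os
import urllib.request
from typing import Callable, Optional

# (method, url, JSON body or None, headers) -> decoded JSON ({} for a 204 reply)
Transport = Callable[[str, str, Optional[dict], dict], dict]


def http_transport(method: str, url: str, body: Optional[dict], headers: dict) -> dict:
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=10) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}


class VaultDatabase:
    def __init__(self, addr: Optional[str] = None, token: Optional[str] = None,
                 mount: str = "database", transport: Transport = http_transport):
        self.addr = (addr or os.environ["VAULT_ADDR"]).rstrip("/")
        self.token = token or os.environ["VAULT_TOKEN"]
        self.mount = mount
        self._transport = transport

    def _call(self, method: str, path: str, body: Optional[dict] = None) -> dict:
        headers = {"X-Vault-Token": self.token, "Content-Type": "application/json"}
        return self._transport(method, f"{self.addr}/v1/{path}", body, headers)

    # Step 3: write database/config/<name>; the password is never returned on read.
    def configure(self, name: str, connection_url: str, username: str,
                  password: str, allowed_roles: list) -> dict:
        return self._call("POST", f"{self.mount}/config/{name}", {
            "plugin_name": "postgresql-database-plugin",
            "allowed_roles": allowed_roles,
            "connection_url": connection_url,   # keep {{username}}/{{password}}
            "username": username,
            "password": password,
        })

    # Step 4: write database/roles/<role>.
    def create_role(self, role: str, db_name: str, creation_statements: list,
                    default_ttl: str, max_ttl: str) -> dict:
        return self._call("POST", f"{self.mount}/roles/{role}", {
            "db_name": db_name, "creation_statements": creation_statements,
            "default_ttl": default_ttl, "max_ttl": max_ttl,
        })

    # Step 5: rotate-root takes no body; afterwards only Vault knows the password.
    def rotate_root(self, name: str) -> dict:
        return self._call("POST", f"{self.mount}/rotate-root/{name}")

    # Step 6: read database/creds/<role>; flatten lease metadata and data fields.
    def get_creds(self, role: str) -> dict:
        resp = self._call("GET", f"{self.mount}/creds/{role}")
        return {"lease_id": resp["lease_id"],
                "lease_duration": resp["lease_duration"],
                "renewable": resp["renewable"],
                "username": resp["data"]["username"],
                "password": resp["data"]["password"]}

    # Lease lifecycle: renew (Vault caps it at max_ttl) and revoke (step 7).
    def renew(self, lease_id: str, increment: Optional[int] = None) -> int:
        body = {"lease_id": lease_id}
        if increment is not None:
            body["increment"] = increment
        return self._call("PUT", "sys/leases/renew", body)["lease_duration"]

    def revoke(self, lease_id: str) -> None:
        self._call("PUT", "sys/leases/revoke", {"lease_id": lease_id})


def renew_after(lease_duration: int, fraction: float = 0.5) -> int:
    """Seconds to wait before renewing: halfway through the lease, so a short
    Vault outage cannot let the database user expire under a running app."""
    return max(1, int(lease_duration * fraction))


def libpq_dsn(host: str, port: int, dbname: str, creds: dict) -> str:
    """Keyword DSN for libpq/psycopg2; avoids URL-escaping the generated password."""
    return (f"host={host} port={port} dbname={dbname} "
            f"user={creds['username']} password={creds['password']} sslmode=require")


if __name__ == "__main__":
    vault = VaultDatabase()  # real network; needs VAULT_ADDR and VAULT_TOKEN
    creds = vault.get_creds("hcvop-demo-role")
    print(libpq_dsn("postgres01.cxojwmhweukf.us-east-1.rds.amazonaws.com",
                    5432, "postgres", creds))  # dbname "postgres" is an assumption
    print("renew in", renew_after(creds["lease_duration"]), "s; renewed for",
          vault.renew(creds["lease_id"]), "s")
    vault.revoke(creds["lease_id"])  # drops the database user immediately
```

The renewal loop matters more than the first request: an application that simply re-reads database/creds/ every few minutes creates a new database role each time and leaves the old ones alive until their TTL, whereas renewing the lease keeps one user and lets Vault refuse the renewal once max_ttl is reached, which is the signal to fetch a fresh credential.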
