Create a dynamic MySQL secret in Vault

Today I'm going to walk through Vault's dynamic database secrets with a short demo.

Prerequisite: you already have a Kubernetes cluster with a Vault server and a MySQL instance running in it. I created both MySQL and Vault with Helm; you can find the Helm chart. I will not paste those details here, so that we stay focused on the dynamic secret itself.

Database side:

-- Database the application will use.
create database dev;
-- Vault's own account. It needs, at minimum, CREATE USER plus the privileges it
-- will hand out (here ALL on example.*) with GRANT OPTION; ALL on *.* is broader
-- than that. IDENTIFIED BY inside GRANT sets the password on MySQL 5.x; MySQL 8.0
-- rejects it, so there the password belongs on CREATE USER instead.
create user 'vault'@'%';
grant all on *.* to 'vault'@'%' identified by 'P@ssw0rd';
-- GRANT OPTION on example.* is what lets the role's creation_statements below
-- run GRANT ALL ON example.* for each generated user.
grant grant option on example.* to 'vault'@'%';

Vault side:

# configure mysql plugin
# (assumes the database secrets engine is already enabled at database/;
#  MYSQL_IP is the address of the MySQL service in the cluster)
vault write database/config/dev \
    plugin_name=mysql-database-plugin \
    connection_url="{{username}}:{{password}}@tcp(MYSQL_IP:3306)/" \
    allowed_roles="dev" \
    username="vault" \
    password="P@ssw0rd"
# Vault now holds this password; rotating it afterwards with
# `vault write -f database/rotate-root/dev` takes it out of your shell history.

# configure role
# Each `vault read database/creds/dev` runs creation_statements with a fresh
# {{name}}/{{password}}; the user lives for default_ttl, renewable up to max_ttl.
vault write database/roles/dev \
    db_name=dev \
    creation_statements="CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}';GRANT ALL ON example.* TO '{{name}}'@'%';" \
    default_ttl="1h" \
    max_ttl="24h"

Generate a credential:

vault read database/creds/dev
Key                Value
---                -----
lease_id           database/creds/dev/OZnoVDMYqyUnDPZ6VVB2KN5
lease_duration     1h
lease_renewable    true
password           A1a-ChnbxQiFwZ3VpLa
username           v-root-dev-F3dcPKuc4YHv5TMFYGKR-
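The same exchange from an application's point of view, as an added example that is not part of the original post: fetch the credential over Vault's HTTP API, renew the lease before it lapses, and revoke it at shutdown rather than leaving the MySQL user alive until the TTL. It assumes `VAULT_ADDR` and `VAULT_TOKEN` in the environment and the `dev` role above; `sample_call` is a constructed stand-in for Vault, echoing the output above, so the flow runs offline.

```python
import json
import os
import urllib.request

VAULT_ADDR = os.environ.get("VAULT_ADDR", "http://127.0.0.1:8200")

def http_call(method, path, body=None):
    """Real transport: one authenticated Vault HTTP API request (VAULT_TOKEN env var)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(f"{VAULT_ADDR}/v1/{path}", data=data, method=method,
                                 headers={"X-Vault-Token": os.environ["VAULT_TOKEN"]})
    with urllib.request.urlopen(req) as resp:   # raises HTTPError on 4xx/5xx
        raw = resp.read()
    return json.loads(raw) if raw else {}       # revoke answers 204 with no body

# Constructed offline stand-in for Vault, mirroring the `vault read` output above.
SAMPLE_LOG = []
def sample_call(method, path, body=None):
    SAMPLE_LOG.append((method, path, body))
    if path == "database/creds/dev":
        return {"lease_id": "database/creds/dev/OZnoVDMYqyUnDPZ6VVB2KN5",
                "lease_duration": 3600, "renewable": True,
                "data": {"username": "v-root-dev-F3dcPKuc4YHv5TMFYGKR-",
                         "password": "A1a-ChnbxQiFwZ3VpLa"}}
    if path == "sys/leases/renew":              # Vault caps the grant at max_ttl (24h)
        return {"lease_id": body["lease_id"], "renewable": True,
                "lease_duration": min(body["increment"], 86400)}
    return {}                                   # sys/leases/revoke: 204, empty body

def fetch_creds(role, call=http_call):
    """GET database/creds/<role>: the same fields `vault read` prints, as JSON."""
    r = call("GET", f"database/creds/{role}")
    return {"username": r["data"]["username"], "password": r["data"]["password"],
            "lease_id": r["lease_id"], "ttl": r["lease_duration"], "renewable": r["renewable"]}

def renewal_due(issued_at, ttl, now, fraction=0.75):
    """Renew at ~75% of the TTL: once a lease expires, Vault has already dropped the user."""
    return now - issued_at >= ttl * fraction

def renew(lease_id, increment, call=http_call):
    """POST sys/leases/renew; returns the TTL Vault actually granted, not the one asked for."""
    r = call("POST", "sys/leases/renew", {"lease_id": lease_id, "increment": increment})
    return r["lease_duration"]

def revoke(lease_id, call=http_call):
    """PUT sys/leases/revoke: Vault runs the revocation statements (DROP USER) right away."""
    call("PUT", "sys/leases/revoke", {"lease_id": lease_id})
    return True
```

Pass `call=http_call` (the default) against a live Vault; `call=sample_call` exercises the same code paths offline.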