Today I’m going to talk about dynamic secrets in Vault, using a demo.
Prerequisites: you already have a Kubernetes cluster, a Vault server and a MySQL instance running in the cluster. I created MySQL and Vault with Helm; you can find the Helm charts. I will not paste the details here, so we can stay focused on the dynamic secret.
Database side:
create database dev;
create user 'vault'@'%';
grant all on *.* to 'vault'@'%' identified by 'P@ssw0rd';
grant grant option on example.* to 'vault'@'%';
The global grant gives the vault user the CREATE USER / DROP USER privileges it needs to manage the short-lived accounts, and the GRANT OPTION on example.* is what allows it to hand out the example.* grants used in the role's creation statements below.
Vault side:
# configure mysql plugin
vault write database/config/dev \
plugin_name=mysql-database-plugin \
connection_url="{{username}}:{{password}}@tcp(MYSQL_IP:3306)/" \
allowed_roles="dev" \
username="vault" \
password="P@ssw0rd"
# configure role
vault write database/roles/dev \
db_name=dev \
creation_statements="CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}';GRANT ALL ON example.* TO '{{name}}'@'%';" \
default_ttl="1h" \
max_ttl="24h"
Generate secret:
vault read database/creds/dev
Key                Value
---                -----
lease_id           database/creds/dev/OZnoVDMYqyUnDPZ6VVB2KN5
lease_duration     1h
lease_renewable    true
password           A1a-ChnbxQiFwZ3VpLa
username           v-root-dev-F3dcPKuc4YHv5TMFYGKR-
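As an added example (not part of the original post), the script below exercises one dynamic credential end to end: it requests a user from the role above, confirms the user can log in and carries only the example.* grant, revokes the lease, and confirms the login now fails. It assumes VAULT_ADDR and VAULT_TOKEN are exported, the vault and mysql CLIs are on PATH and can reach the database, and MYSQL_IP is the same placeholder used in the post.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: walk one dynamic credential
# through its lifecycle and verify that revoking the lease really removes
# the MySQL user. Assumes VAULT_ADDR/VAULT_TOKEN are exported, the `vault`
# and `mysql` CLIs are on PATH, and the database engine is configured as
# above. MYSQL_IP is the same placeholder used in the post.
set -euo pipefail
MYSQL_HOST="${MYSQL_HOST:-MYSQL_IP}"

# Extract one string field from `vault read -format=json` output.
# $1 = JSON text, $2 = key. Works without jq because the CLI emits
# unique keys whose values are plain strings.
json_field() {
  printf '%s\n' "$1" | sed -n "s/.*\"$2\":[[:space:]]*\"\([^\"]*\)\".*/\1/p"
}

# Request a fresh credential; sets LEASE_ID, DB_USER, DB_PASS.
issue_creds() {
  local json
  json=$(vault read -format=json database/creds/dev)
  LEASE_ID=$(json_field "$json" lease_id)
  DB_USER=$(json_field "$json" username)
  DB_PASS=$(json_field "$json" password)
}

# Exit status 0 if the generated user can authenticate, non-zero otherwise.
can_login() {
  mysql -h "$MYSQL_HOST" -u "$DB_USER" -p"$DB_PASS" -e 'SELECT 1' >/dev/null 2>&1
}

lifecycle_check() {
  issue_creds
  echo "issued user $DB_USER under lease $LEASE_ID"
  can_login || { echo "FAIL: fresh credential was rejected"; return 1; }
  # The grant list should show only USAGE plus ALL on example.*, nothing global.
  mysql -h "$MYSQL_HOST" -u "$DB_USER" -p"$DB_PASS" -e 'SHOW GRANTS'
  # Revoke early instead of waiting for default_ttl; Vault runs the plugin's
  # revocation statement (DROP USER) and the account disappears.
  vault lease revoke "$LEASE_ID"
  if can_login; then
    echo "FAIL: user still accepted after revocation"; return 1
  fi
  echo "OK: credential revoked and login now fails"
}

# Run the check only when invoked explicitly: bash lifecycle.sh run
if [ "${1:-}" = "run" ]; then lifecycle_check; fi
```

If the final login still succeeds, check the role's revocation_statements and the vault user's privileges before trusting the TTLs.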