vault
vault copied to clipboard
hashicorp
Support creation statements for database Static Role creation
Is your feature request related to a problem? Please describe.
When setting up a Postgres Static Role in Vault, we first need to create externally a role in Postgres. Example (extracted from https://learn.hashicorp.com/vault/secrets-management/db-creds-rotation):
CREATE ROLE "vault-edu" WITH LOGIN PASSWORD 'mypassword';
GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO "vault-edu";
This prevents us from having a fully automated process (using Terraform) to create a set static roles for Vault.
Describe the solution you'd like
In my point of view, supporting an additional parameter in the static-role creation endpoint (e.g. v1/database/static-roles) called creation_statements would be ideal. Similarly to dynamic roles, the creation statements would be used to create the static roles and they would work nicely with the already existing rotation_statements to cover the rotation side of things.
Describe alternatives you've considered
The alternative to allow full automation when creating static roles is to create a database user externally via the cloud provider APIs (e.g. gcloud sql API), but this is very limited and the users created via that API will be super-users instead of regular ones, which is far from ideal.
Explain any additional use-cases
n/a
Additional context
n/a
Thanks for your feature request!
Can a dynamic role be used instead of a static role? It seems like this might solve your problem.
Agreed. I think the static role definitions need to support creation_statements, deletion_statements, and rotation_statements. And this should be mapped 1:1 with the lifetime of the corresponding Vault role. So the user is created when the Vault role is created, and deleted when the Vault role is deleted.
Advantages:
-
This will make this a completely automated process.
-
I have a use case where I run a set of long running (7-14 days) jobs, which come up and go down randomly. Now this can be solved easily by using a static-role. This will help me use the Vault API to configure the lifetime of the DB user and then delete them automatically. Currently, since this is absent, I have to much around with the DB with another tool or script something out, add it to the CI/pipeline and make this happen. It doesn't hurt that Vault is already trusted by the DB and so should be able to create the user and delete it as required.
Interested to know if anyone managed to use procedural code in the rotation_statements, like so:
rotation_statements = [local.create_role,"ALTER ROLE \"{{username}}\" WITH PASSWORD '{{password}}';"]
where create_role is defined as
create_role = <<EOF
DO
$do$
BEGIN
IF EXISTS (SELECT FROM pg_catalog.pg_roles
WHERE rolname = '{{username}}'
) THEN
RAISE NOTICE 'SKIP ROLE MAKER!';
ELSE
CREATE ROLE "{{username}}" LOGIN PASSWORD 'whatever';
END IF;
END
$do$;
EOF
We cannot use the postgresql provider in this case due to the way the connection to the database works. In short, Vault has access to it but the instance from where TF is being run doesn't.
Hi, any update regarding this? This is a very common and must-have feature in case of static db roles
This would be very useful. Some applications need consistent usernames and/or cannot fetch credentials directly from vault, but we still define those in Terraform and secure the passwords in Vault as static roles.
Unfortunately, currently this means that bootstrap grants for dynamic user roles are cleanly defined in Terraform and Vault, but static user roles have their bootstrap grants managed in a completely separate process, outside of Vault, and outside Terraform entirely.
