Using Static and Dynamic Vault Database Credentials


Accessing Vault

Web:

1. Connect to the DBAA Vault Instance.

2. Make sure that 'ldap' is highlighted.

3. Enter your PID for the Username and your PID password for the Password field.

4. A DUO two-factor request will be sent to your default two-factor device. Approve it.


Command Line:

1. If you've never used the Vault command line tool, do the following:

   1. Download the Vault command line tool for your operating system from https://www.vaultproject.io/downloads.html

   2. Unzip the file and copy the vault executable to a place in your PATH.

   3. Set the VAULT_ADDR environment variable to https://vault.es.cloud.vt.edu:8200

2. Log in to Vault using the command line tool. A DUO two-factor request will be sent to your default two-factor device.

Logging into Vault

vault login -method=ldap username=<pid>

3. The resulting token will be saved in the .vault-token file in your home directory. It is valid for 9 hours by default.

Unwrapping Tokens

Credentials may be provided as a 'wrapping token'. Wrapping tokens are generally valid for a short period of time (less than a day, typically) and may be used only once. A wrapping token may be unwrapped through the web interface or the command line.

Web:

1. Log in to the web interface.

2. Navigate to the Tools tab.

3. Select Unwrap on the left panel.

4. Enter or paste the wrapping token into the 'Wrapping Token' field.

5. Select "Unwrap Data".


Command Line:

Unwrapping a Token

vault unwrap <token>

Wrapping tokens are one-time use. If you are unable to unwrap a token, inform the provider as soon as possible, as it may indicate that an unintended party has already unwrapped the token.

Dynamic Database Credentials

Vault is able to generate database credentials dynamically. These credentials generally have a time-to-live of 9 hours but may be renewed up to a maximum of 24 hours. When credentials are requested, a temporary database user is created with the appropriate roles. The Vault command line tool is required to request or renew dynamic credentials.

Requesting Credentials:

Credentials Request

% vault read database/creds/playground
 
Key                Value
---                -----
lease_id           database/creds/playground/75aUgFGjBQf59Rxg4joGXOoR
lease_duration     9h
lease_renewable    true
password           A1a-uPP0CdC3ZHFXtK8q
username           v-ldap-cmc-playgrou-rBeG6GK0OwFvngztxMss-1567007737

Renewing Credentials:

Renewing Credentials

% vault lease renew database/creds/playground/75aUgFGjBQf59Rxg4joGXOoR
Key                Value
---                -----
lease_id           database/creds/playground/75aUgFGjBQf59Rxg4joGXOoR
lease_duration     9h
lease_renewable    true
 

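The request-and-renew cycle above, scripted as an added example (not code from the original page or from Vault itself). It assumes the vault CLI is on your PATH, VAULT_ADDR is set and you have already run vault login; it uses the -format=json output of vault read and vault lease renew, and the embedded sample reply is constructed, not a real lease. The renewal planner applies the page's limits: a 9h lease, renewable up to 24h from first issue, after which fresh credentials must be requested.

```python
import json
import subprocess

MAX_TTL = 24 * 3600   # page: dynamic leases renew up to a 24h maximum from first issue


def vault_json(subcommand, *args):
    """Run `vault <subcommand> -format=json <args>` and return the parsed reply.
    Assumes the vault CLI is on PATH, VAULT_ADDR is set and you are logged in."""
    proc = subprocess.run(["vault", subcommand, "-format=json", *args],
                          check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)


def parse_creds(reply):
    """Extract what a client needs from a `vault read -format=json` reply.
    In JSON, lease_duration is an integer number of seconds (the table view shows 9h)."""
    return {
        "lease_id": reply["lease_id"],
        "lease_duration": int(reply["lease_duration"]),
        "renewable": bool(reply["renewable"]),
        "username": reply["data"]["username"],
        "password": reply["data"]["password"],
    }


def plan_renewals(ttl, max_ttl=MAX_TTL):
    """Return (renew_offsets, reissue_by): seconds after issue at which to run
    `vault lease renew <lease_id>` (halfway through each lease), and the point by
    which new credentials must be requested, because Vault caps the lease at
    max_ttl from first issue and a further renewal would extend nothing."""
    if ttl <= 0:
        raise ValueError("lease ttl must be positive")
    renew_at, last, expires = [], 0, min(ttl, max_ttl)
    while expires < max_ttl:
        last = last + (expires - last) // 2      # renew with half the lease left
        renew_at.append(last)
        expires = min(last + ttl, max_ttl)       # renewal extends by ttl, capped
    return renew_at, expires


# Constructed sample of a `vault read -format=json database/creds/playground`
# reply; the lease_id, username and password are made up, not real values.
SAMPLE_REPLY = {
    "request_id": "00000000-0000-0000-0000-000000000000",
    "lease_id": "database/creds/playground/EXAMPLELEASEID",
    "lease_duration": 32400, "renewable": True,
    "data": {"password": "example-password", "username": "v-ldap-example-user"},
    "warnings": None,
}

if __name__ == "__main__":
    creds = parse_creds(vault_json("read", "database/creds/playground"))
    offsets, reissue_by = plan_renewals(creds["lease_duration"])
    print("user", creds["username"], "renew at (h):", [o / 3600 for o in offsets],
          "request new creds before (h):", reissue_by / 3600)
```

For the 9h lease shown above the planner renews at 4.5h, 9h, 13.5h and 18h, after which the lease is pinned at the 24h cap and a new vault read is required.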
Static Database Credentials

Vault is able to rotate passwords for database users that are not dynamically created by Vault. The path for the secrets is <database CNAME>/static-creds/<database username>. The password can be manually rotated by writing an empty value to <database CNAME>/rotate-role/<database username>. In the following examples the database CNAME is 'pgdvlp-na.db.es.cloud.vt.edu' and the database username is 'myuser'.

Requesting Credentials:

Credentials Request

% vault read pgdvlp-na.db.es.cloud.vt.edu/static-creds/myuser
Key                    Value
---                    -----
last_vault_rotation    2022-02-08T21:04:54.148414737Z
password               kUv6GXr1=eHgoAuGm.OEZ*T^
rotation_period        2160h
ttl                    2159h31m34s
username               mouser
 

Manual Rotation of Credentials:

Credential Rotation

% vault write -f pgdvlp-na.db.es.cloud.vt.edu/rotate-role/myuser
% vault read pgdvlp-na.db.es.cloud.vt.edu/static-creds/myuser   
Key                    Value
---                    -----
last_vault_rotation    2022-02-08T21:35:03.310718866Z
password               aw1op8cab-qnwfyamPfY
rotation_period        2160h
ttl                    2159h59m34s
username               myuser