2017-05-03 07:01:28 +00:00
|
|
|
---
|
|
|
|
layout: "docs"
|
2017-09-20 20:05:00 +00:00
|
|
|
page_title: "Custom - Database - Secrets Engines"
|
2017-05-03 07:01:28 +00:00
|
|
|
sidebar_current: "docs-secrets-databases-custom"
|
|
|
|
description: |-
|
2017-09-20 20:05:00 +00:00
|
|
|
The database secrets engine allows new functionality to be added through a
|
|
|
|
plugin interface without needing to modify vault's core code. This allows you
|
|
|
|
write your own code to generate credentials in any database you wish. It also
|
|
|
|
allows databases that require dynamically linked libraries to be used as
|
|
|
|
plugins while keeping Vault itself statically linked.
|
2017-05-03 07:01:28 +00:00
|
|
|
---
|
|
|
|
|
2017-09-20 20:05:00 +00:00
|
|
|
# Custom Database Secrets Engines
|
2017-05-03 07:01:28 +00:00
|
|
|
|
2017-09-20 20:05:00 +00:00
|
|
|
The database secrets engine allows new functionality to be added through a
|
|
|
|
plugin interface without needing to modify vault's core code. This allows you
|
|
|
|
write your own code to generate credentials in any database you wish. It also
|
|
|
|
allows databases that require dynamically linked libraries to be used as plugins
|
|
|
|
while keeping Vault itself statically linked.
|
2017-05-03 07:01:28 +00:00
|
|
|
|
2017-09-20 20:05:00 +00:00
|
|
|
~> **Advanced topic!** Plugin development is a highly advanced topic in Vault,
|
|
|
|
and is not required knowledge for day-to-day usage. If you don't plan on writing
|
|
|
|
any plugins, we recommend not reading this section of the documentation.
|
2017-05-03 07:01:28 +00:00
|
|
|
|
|
|
|
Please read the [Plugins internals](/docs/internals/plugins.html) docs for more
|
|
|
|
information about the plugin system before getting started building your
|
|
|
|
Database plugin.
|
|
|
|
|
|
|
|
## Plugin Interface
|
|
|
|
|
2017-09-20 20:05:00 +00:00
|
|
|
All plugins for the database secrets engine must implement the same simple interface.
|
2017-05-03 07:01:28 +00:00
|
|
|
|
|
|
|
```go
|
|
|
|
type Database interface {
|
|
|
|
Type() (string, error)
|
2017-06-07 18:20:13 +00:00
|
|
|
CreateUser(statements Statements, usernameConfig UsernameConfig, expiration time.Time) (username string, password string, err error)
|
2017-05-03 07:01:28 +00:00
|
|
|
RenewUser(statements Statements, username string, expiration time.Time) error
|
|
|
|
RevokeUser(statements Statements, username string) error
|
|
|
|
|
|
|
|
Initialize(config map[string]interface{}, verifyConnection bool) error
|
|
|
|
Close() error
|
|
|
|
}
|
|
|
|
```
|
|
|
|
|
|
|
|
You'll notice the first parameter to a number of those functions is a
|
|
|
|
`Statements` struct. This struct is used to pass the Role's configured
|
|
|
|
statements to the plugin on function call. The struct is defined as:
|
|
|
|
|
|
|
|
```go
|
|
|
|
type Statements struct {
|
2017-08-14 14:46:39 +00:00
|
|
|
CreationStatements string
|
2017-05-03 07:01:28 +00:00
|
|
|
RevocationStatements string
|
2017-08-14 14:46:39 +00:00
|
|
|
RollbackStatements string
|
|
|
|
RenewStatements string
|
2017-05-03 07:01:28 +00:00
|
|
|
}
|
|
|
|
```
|
|
|
|
|
|
|
|
It is up to your plugin to replace the `{{name}}`, `{{password}}`, and
|
|
|
|
`{{expiration}}` in these statements with the proper vaules.
|
|
|
|
|
|
|
|
The `Initialize` function is passed a map of keys to values, this data is what the
|
|
|
|
user specified as the configuration for the plugin. Your plugin should use this
|
|
|
|
data to make connections to the database. It is also passed a boolean value
|
|
|
|
specifying whether or not your plugin should return an error if it is unable to
|
|
|
|
connect to the database.
|
|
|
|
|
|
|
|
## Serving your plugin
|
|
|
|
|
|
|
|
Once your plugin is built you should pass it to vault's `plugins` package by
|
|
|
|
calling the `Serve` method:
|
|
|
|
|
|
|
|
```go
|
|
|
|
package main
|
|
|
|
|
|
|
|
import (
|
|
|
|
"github.com/hashicorp/vault/plugins"
|
|
|
|
)
|
|
|
|
|
|
|
|
func main() {
|
|
|
|
plugins.Serve(new(MyPlugin), nil)
|
|
|
|
}
|
|
|
|
```
|
|
|
|
|
|
|
|
Replacing `MyPlugin` with the actual implementation of your plugin.
|
|
|
|
|
|
|
|
The second parameter to `Serve` takes in an optional vault `api.TLSConfig` for
|
|
|
|
configuring the plugin to communicate with vault for the initial unwrap call.
|
2017-05-03 09:13:07 +00:00
|
|
|
This is useful if your vault setup requires client certificate checks. This
|
2017-05-03 07:01:28 +00:00
|
|
|
config wont be used once the plugin unwraps its own TLS cert and key.
|
|
|
|
|
|
|
|
## Running your plugin
|
|
|
|
|
|
|
|
The above main package, once built, will supply you with a binary of your
|
|
|
|
plugin. We also recommend if you are planning on distributing your plugin to
|
2017-08-14 14:46:39 +00:00
|
|
|
build with [gox](https://github.com/mitchellh/gox) for cross platform builds.
|
2017-05-03 07:01:28 +00:00
|
|
|
|
2017-09-20 20:05:00 +00:00
|
|
|
To use your plugin with the database secrets engine you need to place the binary in the
|
2017-08-14 14:46:39 +00:00
|
|
|
plugin directory as specified in the [plugin internals](/docs/internals/plugins.html) docs.
|
2017-05-03 07:01:28 +00:00
|
|
|
|
|
|
|
You should now be able to register your plugin into the vault catalog. To do
|
2017-08-14 14:46:39 +00:00
|
|
|
this your token will need sudo permissions.
|
2017-05-03 07:01:28 +00:00
|
|
|
|
2017-09-20 20:05:00 +00:00
|
|
|
```text
|
2017-08-14 14:46:39 +00:00
|
|
|
$ vault write sys/plugins/catalog/myplugin-database-plugin \
|
2017-09-20 20:05:00 +00:00
|
|
|
sha_256="..." \
|
2017-05-03 07:01:28 +00:00
|
|
|
command="myplugin"
|
|
|
|
Success! Data written to: sys/plugins/catalog/myplugin-database-plugin
|
|
|
|
```
|
|
|
|
|
|
|
|
Now you should be able to configure your plugin like any other:
|
|
|
|
|
2017-09-20 20:05:00 +00:00
|
|
|
```text
|
2017-05-03 07:01:28 +00:00
|
|
|
$ vault write database/config/myplugin \
|
|
|
|
plugin_name=myplugin-database-plugin \
|
|
|
|
allowed_roles="readonly" \
|
2017-09-20 20:05:00 +00:00
|
|
|
myplugins_connection_details="..."
|
2017-05-03 07:01:28 +00:00
|
|
|
```
|