---
layout: docs
page_title: Redis ElastiCache - Database - Secrets Engines
description: |-
  Redis ElastiCache is one of the supported plugins for the database secrets engine.
  This plugin generates static credentials for existing managed roles.
---

# Redis ElastiCache Database Secrets Engine

Redis ElastiCache is one of the supported plugins for the database secrets engine.
This plugin generates static credentials for existing managed roles.

See the [database secrets engine](/docs/secrets/databases) docs for
more information about setting up the database secrets engine.

## Capabilities

| Plugin Name                         | Root Credential Rotation | Dynamic Roles | Static Roles | Username Customization |
| ----------------------------------- | ------------------------ | ------------- | ------------ | ---------------------- |
| `redis-elasticache-database-plugin` | No                       | No            | Yes          | No                     |

## Setup

1. Enable the database secrets engine if it is not already enabled:

    ```shell-session
    $ vault secrets enable database
    Success! Enabled the database secrets engine at: database/
    ```

    By default, the secrets engine is enabled at a path matching the engine name (`database/`). To
    enable the secrets engine at a different path, use the `-path` argument.

1. Configure Vault with the proper plugin and connection configuration:

    ```shell-session
    $ vault write database/config/my-redis-elasticache-cluster \
        plugin_name="redis-elasticache-database-plugin" \
        url="primary-endpoint.my-cluster.xxx.yyy.cache.amazonaws.com:6379" \
        username="AKI***" \
        password="ktriNYvULAWLzUmTGb***" \
        allowed_roles="*"
    ```

    ~> **Note**: The `username` and `password` parameters are optional. If omitted, authentication falls back on the AWS credentials provider chain.
    Using a [temporary credential](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html) stored in the proper environment
    variable is the preferred configuration method.

## Usage

After the secrets engine is configured, write static roles to enable generating credentials.

### Static roles

1. Configure a static role that maps a name in Vault to an existing Redis ElastiCache user:

    ```shell-session
    $ vault write database/static-roles/my-static-role \
        db_name="my-redis-elasticache-cluster" \
        username="my-existing-redis-user" \
        rotation_period=5m
    Success! Data written to: database/static-roles/my-static-role
    ```

1. Retrieve the credentials from the `/static-creds` endpoint:

    ```shell-session
    $ vault read database/static-creds/my-static-role
    Key                    Value
    ---                    -----
    last_vault_rotation    2022-09-14T11:45:57.24715105-04:00
    password               GKdS6qY-UtVAMpcD9iuu
    rotation_period        5m
    ttl                    4m48s
    username               my-existing-redis-user
    ```

~> **Note**: A newly rotated password may take up to a couple of minutes before ElastiCache finishes applying it to the user.
It is recommended to use a retry strategy when establishing new Redis ElastiCache connections. This prevents errors caused by
trying to authenticate with a password that isn't yet live on the targeted ElastiCache cluster.
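The retry strategy recommended in the note above, written out as an added example (not code from the Vault documentation or the plugin). It assumes the caller supplies `fetch_creds` (for instance a wrapper around reading `database/static-creds/<role>` over the Vault API) and `connect` (for instance a Redis client's connect-and-AUTH call); the `FakeElastiCache` class and the sample static-creds response are constructed to simulate the propagation lag offline.

```python
import time
from typing import Callable, Tuple

# Constructed sample of the "data" block that
# `vault read -format=json database/static-creds/my-static-role` returns (not a real capture).
SAMPLE_STATIC_CREDS = {
    "data": {"username": "my-existing-redis-user", "password": "GKdS6qY-UtVAMpcD9iuu",
             "rotation_period": 300, "ttl": 288},
}

class RedisAuthError(Exception):
    """Raised by the connect callback when the cluster rejects the password (WRONGPASS)."""

def creds_from_vault(resp: dict) -> Tuple[str, str]:
    """Extract username/password from a static-creds API response."""
    return resp["data"]["username"], resp["data"]["password"]

def connect_with_retry(fetch_creds: Callable[[], Tuple[str, str]],
                       connect: Callable[[str, str], object],
                       attempts: int = 6, base_delay: float = 2.0,
                       sleep: Callable[[float], None] = time.sleep):
    """Open a Redis connection using Vault static credentials, retrying on auth failure.

    ElastiCache applies a rotated password asynchronously, so the password Vault just
    returned may be rejected for a minute or two. On each failure we back off
    exponentially and re-read the static-creds endpoint (Vault may have rotated again
    in the meantime). Returns (connection, attempts_used); raises RuntimeError when exhausted.
    """
    delay, last_err = base_delay, None
    for n in range(1, attempts + 1):
        username, password = fetch_creds()
        try:
            return connect(username, password), n
        except RedisAuthError as err:
            last_err = err
            if n < attempts:
                sleep(delay)
                delay = min(delay * 2, 30.0)  # cap the backoff so a long outage is noticed
    raise RuntimeError(f"Redis auth failed after {attempts} attempts") from last_err

class FakeElastiCache:
    """Constructed stand-in: the rotated password becomes live only after `lag` attempts."""
    def __init__(self, old_password: str, new_password: str, lag: int):
        self.live, self.pending, self.lag, self.calls = old_password, new_password, lag, 0

    def connect(self, username: str, password: str) -> str:
        self.calls += 1
        if self.calls > self.lag:
            self.live = self.pending  # propagation finished
        if password != self.live:
            raise RedisAuthError("WRONGPASS invalid username-password pair")
        return f"connected:{username}"
```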
## API

The full list of configurable options can be seen in the [Redis ElastiCache Database Plugin API](/api-docs/secret/databases/rediselasticache) page.

For more information on the database secrets engine's HTTP API please see the [Database Secrets Engine API](/api-docs/secret/databases) page.