backport of commit c2f5ee0c6251e519c14de5d89a4ce337c688cb10 (#23687)

Co-authored-by: Jonathan Frappier <92055993+jonathanfrappier@users.noreply.github.com>
2023-10-17 10:25:46 -04:00 · 2023-10-17 10:25:46 -04:00 · 1db5482bef
parent ea40c49f6a
commit 1db5482bef
1 changed files with 65 additions and 1 deletions
--- a/website/content/docs/secrets/databases/index.mdx
+++ b/website/content/docs/secrets/databases/index.mdx
@ -43,7 +43,7 @@ access the associated user account in the database.
 <Warning title="Do not use static roles for root database credentials">
   Do not manage the same root database credentials that you provide to Vault in
   <tt>config/</tt> with static roles.
-   
+
   Vault does not distinguish between standard credentials and root credentials
   when rotating passwords. If you assign your root credentials to a static
   role, any dynamic or static users managed by that database configuration will
@ -241,6 +241,70 @@ password='your#StrongPassword%' \
 disable_escaping="true"
 ```

+## Unsupported databases
+
+### AWS DynamoDB
+
+Amazon Web Services (AWS) DynamoDB is a fully managed, serverless, key-value NoSQL database service. While
+DynamoDB is not supported by the database secrets engine, you can use the [AWS secrets engine](/vault/docs/secrets/aws)
+to provision dynamic credentials capable of accessing DynamoDB.
+
+1. Verify you have the AWS secrets engine enabled and configured.
+
+1. Create a role with the necessary permissions for your users to access DynamoDB. For example:
+
+   ```shell-session
+   $ vault write aws/roles/aws-dynamodb-read \
+           credential_type=iam_user \
+           policy_document=-<<EOF
+   {
+   	"Version": "2012-10-17",
+   	"Statement": [
+   		{
+   			"Effect": "Allow",
+   			"Action": [
+   				"dynamodb:DescribeTable",
+   				"dynamodb:GetItem",
+   				"dynamodb:GetRecords"
+   			],
+   			"Resource": "arn:aws:dynamodb:us-east-1:1234567891:table/example-table"
+   		},
+   		{
+   			"Effect": "Allow",
+   			"Action": "dynamodb:ListTables",
+   			"Resource": "*"
+   		}
+   	]
+   }
+   EOF
+   ```
+
+1. Generate dynamic credentials for DynamoDB using the `aws-dynamodb-read` role:
+
+   ```shell-session
+   $ vault read aws/creds/aws-dynamodb-read
+   Key                Value
+   ---                -----
+   lease_id           aws/creds/my-role/kbSnl9WSDzOXQerd8GiVh75N.DACNl
+   lease_duration     1h
+   lease_renewable    true
+   access_key         AKALMNOP123456
+   secret_key         xY4XhS3AsM3s+R33tCaybsT2XI6BVL+vF+khbbYD
+   security_token     <nil>
+   ```
+
+1. Use the dynamic credentials generated by Vault to access DynamoDB. For example, to connect with the
+   the [AWS CLI](https://docs.aws.amazon.com/cli/latest/reference/dynamodb/).
+
+   ```shell-session
+   $ aws dynamodb list-tables --region us-east-1
+   {
+       "TableNames": [
+           "example-table"
+       ]
+   }
+   ```
+
 ## Tutorial

 Refer to the following step-by-step tutorials for more information: