backport of commit ce2851543f79e14611b1e8e5c997ad0fbe529dbf (#22633)

Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
This commit is contained in:
hc-github-team-secure-vault-core 2023-08-29 20:49:47 -04:00 committed by GitHub
parent dcc61f47f2
commit 568361c7a8
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23

View file

@ -28,18 +28,35 @@ become invalid within a reasonable time of the lease expiring.
### Static roles
The database secrets engine supports the concept of "static roles", which are
a 1-to-1 mapping of Vault Roles to usernames in a database. The current password
for the database user is stored and automatically rotated by Vault on a
configurable period of time. This is in contrast to dynamic secrets, where a
unique username and password pair are generated with each credential request.
When credentials are requested for the Role, Vault returns the current
password for the configured database user, allowing anyone with the proper
Vault policies to have access to the user account in the database.
With dynamic secrets, Vault generates a unique username and password pair for
each unique credential request. Vault also supports **static roles** for
some database secrets engines. Static roles are a 1-to-1 mapping of Vault roles
to usernames in a database. With static roles, Vault stores, and automatically
rotates, passwords for the associated database user based on a configurable
period of time.
-> Please consult the specific database documentation on the left navigation or
the table below under [Database Capabilities](#database-capabilities) to see if
a given database backend supports static roles.
When a client requests credentials for the static role, Vault
returns the current password for whichever database user is mapped to the
requested role. With static roles, anyone with the proper Vault policies can
access the associated user account in the database.
<Warning title="Do not use static roles for root database credentials">
Do not manage the same root database credentials that you provide to Vault in
<tt>config/</tt> with static roles.
Vault does not distinguish between standard credentials and root credentials
when rotating passwords. If you assign your root credentials to a static
role, any dynamic or static users managed by that database configuration will
fail after rotation because the password for <tt>config/</tt> is no longer
valid.
If you need to rotate root credentials, use the
[Rotate root credentials](vault/api-docs/secret/database/index.mdx#rotate-root-credentials)
API endpoint.
</Warning>
Consult the [database capabilities table](#db-capabilities-table) to determine
if your chosen database backend supports static roles.
## Setup
@ -134,6 +151,9 @@ As of Vault 1.6, all databases support dynamic roles and static roles. All plugi
the root user's credentials. MongoDB Atlas cannot support rotating the root user's credentials because it uses a public
and private key pair to authenticate.
<a id="db-capabilities-table" />
| Database | Root Credential Rotation | Dynamic Roles | Static Roles | Username Customization | Credential Types |
| ---------------------------------------------------------------------- | ------------------------ | ------------- | ------------ | ---------------------- |---------------------------|
| [Cassandra](/vault/docs/secrets/databases/cassandra) | Yes | Yes | Yes (1.6+) | Yes (1.7+) | password |
@ -222,6 +242,7 @@ disable_escaping="true"
```
## Tutorial
Refer to the following step-by-step tutorials for more information:
- [Secrets as a Service: Dynamic Secrets](/vault/tutorials/db-credentials/database-secrets)