+ added Redis ElastiCache documentation (#17133)
* added Redis ElastiCache documentation
parent 05a5928b8d
commit 709c1bebf6
|
@ -0,0 +1,53 @@
|
|||
---
|
||||
layout: api
|
||||
page_title: Redis ElastiCache - Database - Secrets Engines - HTTP API
|
||||
description: >-
|
||||
The Redis ElastiCache plugin for Vault's database secrets engine generates new passwords for ElastiCache users.
|
||||
---
|
||||
|
||||
# Redis ElastiCache Database Plugin HTTP API
|
||||
|
||||
The Redis ElastiCache database plugin is one of the supported plugins for the database
|
||||
secrets engine. This plugin generates static database credentials based on
|
||||
configured roles for the Redis ElastiCache database.
|
||||
|
||||
## Configure Connection
|
||||
|
||||
In addition to the parameters defined by the [Database
|
||||
Secrets Engine](/api-docs/secret/databases#configure-connection), this plugin
|
||||
has a number of parameters to further configure a connection.
|
||||
|
||||
| Method | Path |
|
||||
| :----- | :----------------------- |
|
||||
| `POST` | `/database/config/:name` |
|
||||
|
||||
### Parameters
|
||||
|
||||
- `url` `(string: <required>)` – Specifies the primary endpoint to connect to.
|
||||
|
||||
- `username` `(string)` – Specifies the IAM access_key_id for Vault to use. If omitted, authentication fallbacks on the AWS credentials provider chain and tries to infer authentication from the environment.
|
||||
|
||||
- `password` `(string)` – Specifies the IAM secret_access_key corresponding to
|
||||
the given access_key_id. If omitted, authentication fallbacks on the AWS credentials provider chain and tries to infer authentication from the environment.
|
||||
|
||||
### Sample Payload
|
||||
|
||||
```json
|
||||
{
|
||||
"plugin_name": "redis-elasticache-database-plugin",
|
||||
"url": "primary-endpoint.my-cluster.xxx.yyy.cache.amazonaws.com:6379",
|
||||
"username": "AKI***",
|
||||
"password": "ktriNYvULAWLzUmTGb***",
|
||||
"allowed-roles": "*"
|
||||
}
|
||||
```
|
||||
|
||||
### Sample Request
|
||||
|
||||
```shell-session
|
||||
$ curl \
|
||||
--header "X-Vault-Token: ..." \
|
||||
--request POST \
|
||||
--data @payload.json \
|
||||
http://127.0.0.1:8200/v1/database/config/my-redis-cluster
|
||||
```
|
|
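Review bot: The sample payload uses the key `"allowed-roles": "*"` with a hyphen, while the CLI example in the docs page added by this same commit writes `allowed_roles="*"`; use `allowed_roles` in the payload so the two agree. In the `username` and `password` descriptions, "authentication fallbacks on" should read "authentication falls back on". Since both fields carry an IAM access key pair, this page should also repeat the docs page's note that a temporary credential taken from the environment is the preferred configuration, and the sample would be better with a named role list than `*`.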
@ -62,6 +62,7 @@ exists within the Vault repository, the plugin can be built as instructed in
|
|||
- [MySQL/MariaDB](/api-docs/secret/databases/mysql-maria)
|
||||
- [Oracle Database](https://github.com/hashicorp/vault-plugin-database-oracle) <Tag title='external' color='yellow' />
|
||||
- [PostgreSQL](/api-docs/secret/databases/postgresql)
|
||||
- [Redis ElastiCache](/api-docs/secret/databases/rediselasticache)
|
||||
- [Redshift](/api-docs/secret/databases/redshift)
|
||||
- [Snowflake](https://github.com/hashicorp/vault-plugin-database-snowflake)
|
||||
|
||||
|
|
|
@ -133,21 +133,22 @@ As of Vault 1.6, all databases support dynamic roles and static roles. All plugi
|
|||
the root user's credentials. MongoDB Atlas cannot support rotating the root user's credentials because it uses a public
|
||||
and private key pair to authenticate.
|
||||
|
||||
| Database | Root Credential Rotation | Dynamic Roles | Static Roles | Username Customization | Credential Types |
|
||||
| ----------------------------------------------------- | ------------------------ | ------------- | ------------ | ---------------------- |---------------------------|
|
||||
| [Cassandra](/docs/secrets/databases/cassandra) | Yes | Yes | Yes (1.6+) | Yes (1.7+) | password |
|
||||
| [Couchbase](/docs/secrets/databases/couchbase) | Yes | Yes | Yes | Yes (1.7+) | password |
|
||||
| [Elasticsearch](/docs/secrets/databases/elasticdb) | Yes | Yes | Yes (1.6+) | Yes (1.8+) | password |
|
||||
| [HanaDB](/docs/secrets/databases/hanadb) | Yes (1.6+) | Yes | Yes (1.6+) | Yes (1.12+) | password |
|
||||
| [InfluxDB](/docs/secrets/databases/influxdb) | Yes | Yes | Yes (1.6+) | Yes (1.8+) | password |
|
||||
| [MongoDB](/docs/secrets/databases/mongodb) | Yes | Yes | Yes | Yes (1.7+) | password |
|
||||
| [MongoDB Atlas](/docs/secrets/databases/mongodbatlas) | No | Yes | Yes | Yes (1.8+) | password |
|
||||
| [MSSQL](/docs/secrets/databases/mssql) | Yes | Yes | Yes | Yes (1.7+) | password |
|
||||
| [MySQL/MariaDB](/docs/secrets/databases/mysql-maria) | Yes | Yes | Yes | Yes (1.7+) | password |
|
||||
| [Oracle](/docs/secrets/databases/oracle) | Yes | Yes | Yes | Yes (1.7+) | password |
|
||||
| [PostgreSQL](/docs/secrets/databases/postgresql) | Yes | Yes | Yes | Yes (1.7+) | password |
|
||||
| [Redshift](/docs/secrets/databases/redshift) | Yes | Yes | Yes | Yes (1.8+) | password |
|
||||
| [Snowflake](/docs/secrets/databases/snowflake) | Yes | Yes | Yes | Yes (1.8+) | password, rsa_private_key |
|
||||
| Database | Root Credential Rotation | Dynamic Roles | Static Roles | Username Customization | Credential Types |
|
||||
| ---------------------------------------------------------------------- | ------------------------ | ------------- | ------------ | ---------------------- |---------------------------|
|
||||
| [Cassandra](/docs/secrets/databases/cassandra) | Yes | Yes | Yes (1.6+) | Yes (1.7+) | password |
|
||||
| [Couchbase](/docs/secrets/databases/couchbase) | Yes | Yes | Yes | Yes (1.7+) | password |
|
||||
| [Elasticsearch](/docs/secrets/databases/elasticdb) | Yes | Yes | Yes (1.6+) | Yes (1.8+) | password |
|
||||
| [HanaDB](/docs/secrets/databases/hanadb) | Yes (1.6+) | Yes | Yes (1.6+) | Yes (1.12+) | password |
|
||||
| [InfluxDB](/docs/secrets/databases/influxdb) | Yes | Yes | Yes (1.6+) | Yes (1.8+) | password |
|
||||
| [MongoDB](/docs/secrets/databases/mongodb) | Yes | Yes | Yes | Yes (1.7+) | password |
|
||||
| [MongoDB Atlas](/docs/secrets/databases/mongodbatlas) | No | Yes | Yes | Yes (1.8+) | password |
|
||||
| [MSSQL](/docs/secrets/databases/mssql) | Yes | Yes | Yes | Yes (1.7+) | password |
|
||||
| [MySQL/MariaDB](/docs/secrets/databases/mysql-maria) | Yes | Yes | Yes | Yes (1.7+) | password |
|
||||
| [Oracle](/docs/secrets/databases/oracle) | Yes | Yes | Yes | Yes (1.7+) | password |
|
||||
| [PostgreSQL](/docs/secrets/databases/postgresql) | Yes | Yes | Yes | Yes (1.7+) | password |
|
||||
| [Redis ElastiCache](/docs/secrets/databases/rediselasticache) | No | No | Yes | No | password |
|
||||
| [Redshift](/docs/secrets/databases/redshift) | Yes | Yes | Yes | Yes (1.8+) | password |
|
||||
| [Snowflake](/docs/secrets/databases/snowflake) | Yes | Yes | Yes | Yes (1.8+) | password, rsa_private_key |
|
||||
|
||||
## Custom Plugins
|
||||
|
||||
|
|
|
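Review bot: The new `Redis ElastiCache` row has `No` under both Root Credential Rotation and Dynamic Roles, but the paragraph above the table (visible in the hunk header and the context lines) still says all databases support dynamic roles and static roles, and explains the missing root rotation only for MongoDB Atlas. Update that paragraph to say Redis ElastiCache supports static roles only and has no root credential rotation, so the prose and the table do not contradict each other.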
@ -0,0 +1,87 @@
|
|||
---
|
||||
layout: docs
|
||||
page_title: Redis ElastiCache - Database - Secrets Engines
|
||||
description: |-
|
||||
Redis ElastiCache is one of the supported plugins for the database secrets engine.
|
||||
This plugin generates static credentials for existing managed roles.
|
||||
---
|
||||
|
||||
# Redis ElastiCache Database Secrets Engine
|
||||
|
||||
Redis ElastiCache is one of the supported plugins for the database secrets engine.
|
||||
This plugin generates static credentials for existing managed roles.
|
||||
|
||||
See the [database secrets engine](/docs/secrets/databases) docs for
|
||||
more information about setting up the database secrets engine.
|
||||
|
||||
## Capabilities
|
||||
|
||||
| Plugin Name | Root Credential Rotation | Dynamic Roles | Static Roles | Username Customization |
|
||||
| --------------------------------------- | ------------------------ | ------------- | ------------ | ---------------------- |
|
||||
| `redis-elasticache-database-plugin` | No | No | Yes | No |
|
||||
|
||||
## Setup
|
||||
|
||||
1. Enable the database secrets engine if it is not already enabled:
|
||||
|
||||
```shell-session
|
||||
$ vault secrets enable database
|
||||
Success! Enabled the database secrets engine at: database/
|
||||
```
|
||||
|
||||
By default, the secrets engine will enable at the name of the engine. To
|
||||
enable the secrets engine at a different path, use the `-path` argument.
|
||||
|
||||
1. Configure Vault with the proper plugin and connection configuration:
|
||||
|
||||
```shell-session
|
||||
$ vault write database/config/my-redis-elasticache-cluster \
|
||||
plugin_name="redis-elasticache-database-plugin" \
|
||||
url="primary-endpoint.my-cluster.xxx.yyy.cache.amazonaws.com:6379" \
|
||||
username="AKI***" \
|
||||
password="ktriNYvULAWLzUmTGb***" \
|
||||
allowed_roles="*"
|
||||
```
|
||||
|
||||
~> **Note**: The username and password parameters are optional. If omitted, authentication falls back on the AWS credentials provider chain.
|
||||
Using a [temporary credential](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html) stored in the proper environment
|
||||
variable is the preferred configuration method.
|
||||
|
||||
## Usage
|
||||
|
||||
After the secrets engine is configured, write static roles to enable generating credentials.
|
||||
|
||||
### Static roles
|
||||
|
||||
1. Configure a static role that maps a name in Vault to an existing Redis ElastiCache user.
|
||||
|
||||
```shell-session
|
||||
$ vault write database/static-roles/my-static-role \
|
||||
db_name="my-redis-elasticache-cluster" \
|
||||
username="my-existing-redis-user" \
|
||||
rotation_period=5m
|
||||
Success! Data written to: database/static-roles/my-static-role
|
||||
```
|
||||
|
||||
1. Retrieve the credentials from the `/static-creds` endpoint:
|
||||
|
||||
```shell-session
|
||||
$ vault read database/static-creds/my-static-role
|
||||
Key Value
|
||||
--- -----
|
||||
last_vault_rotation 2022-09-14T11:45:57.24715105-04:00
|
||||
password GKdS6qY-UtVAMpcD9iuu
|
||||
rotation_period 5m
|
||||
ttl 4m48s
|
||||
username my-existing-redis-user
|
||||
```
|
||||
|
||||
~> **Note**: New passwords may take up-to a couple of minutes before ElastiCache has the chance to complete their configuration.
|
||||
It is recommended to use a retry strategy when establishing new Redis ElastiCache connections. This may prevent errors when
|
||||
trying to use a password that isn't yet live on the targeted ElastiCache cluster.
|
||||
|
||||
## API
|
||||
|
||||
The full list of configurable options can be seen in the [Redis ElastiCache Database Plugin API](/api-docs/secret/databases/rediselasticache) page.
|
||||
|
||||
For more information on the database secrets engine's HTTP API please see the [Database Secrets Engine API](/api-docs/secret/databases) page.
|
|
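Review bot: In Setup step 2 the example passes a long-lived IAM key pair as `username="AKI***"` and `password="ktriNYvULAWLzUmTGb***"` on the command line, while the note directly below calls a temporary credential from the environment the preferred method; lead with the form that omits both parameters and show the static-key form as the alternative. The note should name the variables it means by "the proper environment variable", and the page should list the IAM permissions the credentials need. In Usage, `rotation_period=5m` sits badly beside the note that a new password may take up to a couple of minutes to go live; a longer period in the example would keep readers from copying a setting where the password is unusable for a large part of each window. Minor: "up-to" should be "up to".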
@ -101,6 +101,10 @@
|
|||
"title": "PostgreSQL",
|
||||
"path": "secret/databases/postgresql"
|
||||
},
|
||||
{
|
||||
"title": "Redis ElastiCache",
|
||||
"path": "secret/databases/rediselasticache"
|
||||
},
|
||||
{
|
||||
"title": "Redshift",
|
||||
"path": "secret/databases/redshift"
|
||||
|
|
|
@ -996,6 +996,10 @@
|
|||
"title": "PostgreSQL",
|
||||
"path": "secrets/databases/postgresql"
|
||||
},
|
||||
{
|
||||
"title": "Redis ElastiCache",
|
||||
"path": "secrets/databases/rediselasticache"
|
||||
},
|
||||
{
|
||||
"title": "Redshift",
|
||||
"path": "secrets/databases/redshift"
|
||||
|
|