luxolus
/
open-vault
2
0
Fork 0
Code Issues 1 Pull Requests Releases Activity

+ added Redis ElastiCache documentation (#17133) 

* added Redis ElastiCache documentation
This commit is contained in:
Max Coulombe 2022-09-19 10:26:49 -04:00 committed by GitHub
parent 05a5928b8d
commit 709c1bebf6
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
6 changed files with 165 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

53
website/content/api-docs/secret/databases/rediselasticache.mdx Normal file
View File

@ -0,0 +1,53 @@
---
layout: api
page_title: Redis ElastiCache - Database - Secrets Engines - HTTP API
description: >-
The Redis ElastiCache plugin for Vault's database secrets engine generates new passwords for ElastiCache users.
---
# Redis ElastiCache Database Plugin HTTP API
The Redis ElastiCache database plugin is one of the supported plugins for the database
secrets engine. This plugin generates static database credentials based on
configured roles for the Redis ElastiCache database.
## Configure Connection
In addition to the parameters defined by the [Database
Secrets Engine](/api-docs/secret/databases#configure-connection), this plugin
has a number of parameters to further configure a connection.
| Method | Path |
| :----- | :----------------------- |
| `POST` | `/database/config/:name` |
### Parameters
- `url` `(string: <required>)` Specifies the primary endpoint to connect to.
- `username` `(string)` Specifies the IAM access_key_id for Vault to use. If omitted, authentication fallbacks on the AWS credentials provider chain and tries to infer authentication from the environment.
- `password` `(string)` Specifies the IAM secret_access_key corresponding to
the given access_key_id. If omitted, authentication fallbacks on the AWS credentials provider chain and tries to infer authentication from the environment.
### Sample Payload
```json
{
"plugin_name": "redis-elasticache-database-plugin",
"url": "primary-endpoint.my-cluster.xxx.yyy.cache.amazonaws.com:6379",
"username": "AKI***",
"password": "ktriNYvULAWLzUmTGb***",
"allowed-roles": "*"
}
```
### Sample Request
```shell-session
$ curl \
--header "X-Vault-Token: ..." \
--request POST \
--data @payload.json \
http://127.0.0.1:8200/v1/database/config/my-redis-cluster
```

1
website/content/docs/plugins/plugin-portal.mdx
View File

@ -62,6 +62,7 @@ exists within the Vault repository, the plugin can be built as instructed in
- [MySQL/MariaDB](/api-docs/secret/databases/mysql-maria) - [MySQL/MariaDB](/api-docs/secret/databases/mysql-maria)
- [Oracle Database](https://github.com/hashicorp/vault-plugin-database-oracle) <Tag title='external' color='yellow' /> - [Oracle Database](https://github.com/hashicorp/vault-plugin-database-oracle) <Tag title='external' color='yellow' />
- [PostgreSQL](/api-docs/secret/databases/postgresql) - [PostgreSQL](/api-docs/secret/databases/postgresql)
- [Redis ElastiCache](/api-docs/secret/databases/rediselasticache)
- [Redshift](/api-docs/secret/databases/redshift) - [Redshift](/api-docs/secret/databases/redshift)
- [Snowflake](https://github.com/hashicorp/vault-plugin-database-snowflake) - [Snowflake](https://github.com/hashicorp/vault-plugin-database-snowflake)

31
website/content/docs/secrets/databases/index.mdx
View File

@ -133,21 +133,22 @@ As of Vault 1.6, all databases support dynamic roles and static roles. All plugi
the root user's credentials. MongoDB Atlas cannot support rotating the root user's credentials because it uses a public the root user's credentials. MongoDB Atlas cannot support rotating the root user's credentials because it uses a public
and private key pair to authenticate. and private key pair to authenticate.
| Database | Root Credential Rotation | Dynamic Roles | Static Roles | Username Customization | Credential Types | | Database | Root Credential Rotation | Dynamic Roles | Static Roles | Username Customization | Credential Types |
| ----------------------------------------------------- | ------------------------ | ------------- | ------------ | ---------------------- |---------------------------| | ---------------------------------------------------------------------- | ------------------------ | ------------- | ------------ | ---------------------- |---------------------------|
| [Cassandra](/docs/secrets/databases/cassandra) | Yes | Yes | Yes (1.6+) | Yes (1.7+) | password | | [Cassandra](/docs/secrets/databases/cassandra) | Yes | Yes | Yes (1.6+) | Yes (1.7+) | password |
| [Couchbase](/docs/secrets/databases/couchbase) | Yes | Yes | Yes | Yes (1.7+) | password | | [Couchbase](/docs/secrets/databases/couchbase) | Yes | Yes | Yes | Yes (1.7+) | password |
| [Elasticsearch](/docs/secrets/databases/elasticdb) | Yes | Yes | Yes (1.6+) | Yes (1.8+) | password | | [Elasticsearch](/docs/secrets/databases/elasticdb) | Yes | Yes | Yes (1.6+) | Yes (1.8+) | password |
| [HanaDB](/docs/secrets/databases/hanadb) | Yes (1.6+) | Yes | Yes (1.6+) | Yes (1.12+) | password | | [HanaDB](/docs/secrets/databases/hanadb) | Yes (1.6+) | Yes | Yes (1.6+) | Yes (1.12+) | password |
| [InfluxDB](/docs/secrets/databases/influxdb) | Yes | Yes | Yes (1.6+) | Yes (1.8+) | password | | [InfluxDB](/docs/secrets/databases/influxdb) | Yes | Yes | Yes (1.6+) | Yes (1.8+) | password |
| [MongoDB](/docs/secrets/databases/mongodb) | Yes | Yes | Yes | Yes (1.7+) | password | | [MongoDB](/docs/secrets/databases/mongodb) | Yes | Yes | Yes | Yes (1.7+) | password |
| [MongoDB Atlas](/docs/secrets/databases/mongodbatlas) | No | Yes | Yes | Yes (1.8+) | password | | [MongoDB Atlas](/docs/secrets/databases/mongodbatlas) | No | Yes | Yes | Yes (1.8+) | password |
| [MSSQL](/docs/secrets/databases/mssql) | Yes | Yes | Yes | Yes (1.7+) | password | | [MSSQL](/docs/secrets/databases/mssql) | Yes | Yes | Yes | Yes (1.7+) | password |
| [MySQL/MariaDB](/docs/secrets/databases/mysql-maria) | Yes | Yes | Yes | Yes (1.7+) | password | | [MySQL/MariaDB](/docs/secrets/databases/mysql-maria) | Yes | Yes | Yes | Yes (1.7+) | password |
| [Oracle](/docs/secrets/databases/oracle) | Yes | Yes | Yes | Yes (1.7+) | password | | [Oracle](/docs/secrets/databases/oracle) | Yes | Yes | Yes | Yes (1.7+) | password |
| [PostgreSQL](/docs/secrets/databases/postgresql) | Yes | Yes | Yes | Yes (1.7+) | password | | [PostgreSQL](/docs/secrets/databases/postgresql) | Yes | Yes | Yes | Yes (1.7+) | password |
| [Redshift](/docs/secrets/databases/redshift) | Yes | Yes | Yes | Yes (1.8+) | password | | [Redis ElastiCache](/docs/secrets/databases/rediselasticache) | No | No | Yes | No | password |
| [Snowflake](/docs/secrets/databases/snowflake) | Yes | Yes | Yes | Yes (1.8+) | password, rsa_private_key | | [Redshift](/docs/secrets/databases/redshift) | Yes | Yes | Yes | Yes (1.8+) | password |
| [Snowflake](/docs/secrets/databases/snowflake) | Yes | Yes | Yes | Yes (1.8+) | password, rsa_private_key |
## Custom Plugins ## Custom Plugins

87
website/content/docs/secrets/databases/rediselasticache.mdx Normal file
View File

@ -0,0 +1,87 @@
---
layout: docs
page_title: Redis ElastiCache - Database - Secrets Engines
description: |-
Redis ElastiCache is one of the supported plugins for the database secrets engine.
This plugin generates static credentials for existing managed roles.
---
# Redis ElastiCache Database Secrets Engine
Redis ElastiCache is one of the supported plugins for the database secrets engine.
This plugin generates static credentials for existing managed roles.
See the [database secrets engine](/docs/secrets/databases) docs for
more information about setting up the database secrets engine.
## Capabilities
| Plugin Name | Root Credential Rotation | Dynamic Roles | Static Roles | Username Customization |
| --------------------------------------- | ------------------------ | ------------- | ------------ | ---------------------- |
| `redis-elasticache-database-plugin` | No | No | Yes | No |
## Setup
1. Enable the database secrets engine if it is not already enabled:
```shell-session
$ vault secrets enable database
Success! Enabled the database secrets engine at: database/
```
By default, the secrets engine will enable at the name of the engine. To
enable the secrets engine at a different path, use the `-path` argument.
1. Configure Vault with the proper plugin and connection configuration:
```shell-session
$ vault write database/config/my-redis-elasticache-cluster \
plugin_name="redis-elasticache-database-plugin" \
url="primary-endpoint.my-cluster.xxx.yyy.cache.amazonaws.com:6379" \
username="AKI***" \
password="ktriNYvULAWLzUmTGb***" \
allowed_roles="*"
```
~> **Note**: The username and password parameters are optional. If omitted, authentication falls back on the AWS credentials provider chain.
Using a [temporary credential](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html) stored in the proper environment
variable is the preferred configuration method.
## Usage
After the secrets engine is configured, write static roles to enable generating credentials.
### Static roles
1. Configure a static role that maps a name in Vault to an existing Redis ElastiCache user.
```shell-session
$ vault write database/static-roles/my-static-role \
db_name="my-redis-elasticache-cluster" \
username="my-existing-redis-user" \
rotation_period=5m
Success! Data written to: database/static-roles/my-static-role
```
1. Retrieve the credentials from the `/static-creds` endpoint:
```shell-session
$ vault read database/static-creds/my-static-role
Key Value
--- -----
last_vault_rotation 2022-09-14T11:45:57.24715105-04:00
password GKdS6qY-UtVAMpcD9iuu
rotation_period 5m
ttl 4m48s
username my-existing-redis-user
```
~> **Note**: New passwords may take up-to a couple of minutes before ElastiCache has the chance to complete their configuration.
It is recommended to use a retry strategy when establishing new Redis ElastiCache connections. This may prevent errors when
trying to use a password that isn't yet live on the targeted ElastiCache cluster.
## API
The full list of configurable options can be seen in the [Redis ElastiCache Database Plugin API](/api-docs/secret/databases/rediselasticache) page.
For more information on the database secrets engine's HTTP API please see the [Database Secrets Engine API](/api-docs/secret/databases) page.

4
website/data/api-docs-nav-data.json
View File

@ -101,6 +101,10 @@
"title": "PostgreSQL", "title": "PostgreSQL",
"path": "secret/databases/postgresql" "path": "secret/databases/postgresql"
}, },
{
"title": "Redis ElastiCache",
"path": "secret/databases/rediselasticache"
},
{ {
"title": "Redshift", "title": "Redshift",
"path": "secret/databases/redshift" "path": "secret/databases/redshift"

4
website/data/docs-nav-data.json
View File

@ -996,6 +996,10 @@
"title": "PostgreSQL", "title": "PostgreSQL",
"path": "secrets/databases/postgresql" "path": "secrets/databases/postgresql"
}, },
{
"title": "Redis ElastiCache",
"path": "secrets/databases/rediselasticache"
},
{ {
"title": "Redshift", "title": "Redshift",
"path": "secrets/databases/redshift" "path": "secrets/databases/redshift"