open-vault/website/content/docs/secrets/databases/rediselasticache.mdx
Max Coulombe 709c1bebf6
+ added Redis ElastiCache documentation (#17133)
* added Redis ElastiCache documentation
2022-09-19 10:26:49 -04:00


---
layout: docs
page_title: Redis ElastiCache - Database - Secrets Engines
description: |-
Redis ElastiCache is one of the supported plugins for the database secrets engine.
This plugin generates static credentials for existing managed roles.
---
# Redis ElastiCache Database Secrets Engine
Redis ElastiCache is one of the supported plugins for the database secrets engine.
This plugin generates static credentials for existing managed roles.
See the [database secrets engine](/docs/secrets/databases) docs for
more information about setting up the database secrets engine.
## Capabilities
| Plugin Name | Root Credential Rotation | Dynamic Roles | Static Roles | Username Customization |
| --------------------------------------- | ------------------------ | ------------- | ------------ | ---------------------- |
| `redis-elasticache-database-plugin` | No | No | Yes | No |
## Setup
1. Enable the database secrets engine if it is not already enabled:
```shell-session
$ vault secrets enable database
Success! Enabled the database secrets engine at: database/
```
By default, the secrets engine is enabled at a path matching its name (`database/`). To
enable the secrets engine at a different path, use the `-path` argument.
1. Configure Vault with the proper plugin and connection configuration:
```shell-session
$ vault write database/config/my-redis-elasticache-cluster \
plugin_name="redis-elasticache-database-plugin" \
url="primary-endpoint.my-cluster.xxx.yyy.cache.amazonaws.com:6379" \
username="AKI***" \
password="ktriNYvULAWLzUmTGb***" \
allowed_roles="*"
```
~> **Note**: The username and password parameters are optional. If omitted, authentication falls back on the AWS credentials provider chain.
Using a [temporary credential](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html) stored in the proper environment
variable is the preferred configuration method.
## Usage
After the secrets engine is configured, write static roles to enable generating credentials.
### Static roles
1. Configure a static role that maps a name in Vault to an existing Redis ElastiCache user.
```shell-session
$ vault write database/static-roles/my-static-role \
db_name="my-redis-elasticache-cluster" \
username="my-existing-redis-user" \
rotation_period=5m
Success! Data written to: database/static-roles/my-static-role
```
1. Retrieve the credentials from the `/static-creds` endpoint:
```shell-session
$ vault read database/static-creds/my-static-role
Key Value
--- -----
last_vault_rotation 2022-09-14T11:45:57.24715105-04:00
password GKdS6qY-UtVAMpcD9iuu
rotation_period 5m
ttl 4m48s
username my-existing-redis-user
```
~> **Note**: A new password may take up to a couple of minutes before ElastiCache has finished applying it to the user.
Use a retry strategy when establishing new Redis ElastiCache connections, so that an `AUTH` attempt made with a
password that is not yet live on the targeted ElastiCache cluster is retried rather than treated as a hard failure.
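One way to implement that retry strategy, as an added example that is not part of the Vault docs or the plugin: the connection is opened with exponential backoff while `AUTH` is rejected, and the credentials are re-read on every attempt so that a rotation completing mid-loop is picked up. The `FakeCluster` stand-in and the `fetch_creds` callable are constructed for the example; in real use `fetch_creds` would read `database/static-creds/my-static-role` from Vault and `connect` would open the actual Redis client.

```python
import time
from typing import Callable, Tuple

class AuthNotLiveError(Exception):
    """AUTH was rejected; the rotated password may not be applied yet."""

def connect_with_retry(fetch_creds: Callable[[], Tuple[str, str]],
                       connect: Callable[[str, str], object],
                       max_attempts: int = 6, base_delay: float = 2.0,
                       max_delay: float = 30.0,
                       sleep: Callable[[float], None] = time.sleep):
    """Open a connection, backing off while AUTH fails; credentials are re-read
    on each attempt so a rotation that completes mid-loop is picked up."""
    delay = base_delay
    for attempt in range(1, max_attempts + 1):
        username, password = fetch_creds()
        try:
            return connect(username, password)
        except AuthNotLiveError:
            if attempt == max_attempts:
                raise
            sleep(delay)
            delay = min(delay * 2, max_delay)

# Constructed stand-in for a cluster that applies a rotated password only after
# `propagation_attempts` AUTH attempts have already been rejected (hypothetical).
class FakeCluster:
    def __init__(self, live_password: str, propagation_attempts: int):
        self.live_password = live_password
        self.pending_password = None
        self.propagation_attempts = propagation_attempts
        self.attempts = 0

    def rotate(self, new_password: str) -> None:
        self.pending_password = new_password

    def connect(self, username: str, password: str) -> str:
        self.attempts += 1
        if self.pending_password and self.attempts > self.propagation_attempts:
            self.live_password, self.pending_password = self.pending_password, None
        if password != self.live_password:
            raise AuthNotLiveError(f"AUTH rejected on attempt {self.attempts}")
        return f"session:{username}"

def simulate(propagation_attempts: int, max_attempts: int = 6) -> int:
    """Return how many attempts a fresh rotation needed before AUTH succeeded."""
    cluster = FakeCluster("old-password", propagation_attempts)
    cluster.rotate("new-password")  # what static-creds now returns (constructed)
    creds = lambda: ("my-existing-redis-user", "new-password")
    connect_with_retry(creds, cluster.connect, max_attempts, sleep=lambda _: None)
    return cluster.attempts
```

With a propagation delay longer than the retry budget the helper re-raises `AuthNotLiveError`, so callers can distinguish "not live yet" from a genuinely wrong credential by how long the failure persists.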
## API
The full list of configurable options can be seen in the [Redis ElastiCache Database Plugin API](/api-docs/secret/databases/rediselasticache) page.
For more information on the database secrets engine's HTTP API please see the [Database Secrets Engine API](/api-docs/secret/databases) page.