luxolus/open-vault
2
0
Fork 0
Code Issues 1 Pull requests Releases Activity
open-vault/website/content/docs/secrets/databases/rediselasticache.mdx
Ashlee M Boyer f3df55ad58
docs: Migrate link formats (#18696) 
* Adding check-legacy-links-format workflow

* Adding test-link-rewrites workflow

* Updating docs-content-check-legacy-links-format hash

* Migrating links to new format

Co-authored-by: Kendall Strautman <kendallstrautman@gmail.com>
2023-01-25 16:12:15 -08:00

112 lines
4.2 KiB
Plaintext
Raw Blame History

---
layout: docs
page_title: Redis ElastiCache - Database - Secrets Engines
description: |-
Redis ElastiCache is one of the supported plugins for the database secrets engine.
This plugin generates static credentials for existing managed roles.
---
# Redis ElastiCache Database Secrets Engine
Redis ElastiCache is one of the supported plugins for the database secrets engine.
This plugin generates static credentials for existing managed roles.
See the [database secrets engine](/vault/docs/secrets/databases) docs for
more information about setting up the database secrets engine.
## Capabilities
| Plugin Name | Root Credential Rotation | Dynamic Roles | Static Roles | Username Customization |
| --------------------------------------- | ------------------------ | ------------- | ------------ | ---------------------- |
| `redis-elasticache-database-plugin` | No | No | Yes | No |
## Setup
1. Enable the database secrets engine if it is not already enabled:
```shell-session
$ vault secrets enable database
Success! Enabled the database secrets engine at: database/
```
By default, the secrets engine will enable at the name of the engine. To
enable the secrets engine at a different path, use the `-path` argument.
1. Configure Vault with the proper plugin and connection configuration:
```shell-session
$ vault write database/config/my-redis-elasticache-cluster \
plugin_name="redis-elasticache-database-plugin" \
url="primary-endpoint.my-cluster.xxx.yyy.cache.amazonaws.com:6379" \
access_key_id="AKI***" \
secret_access_key="ktriNYvULAWLzUmTGb***" \
region=us-east-1 \
allowed_roles="*"
```
~> **Note**: The `access_key_id`, `secret_access_key` and `region` parameters are optional. If omitted, authentication falls back
on the AWS credentials provider chain.
~> **Deprecated**: The `username` & `password` parameters are deprecated but supported for backward compatibility. They are replaced
by the equivalent `access_key_id` and `secret_access_key` parameters respectively.
The Redis ElastiCache secrets engine must use AWS credentials that have sufficient permissions to manage ElastiCache users.
This IAM policy sample can be used as an example. Note that &lt;region&gt; and &lt;account-id&gt;
must correspond to your own environment.
```json
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Action": [
"elasticache:ModifyUser",
"elasticache:DescribeUsers"
],
"Resource": "arn:aws:elasticache:<region>:<account-id>:user:*"
}
]
}
```
## Usage
After the secrets engine is configured, write static roles to enable generating credentials.
### Static roles
1. Configure a static role that maps a name in Vault to an existing Redis ElastiCache user.
```shell-session
$ vault write database/static-roles/my-static-role \
db_name="my-redis-elasticache-cluster" \
username="my-existing-redis-user" \
rotation_period=5m
Success! Data written to: database/static-roles/my-static-role
```
1. Retrieve the credentials from the `/static-creds` endpoint:
```shell-session
$ vault read database/static-creds/my-static-role
Key Value
--- -----
last_vault_rotation 2022-09-14T11:45:57.24715105-04:00
password GKdS6qY-UtVAMpcD9iuu
rotation_period 5m
ttl 4m48s
username my-existing-redis-user
```
~> **Note**: New passwords may take up-to a couple of minutes before ElastiCache has the chance to complete their configuration.
It is recommended to use a retry strategy when establishing new Redis ElastiCache connections. This may prevent errors when
trying to use a password that isn't yet live on the targeted ElastiCache cluster.
## API
The full list of configurable options can be seen in the [Redis ElastiCache Database Plugin API](/vault/api-docs/secret/databases/rediselasticache) page.
For more information on the database secrets engine's HTTP API please see the [Database Secrets Engine API](/vault/api-docs/secret/databases) page.
Reference in a new issue View git blame Copy permalink