HCP Vault Secrets Centralized secrets lifecycle management for developers. Learn More
Vault
Database credentials

Manage dynamic credential leases

  • 5min
  • |
  • Vault

In the dynamic secrets tutorial, you configured Vault to generate dynamic credentials for a PostgreSQL database. In this tutorial, you will learn how to manage the leases for these dynamic credentials.

If you are not familar with how to configure Vault for dynamic credentials, follow the database secrets engine tutorial before you begin.

Scenario

HashiCups configured Vault to generate dynamic credentials for their PostgreSQL database. Danielle and the development team successfully retrieved the credentials from Vault.

Oliver and the operations team need to manage the generated credentials to ensure credentials can be renewed or revoked as needed.

Prerequisites

This lab was tested on macOS using an x86_64 based and Apple silicon-based processors. You may also run this tutorial by clicking the Start interactive lab button.

To perform the tasks described in this tutorial, you need to have:

Set up the lab

  1. Clone the learn-vault-dynamic-credentials repository.

    $ git clone git@github.com:hashicorp-education/learn-vault-dynamic-credentials.git

  2. Change into the learn-vault-dynamic-credentials directory.

    $ cd learn-vault-dynamic-credentials

  3. Deploy the Vault and PostgreSQL containers.

    $ terraform -chdir=vault-dynamic-creds-docker/ init && \
  terraform -chdir=vault-dynamic-creds-docker/ apply -auto-approve

    Example output:

    Initializing the backend...
Initializing provider plugins...
- Finding kreuzwerker/docker versions matching "3.0.2"...
- Installing kreuzwerker/docker v3.0.2...
...snip...
Apply complete! Resources: 4 added, 0 changed, 0 destroyed.

Outputs:

POSTGRES_URL = "export TF_VAR_POSTGRES_URL=172.17.0.2:5432"
VAULT_ADDR = "export VAULT_ADDR=http://127.0.0.1:8200"
VAULT_TOKEN = "export VAULT_TOKEN=root"

  4. Copy the export command from the Terraform output and export the environment variables.

    Example:

    $ export VAULT_ADDR=http://127.0.0.1:8200 \
   VAULT_TOKEN=root \
   TF_VAR_POSTGRES_URL=172.17.0.2:5432

  5. Verify the PostgreSQL and Vault containers have started.

    $ docker ps -f name=learn --format "table {{.Names}}\t{{.Status}}"
NAMES            STATUS
learn-postgres   Up 4 minutes
learn-vault      Up 4 minutes

    Vault and PostgreSQL are running. Vault connects to PostgreSQL over the Docker bridge network.

  6. Apply the PostgreSQL configuration used in the dynamic secrets tutorial.

    $ terraform -chdir=vault-dynamic-creds-postgres/ init && \
  terraform -chdir=vault-dynamic-creds-postgres/ apply -auto-approve

    Example output:

    Initializing the backend...
Initializing provider plugins...
- Finding cyrilgdn/postgresql versions matching "1.25.0"...
- Installing cyrilgdn/postgresql v1.25.0...
- Installed cyrilgdn/postgresql v1.25.0 (self-signed, key ID 418F268A88A6D481)
...snip...
Plan: 2 to add, 0 to change, 0 to destroy.
postgresql_role.ro: Creating...
postgresql_grant.readonly_tables: Creating...
postgresql_role.ro: Creation complete after 0s [id=ro]
postgresql_grant.readonly_tables: Creation complete after 0s [id=ro_postgres_public_table]
Apply complete! Resources: 2 added, 0 changed, 0 destroyed.

  7. Apply the Vault configuration used in the dynamic secrets tutorial.

    $ terraform -chdir=vault-dynamic-creds-vault/ init && \
  terraform -chdir=vault-dynamic-creds-vault/ apply -auto-approve

    Example output:

    Initializing the backend...
Initializing provider plugins...
- Finding hashicorp/vault versions matching "4.5.0"...
...snip...
vault_database_secrets_mount.database: Creating...
vault_database_secrets_mount.database: Creation complete after 0s [id=database]
vault_database_secret_backend_role.readonly: Creating...
vault_database_secret_backend_role.readonly: Creation complete after 0s [id=database/roles/readonly]
Apply complete! Resources: 2 added, 0 changed, 0 destroyed.

    Vault and PostgreSQL are running and configured. You are ready to proceed with the tutorial.

Renew leases

(Persona: Operations)

The credentials are managed by the lease ID and remain valid for the lease duration (TTL), renewed up to the maximum TTO, or until revoked. Once revoked the credentials are no longer valid.

  1. Read the Vault readonly role to generate PostgreSQL credentials.

    $ vault read database/creds/readonly

Key                Value
---                -----
lease_id           database/creds/readonly/Vjq4WwktBSN9TScI3K7w9Qeh
lease_duration     768h
lease_renewable    true
password           nrrmnNrtc-n3PIHNl6s3
username           v-token-readonly-VfRreDXYcBVdArYs4FQp-1736976059

  2. List the existing leases.

    $ vault list sys/leases/lookup/database/creds/readonly

Keys
----
Vjq4WwktBSN9TScI3K7w9Qeh

    All valid leases for database credentials are displayed.

  3. Create a variable that stores the first lease ID.

    $ LEASE_ID=$(vault list -format=json sys/leases/lookup/database/creds/readonly | jq -r ".[0]")

  4. Renew the lease for the database credential by passing its lease ID.

    $ vault lease renew database/creds/readonly/$LEASE_ID

Key                Value
---                -----
lease_id           database/creds/readonly/Vjq4WwktBSN9TScI3K7w9Qeh
lease_duration     1h
lease_renewable    true

    The TTL of the renewed lease is now 1h.

Revoke leases

(Persona: Operations)

You can revoke leases using the lease ID or by specifying a path prefix to revoke all leases associated with the role.

  1. Revoke the lease without waiting for its expiration.

    $ vault lease revoke database/creds/readonly/$LEASE_ID
All revocation operations queued successfully!

  2. List the existing leases.

    $ vault list sys/leases/lookup/database/creds/readonly
No value found at sys/leases/lookup/database/creds/readonly/

    The lease is no longer valid and is not displayed.

  3. Read new credentials from the readonly database role.

    $ vault read database/creds/readonly
Key                Value
---                -----
lease_id           database/creds/readonly/P6tTTiWsR1fVCp0btLktU0Dm
lease_duration     1m
lease_renewable    true
password           A1a-pfgGk7Ptb0TxGBJI
username           v-token-readonly-9blxDY3dIKXsFMkv8kvH-1600278284

  4. Revoke all the leases with the prefix database/creds/readonly.

    $ vault lease revoke -prefix database/creds/readonly

    The prefix flag matches all valid leases with the path prefix of database/creds/readonly.

  5. List the existing leases.

    $ vault list sys/leases/lookup/database/creds/readonly
No value found at sys/leases/lookup/database/creds/readonly/

    You have revoked all the leases associated with this path.

Clean up

  1. Destroy the Terraform resources.

    $ terraform -chdir=vault-dynamic-creds-vault/ destroy -auto-approve && \
terraform -chdir=vault-dynamic-creds-postgres/ destroy -auto-approve && \
terraform -chdir=vault-dynamic-creds-docker/ destroy -auto-approve

  2. Unset the environment variables.

    $ unset VAULT_ADDR VAULT_TOKEN TF_VAR_POSTGRES_URL

Summary

In this tutorial, you learned how to manage the leases for dynamic credentials. You requested credentials from Vault, renewed the lease, and revoked the lease using both the lease ID and the path prefix.

References

Previous
Next