Vault
Manage dynamic credential leases
In the dynamic secrets tutorial, you configured Vault to generate dynamic credentials for a PostgreSQL database. In this tutorial, you will learn how to manage the leases for these dynamic credentials.
If you are not familiar with how to configure Vault for dynamic credentials, follow the database secrets engine tutorial before you begin.
Scenario
HashiCups configured Vault to generate dynamic credentials for their PostgreSQL database. Danielle and the development team successfully retrieved the credentials from Vault.
Oliver and the operations team need to manage the generated credentials to ensure credentials can be renewed or revoked as needed.
Prerequisites
This lab was tested on macOS on both x86_64 and Apple silicon processors. You may also run this tutorial by clicking the Start interactive lab button.
To perform the tasks described in this tutorial, you need to have:
- Docker to run a Vault and PostgreSQL container.
- Vault binary installed.
- Git installed.
Set up the lab
Clone the learn-vault-dynamic-credentials repository.
$ git clone git@github.com:hashicorp-education/learn-vault-dynamic-credentials.git
Change into the learn-vault-dynamic-credentials directory.
$ cd learn-vault-dynamic-credentials
Deploy the Vault and PostgreSQL containers.
$ terraform -chdir=vault-dynamic-creds-docker/ init && \
    terraform -chdir=vault-dynamic-creds-docker/ apply -auto-approve
Example output:
Initializing the backend...
Initializing provider plugins...
- Finding kreuzwerker/docker versions matching "3.0.2"...
- Installing kreuzwerker/docker v3.0.2...
...snip...
Apply complete! Resources: 4 added, 0 changed, 0 destroyed.

Outputs:

POSTGRES_URL = "export TF_VAR_POSTGRES_URL=172.17.0.2:5432"
VAULT_ADDR = "export VAULT_ADDR=http://127.0.0.1:8200"
VAULT_TOKEN = "export VAULT_TOKEN=root"
Copy the export commands from the Terraform output and export the environment variables.
Example:
$ export VAULT_ADDR=http://127.0.0.1:8200 \
    VAULT_TOKEN=root \
    TF_VAR_POSTGRES_URL=172.17.0.2:5432
Verify the PostgreSQL and Vault containers have started.
$ docker ps -f name=learn --format "table {{.Names}}\t{{.Status}}"
NAMES            STATUS
learn-postgres   Up 4 minutes
learn-vault      Up 4 minutes
Vault and PostgreSQL are running. Vault connects to PostgreSQL over the Docker bridge network.
Apply the PostgreSQL configuration used in the dynamic secrets tutorial.
$ terraform -chdir=vault-dynamic-creds-postgres/ init && \
    terraform -chdir=vault-dynamic-creds-postgres/ apply -auto-approve
Example output:
Initializing the backend...
Initializing provider plugins...
- Finding cyrilgdn/postgresql versions matching "1.25.0"...
- Installing cyrilgdn/postgresql v1.25.0...
- Installed cyrilgdn/postgresql v1.25.0 (self-signed, key ID 418F268A88A6D481)
...snip...
Plan: 2 to add, 0 to change, 0 to destroy.
postgresql_role.ro: Creating...
postgresql_grant.readonly_tables: Creating...
postgresql_role.ro: Creation complete after 0s [id=ro]
postgresql_grant.readonly_tables: Creation complete after 0s [id=ro_postgres_public_table]

Apply complete! Resources: 2 added, 0 changed, 0 destroyed.
Apply the Vault configuration used in the dynamic secrets tutorial.
$ terraform -chdir=vault-dynamic-creds-vault/ init && \
    terraform -chdir=vault-dynamic-creds-vault/ apply -auto-approve
Example output:
Initializing the backend...
Initializing provider plugins...
- Finding hashicorp/vault versions matching "4.5.0"...
...snip...
vault_database_secrets_mount.database: Creating...
vault_database_secrets_mount.database: Creation complete after 0s [id=database]
vault_database_secret_backend_role.readonly: Creating...
vault_database_secret_backend_role.readonly: Creation complete after 0s [id=database/roles/readonly]

Apply complete! Resources: 2 added, 0 changed, 0 destroyed.
Vault and PostgreSQL are running and configured. You are ready to proceed with the tutorial.
Renew leases
(Persona: Operations)
The credentials are managed by their lease ID and remain valid for the lease duration (TTL), which can be renewed up to the maximum TTL, or until they are revoked. Once revoked, the credentials are no longer valid.
Read the Vault readonly role to generate PostgreSQL credentials.
$ vault read database/creds/readonly
Key                Value
---                -----
lease_id           database/creds/readonly/Vjq4WwktBSN9TScI3K7w9Qeh
lease_duration     768h
lease_renewable    true
password           nrrmnNrtc-n3PIHNl6s3
username           v-token-readonly-VfRreDXYcBVdArYs4FQp-1736976059
List the existing leases.
$ vault list sys/leases/lookup/database/creds/readonly
Keys
----
Vjq4WwktBSN9TScI3K7w9Qeh
All valid leases for database credentials are displayed.
Create a variable that stores the first lease ID.
$ LEASE_ID=$(vault list -format=json sys/leases/lookup/database/creds/readonly | jq -r ".[0]")
Renew the lease for the database credential by passing its lease ID.
$ vault lease renew database/creds/readonly/$LEASE_ID
Key                Value
---                -----
lease_id           database/creds/readonly/Vjq4WwktBSN9TScI3K7w9Qeh
lease_duration     1h
lease_renewable    true
The TTL of the renewed lease is now 1h.
Revoke leases
(Persona: Operations)
You can revoke leases using the lease ID or by specifying a path prefix to revoke all leases associated with the role.
Revoke the lease without waiting for its expiration.
$ vault lease revoke database/creds/readonly/$LEASE_ID
All revocation operations queued successfully!
List the existing leases.
$ vault list sys/leases/lookup/database/creds/readonly
No value found at sys/leases/lookup/database/creds/readonly/
The lease is no longer valid and is not displayed.
Read new credentials from the readonly database role.
$ vault read database/creds/readonly
Key                Value
---                -----
lease_id           database/creds/readonly/P6tTTiWsR1fVCp0btLktU0Dm
lease_duration     1m
lease_renewable    true
password           A1a-pfgGk7Ptb0TxGBJI
username           v-token-readonly-9blxDY3dIKXsFMkv8kvH-1600278284
Revoke all the leases with the prefix database/creds/readonly.
$ vault lease revoke -prefix database/creds/readonly
The -prefix flag matches all valid leases with the path prefix of database/creds/readonly.
List the existing leases.
$ vault list sys/leases/lookup/database/creds/readonly
No value found at sys/leases/lookup/database/creds/readonly/
You have revoked all the leases associated with this path.
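Added example, not part of the HashiCorp tutorial: the same list, renew and revoke operations from the two sections above, driven through the sys/leases HTTP API from Python instead of the CLI, plus a check for a renewal that came back shorter than requested, which is how a client notices a lease has reached its max TTL and must read fresh credentials instead of renewing again. Assumes VAULT_ADDR and VAULT_TOKEN are exported as in the lab, and the database mount and readonly role configured earlier.

```python
import json
import os
import urllib.error
import urllib.request

PREFIX = "database/creds/readonly"  # mount "database", role "readonly", as in the lab

def renew_body(lease_id, increment_seconds):
    # Body for PUT sys/leases/renew. The increment is only a request: Vault
    # grants at most what is left before the lease reaches its max TTL.
    return {"lease_id": lease_id, "increment": increment_seconds}

def revoke_target(lease_id=None, prefix=None):
    # One lease: PUT sys/leases/revoke with the ID in the body. Every lease
    # under a path: PUT sys/leases/revoke-prefix/<prefix> with no body.
    if prefix:
        return f"sys/leases/revoke-prefix/{prefix}", None
    return "sys/leases/revoke", {"lease_id": lease_id}

def renewal_capped(requested_seconds, granted_seconds):
    # Granted less than asked: the lease is at its max TTL, so re-read credentials next.
    return granted_seconds < requested_seconds

def vault_call(method, path, body=None):
    # One authenticated request against VAULT_ADDR; 204 responses carry no body.
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(
        f"{os.environ['VAULT_ADDR']}/v1/{path}", data=data, method=method,
        headers={"X-Vault-Token": os.environ["VAULT_TOKEN"], "Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
    except urllib.error.HTTPError as err:
        if err.code == 404:  # LIST on a prefix that has no leases returns 404
            return {}
        raise
    return json.loads(raw) if raw else {}

def list_leases(prefix=PREFIX):
    # Same as: vault list sys/leases/lookup/<prefix>, expanded to full lease IDs.
    keys = vault_call("LIST", f"sys/leases/lookup/{prefix}").get("data", {}).get("keys", [])
    return [f"{prefix}/{key}" for key in keys]

def renew(lease_id, increment_seconds=3600):
    # Same as: vault lease renew -increment=<n> <lease_id>; returns the granted TTL in seconds.
    return vault_call("PUT", "sys/leases/renew", renew_body(lease_id, increment_seconds))["lease_duration"]

if __name__ == "__main__":
    for lid in list_leases():
        granted = renew(lid)
        print(lid, "renewed for", granted, "s", "(capped)" if renewal_capped(3600, granted) else "")
    path, body = revoke_target(prefix=PREFIX)  # same as: vault lease revoke -prefix ...
    vault_call("PUT", path, body)
```

Only vault_call talks to the server; the request builders and the cap check are pure functions so they can be unit tested without a running Vault.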
Clean up
Destroy the Terraform resources.
$ terraform -chdir=vault-dynamic-creds-vault/ destroy -auto-approve && \
    terraform -chdir=vault-dynamic-creds-postgres/ destroy -auto-approve && \
    terraform -chdir=vault-dynamic-creds-docker/ destroy -auto-approve
Unset the environment variables.
$ unset VAULT_ADDR VAULT_TOKEN TF_VAR_POSTGRES_URL
Summary
In this tutorial, you learned how to manage the leases for dynamic credentials. You requested credentials from Vault, renewed the lease, and revoked the lease using both the lease ID and the path prefix.