PostgreSQL secret backend - database/permissions question


Lars Sommer

Mar 20, 2017, 5:51:01 PM
to Vault
Hello,

   I have the following scenario:

  1. RDS instance is created in PostgreSQL
    1. Database created: "example_app"
  2. Vault connection string (written in ruby) for PostgreSQL RDS instance:
    1. 'postgresql' => "postgresql://#{ds_username}:#{ds_password}@#{ds_host}:#{datastore_ports[ds_engine]}/#{ds_database}"
  3. PostgreSQL for granting access
    1. 'postgresql' => "CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}';" \
                       "GRANT #{privileges} ON ALL TABLES IN SCHEMA public TO \"{{name}}\";"

This is failing with "pq: permission denied for relation schema_migrations"

So in summary I want to be able to use my root psql account to create a user on the instance and then grant that user full access to the database that is tied to that application, and I am struggling to come up with the SQL to do that. In MySQL I had an easy time of this. Not so in PostgreSQL.

I believe that outside of Vault I'd simply use two separate connection strings: one to create the user and the other to modify the schema permissions of the other database, but I am unsure how to accomplish this with a single connection string. 
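
A diagnostic for the failure described in the post above, added here as an example and not part of the thread: Vault runs the creation statements over the one configured connection, so the GRANT executes in that URL's database as that URL's role, and PostgreSQL lets only a table's owner, a superuser, or a holder of the grant option grant on it (the RDS master user is not a true superuser). The probe role name, its password, and SELECT standing in for `#{privileges}` are assumptions.

```sql
-- Added diagnostic, not from the thread. Run it with psql over the same
-- connection URL that Vault is configured with.

-- 1. Where, and as whom, do the creation statements execute?
SELECT current_database() AS grant_runs_in_db,
       current_user       AS grant_runs_as;

-- 2. Per table in schema public: who owns it, and may the connecting role
--    grant on it? A false in can_grant marks a table on which this role
--    cannot grant SELECT, so GRANT ... ON ALL TABLES will not cover it.
SELECT t.tablename,
       t.tableowner,
       has_table_privilege(current_user,
                           format('%I.%I', t.schemaname, t.tablename),
                           'SELECT WITH GRANT OPTION')   AS can_grant,
       pg_has_role(current_user, t.tableowner, 'MEMBER') AS member_of_owner
FROM   pg_tables AS t
WHERE  t.schemaname = 'public'
ORDER  BY can_grant, t.tablename;

-- 3. Reproduce the creation statements by hand and undo them.
--    "vault_probe" and its password are constructed placeholders; SELECT
--    stands in for the page's #{privileges} value (assumption).
BEGIN;
CREATE ROLE "vault_probe" WITH LOGIN PASSWORD 'constructed-placeholder';
GRANT SELECT ON ALL TABLES IN SCHEMA public TO "vault_probe";
ROLLBACK;  -- role creation is transactional, so nothing persists
```

If step 1 reports a database other than the application's, or step 2 shows `schema_migrations` owned by a role the connecting role neither is nor belongs to, the grant in the creation statements is being attempted without the rights PostgreSQL requires for it.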

Lars Sommer

Mar 21, 2017, 9:05:50 PM
to vault...@googlegroups.com
There's gotta be some other human who is using Vault to dynamically create Postgres credentials to be used on a database other than 'postgres'.


Shriharsha P

Jun 29, 2018, 7:13:31 AM
to Vault
Facing the same issue.

Lars,
Could you get this resolved?

Daniel Scott

Jun 29, 2018, 7:26:17 AM
to Vault