Using Postgres/MySQL/Mongo secret backend, how do you configure the access to multiple databases?


Olivier DUPUY

Feb 14, 2017, 5:50:01 PM2/14/17
to Vault

I have MULTIPLE Postgres servers where I want to control the access using a SINGLE Vault instance.

How to load the Postgres module:
   $ vault mount postgresql
Then how to set the "super_user" (or so) credentials and URL:
  $ vault write postgresql/config/connection connection_url="postgresql://root:vaul...@vaulttest.ciuvljjni7uo.us-west-1.rds.amazonaws.com:5432/postgres"
Then how to define a role:
  $ vault write postgresql/roles/readonly \
    sql="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';
    GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";"
Then how to create a user:
  $ vault read postgresql/creds/readonly

Fine, but I want to configure multiple databases, each with multiple roles, all of this in a single Vault instance.
Is there a syntax for that? I see nothing obvious in the doc to "name" a database and then use it when creating the TTL setting or creating a role for this database.

I also want to be able to control the access to the different roles/databases based on some policy.
Can I do that?

My question is for Postgres but I did not find any clue on how to support it.
The documentation for the other database secret backends did not help either.

If you cannot do it, it seriously impairs the use of Vault with databases.
Installing multiple Vault instances is not really an option.

Thanks
Olivier


Olivier DUPUY

Feb 14, 2017, 5:55:17 PM2/14/17
to Vault
I think that I found a clue about how to secure the access to the Postgres roles that I can create:
https://www.hashicorp.com/blog/codifying-vault-policies-and-configuration.html
but it does not answer how to support multiple Postgres instances.

Brian Kassouf

Feb 14, 2017, 5:58:36 PM2/14/17
to vault...@googlegroups.com
Hi Olivier,

You need to mount each Postgres database at a different path.

For instance: 
$ vault mount -path=postgresql1 postgresql
$ vault mount -path=postgresql2 postgresql

Then each step after mounting will use the specified mount path in the write/read paths.

For instance:
$ vault write postgresql1/config/....
$ vault write postgresql2/config/....

Best,
Brian


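Added example (mine, not code from this thread or from HashiCorp): the two-mount layout Brian describes, carried through end to end for one Vault instance fronting two Postgres servers, with per-mount roles and lease settings, and a policy per consumer that can only read creds from its own mount/role (the policy-based access control Olivier asked about). It assumes the Vault 0.6/0.7-era CLI used in the thread (vault mount, vault write, vault policy-write); the hostnames, database names, the vault:REPLACE_ME admin credentials and the policy names are placeholders. The run wrapper and the DRY_RUN switch are mine, not a Vault feature: when no vault binary or VAULT_ADDR is present, the commands are printed instead of executed so the script can be read and run offline.

```shell
#!/bin/sh
# Added example, not code from the thread or from HashiCorp: one Vault instance
# fronting two Postgres servers. The postgresql backend is mounted twice at
# different paths, each mount gets its own connection, lease config and roles,
# and each consumer gets a policy limited to a single mount/role.
# Assumes the Vault 0.6/0.7-era CLI used in the thread (vault mount, vault write,
# vault policy-write). Hostnames, database names, the vault:REPLACE_ME
# credentials and the policy names are placeholders.
set -eu

# Execute for real only when a Vault CLI and a server address are both present;
# otherwise print the commands (DRY_RUN=1 forces printing). This switch is part
# of the example, not a Vault feature.
if ! command -v vault >/dev/null 2>&1 || [ -z "${VAULT_ADDR:-}" ]; then
    DRY_RUN=1
fi
DRY_RUN=${DRY_RUN:-0}

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# One mount per Postgres server. Everything under the mount path (config, roles,
# creds, leases) belongs to that server only. The user in connection_url must be
# able to CREATE ROLE and DROP ROLE, since Vault creates and revokes the
# dynamic users with it.
mount_postgres() {
    mount=$1; url=$2
    run vault mount -path="$mount" postgresql
    run vault write "$mount/config/connection" connection_url="$url"
    # Per-mount TTLs: a short default lease and a hard maximum, so credentials
    # expire even if nothing ever revokes them.
    run vault write "$mount/config/lease" lease=1h lease_max=24h
}

# Roles are scoped to their mount: postgresql1/roles/readonly and
# postgresql2/roles/readonly are independent objects with independent SQL.
add_role() {
    mount=$1; role=$2; sql=$3
    run vault write "$mount/roles/$role" sql="$sql"
}

# Policy text granting read on exactly one mount/role and nothing else.
render_policy() {
    mount=$1; role=$2
    printf 'path "%s/creds/%s" {\n  capabilities = ["read"]\n}\n' "$mount" "$role"
}

write_policy() {
    name=$1; mount=$2; role=$3
    tmp=$(mktemp)
    render_policy "$mount" "$role" > "$tmp"
    run vault policy-write "$name" "$tmp"
    rm -f "$tmp"
}

# Same templates as in the thread; {{name}}, {{password}} and {{expiration}}
# are filled in by Vault when creds are read.
READONLY_SQL="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";"
READWRITE_SQL="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA public TO \"{{name}}\";"

setup_all() {
    # Two servers, two mounts. The admin password rides in the URL here for
    # brevity; for real use pass the payload from a file (vault write PATH @file.json)
    # so it stays out of shell history and process listings.
    mount_postgres postgresql1 "postgresql://vault:REPLACE_ME@pg-orders.internal:5432/orders?sslmode=require"
    mount_postgres postgresql2 "postgresql://vault:REPLACE_ME@pg-analytics.internal:5432/analytics?sslmode=require"

    add_role postgresql1 readonly  "$READONLY_SQL"
    add_role postgresql1 readwrite "$READWRITE_SQL"
    add_role postgresql2 readonly  "$READONLY_SQL"

    # Least privilege per consumer: orders-app can read postgresql1/creds/readwrite
    # and nothing under postgresql2; reporting sees only the analytics read-only role.
    write_policy orders-app postgresql1 readwrite
    write_policy reporting  postgresql2 readonly
}

setup_all
```

With this in place, a token created with vault token-create -policy=reporting can run vault read postgresql2/creds/readonly, while vault read postgresql1/creds/readonly is refused with permission denied: that is the per-database, per-role access control from the original question, and because config/lease lives under each mount, the TTLs are per database too.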

Olivier DUPUY

Feb 15, 2017, 12:16:00 PM2/15/17
to Vault
It works perfectly.

Thanks Brian.