// , Canonical List of Dynamic Secrets Support


Nathan Basanese

May 16, 2018, 1:01:52 PM
to Vault
  // , I've looked through the documentation for Secrets Engines, but I haven't found a way to tell which of these Secrets Engines support the "Dynamic Secrets" feature. 

I assume all of the DB Secrets Engines support Dynamic Secrets. 

But as for the rest of the Secrets Engines, is there a quick way to tell which of them support Dynamic Secrets? 

I guess I can just run the API against them to test it out, but it might be easier to have this in a document or table. Perhaps I'm missing something in the docs.
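One way to run that API check from a script, added here as an example that is not part of the thread and not HashiCorp's own tooling: the discriminator between a dynamic secret and a static one is the `lease_id` in Vault's response envelope, because a credential Vault generated on demand is tied to a lease it will revoke at expiry, while KV data and Transit output carry no lease (KV v1 still reports a `lease_duration`, so that field alone is misleading). The three sample responses below are constructed, and the mount paths `database/`, `secret/` and `transit/` are assumed.

```python
"""Tell dynamic (leased) Vault secrets apart from static ones by inspecting the
API response envelope, as one would when probing each mounted engine."""
import json
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample responses in the shape of Vault's HTTP API envelope.
# None of these come from a real Vault server; the mount paths are assumed.
SAMPLE_RESPONSES = {
    # Database secrets engine: a fresh credential pair tied to a lease.
    "database/creds/readonly": json.dumps({
        "request_id": "00000000-0000-0000-0000-000000000001",
        "lease_id": "database/creds/readonly/constructed-lease-id",
        "renewable": True,
        "lease_duration": 3600,
        "data": {"username": "v-constructed-user", "password": "constructed"},
        "wrap_info": None, "warnings": None, "auth": None,
    }),
    # KV (v1) engine: static data. It still reports a lease_duration (the
    # default TTL) but no lease_id, so lease_duration alone says nothing.
    "secret/myapp": json.dumps({
        "request_id": "00000000-0000-0000-0000-000000000002",
        "lease_id": "",
        "renewable": False,
        "lease_duration": 2764800,
        "data": {"api_key": "constructed-static-value"},
        "wrap_info": None, "warnings": None, "auth": None,
    }),
    # Transit engine: returns ciphertext, not a credential, and no lease.
    "transit/encrypt/mykey": json.dumps({
        "request_id": "00000000-0000-0000-0000-000000000003",
        "lease_id": "",
        "renewable": False,
        "lease_duration": 0,
        "data": {"ciphertext": "vault:v1:constructed"},
        "wrap_info": None, "warnings": None, "auth": None,
    }),
}


def classify(response_json: str) -> dict:
    """Describe how a consumer should treat the response.

    A dynamic secret is identified by a non-empty lease_id: Vault created the
    credential on demand and will revoke it when the lease expires.
    """
    resp = json.loads(response_json)
    lease_id = resp.get("lease_id") or ""
    dynamic = lease_id != ""
    return {
        "dynamic": dynamic,
        "lease_id": lease_id,
        "renewable": dynamic and bool(resp.get("renewable")),
        # Only a leased secret has a TTL that matters for rotation.
        "ttl_seconds": int(resp.get("lease_duration") or 0) if dynamic else 0,
        "fields": sorted((resp.get("data") or {}).keys()),
    }


def expires_at(response_json: str, now: datetime) -> Optional[datetime]:
    """When a dynamic credential stops working; None for static data."""
    info = classify(response_json)
    if not info["dynamic"]:
        return None
    return now + timedelta(seconds=info["ttl_seconds"])


def expiry_iso(response_json: str, now_iso: str) -> Optional[str]:
    """String-in, string-out wrapper around expires_at for logging or tests."""
    exp = expires_at(response_json, datetime.fromisoformat(now_iso))
    return exp.isoformat() if exp else None


def lease_matches_path(path: str, response_json: str) -> bool:
    """Sanity check: a lease_id is prefixed with the path that issued it."""
    info = classify(response_json)
    return info["dynamic"] and info["lease_id"].startswith(path.rstrip("/") + "/")


def audit(responses: dict) -> dict:
    """Map each probed path to 'dynamic' or 'static'."""
    return {path: ("dynamic" if classify(body)["dynamic"] else "static")
            for path, body in responses.items()}


if __name__ == "__main__":
    now_iso = "2018-05-16T13:01:52+00:00"
    for path, verdict in audit(SAMPLE_RESPONSES).items():
        exp = expiry_iso(SAMPLE_RESPONSES[path], now_iso)
        print(f"{path:28} {verdict:8} expires={exp or '-'}")
```

Against a live server the same classification applies to whatever `vault read` or the HTTP API returns for each mount: a consumer that sees a `lease_id` must plan for renewal or re-issue before `lease_duration` runs out, while a response without one is data to be cached and rotated by hand.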

Becca Petrin

May 17, 2018, 2:22:18 PM
to Vault
Hi Nathan,

That's a great question! You're right, there's no canonical list of dynamic secret engines. The closest thing is probably the documentation here: https://www.vaultproject.io/docs/secrets/databases/index.html. When you click into each database, they tend to state right at the beginning that they generate secrets dynamically.

I hope that helps.

-Becca

Nate B

May 17, 2018, 3:18:57 PM
to vault...@googlegroups.com
// , That helps a little, since that covers Vault Database Secrets Engines.

But what about the other Secrets Engines? 

I think most people come to Vault with a specific set of applications in mind, but sometimes, especially for wide ranging corporate deployments, it's good to see all the support for a feature at a glance. 

Let me put it this way: 

**Are there any of the Secrets Engines which _don't_ support generating Dynamic Credentials?**

It looks like all of the Secrets Engines support this. Maybe that's just part of a Secrets Engine by definition.

--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
 
GitHub Issues: https://github.com/hashicorp/vault/issues
IRC: #vault-tool on Freenode
---
You received this message because you are subscribed to a topic in the Google Groups "Vault" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/vault-tool/q37mKiyc5R4/unsubscribe.
To unsubscribe from this group and all its topics, send an email to vault-tool+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/vault-tool/7592fd42-daf8-41b7-b075-b803d44ce292%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Justin DynamicD

May 17, 2018, 5:16:59 PM
to Vault
Because the "secret" back-end exists as a static K/V store, it's inferred that all other backends would be dynamic in nature, as it makes little sense to use a custom backend for a static value when you could just use the secrets backend.

I'm all for document clarification, but honestly I'd be surprised if I were to install a secrets backend and find out it was just static entries.

Joel Thompson

May 18, 2018, 12:21:00 AM
to vault...@googlegroups.com
Generally agree with Justin, but there are a couple other special-purpose backends as well that don't neatly fit into the dynamic secret model:

* Transit: it's crypto as a service with policies on encryption/decryption/signing/verification, rather than storing and distributing secrets
* Cubbyhole: it's essentially a special-purpose "secret" backend.

--Joel


Nathan Basanese

May 18, 2018, 1:38:03 PM
to Vault
  // , Well, I made a list anyway, although the preceding discussion seems to show that it's not needed: 

Secrets engines (Vault Integrations) supporting Dynamic Secrets:

* AWS (generates AWS access credentials dynamically based on IAM policies)
* Consul (generates privileged Consul API tokens dynamically based on Consul ACL policies)
* Cassandra (generates database credentials dynamically based on configured roles for the Cassandra database)
* HANA (generates database credentials dynamically based on configured roles for the HANA database)
* MongoDB (generates database credentials dynamically based on configured roles for the MongoDB database)
* MSSQL (generates database credentials dynamically based on configured roles for the MSSQL database)
* MySQL/MariaDB Database Secrets Engine (generates database credentials dynamically based on configured roles for the MySQL database)
* PostgreSQL (generates database credentials dynamically based on configured roles for the PostgreSQL database)
* Oracle (generates database credentials dynamically based on configured roles for the Oracle database)
* Custom DB (generates database credentials dynamically based on configured roles for the database. Requires writing/releasing custom code)
* GCP (generates Google Cloud service account keys and OAuth tokens dynamically based on IAM policies)
* Nomad (generates Nomad API tokens dynamically based on pre-existing Nomad ACL policies)
* PKI (generates dynamic X.509 certificates)
* RabbitMQ (generates user credentials dynamically based on configured permissions and virtual hosts)
* SSH (Vault used to generate SSH keys, but that's deprecated, for good reasons. But now, using Vault's powerful CA capabilities and functionality built into OpenSSH, clients can SSH into target hosts using their own locally generated SSH keys, which Vault signs on demand.)
* SSH OTP (generates a One-Time Password every time a client wants to SSH into a remote host)
* TOTP (generates time-based credentials according to the TOTP standard)
