database secrets engine needs documentation & design alignment

[drewmullen]

hi @Dudesons thanks for the PR! I'm looking forward to this feature. Can you please look into providing docs for the new secret engine?

also, all secret engines should accept a mount_point variable with a sensible default so the vault path can be adjusted if necessary done

[PeteBoyRocket]

Are there any examples for doing the equivalent of this in the meantime? I am not clear how to do this https://www.vaultproject.io/docs/secrets/databases/mssql

$ vault write database/config/my-mssql-database \
    plugin_name=mssql-database-plugin \
    connection_url='sqlserver:https://{{username}}:{{password}}@localhost:1433' \
    allowed_roles="my-role" \
    username="vaultuser" \
    password="yourStrong(!)Password"

[Vishesh-Gupta]

Hey @jeffwecan, is there any update on this? I want to use the database secrets engine with HVAC. Could you provide some documentation for this?

[jeffwecan]

@Vishesh-Gupta Sorry, this sort of expanded documentation is still outstanding. I'm looking into some general maintenance and cutting a new release over the next week or so and I'll try to revisit this issue as part of that though!

[Vishesh-Gupta]

@jeffwecan I'd be happy to help on different parts of HVAC since I extensively use and work with Vault at my work. Let me know if you need help and I'd be happy to talk about it

[jeffwecan]

@Vishesh-Gupta: Great! If you're interested in helping with some of this repository's maintenance beyond general documentation / code contributions, feel free to shoot me an email at [email protected] and we can chat about it more. 😄

[jsp-hashicorp]

Hope this helps for Database secret engine doc.

For Database Secret Engine - Dynamic Secret

Source link : https://github.com/hvac/hvac/blob/main/hvac/api/secrets_engines/database.py

resp3 = client.secrets.database.generate_credentials(
name = 'dynamic-role',
mount_point = 'database',
)
print(f'Dynamic Secret - Username: "{resp3["data"]["username"]}", Password:"{resp3["data"]["password"]}"')

For Database Secret Engine - Static Role

Source link : https://github.com/hvac/hvac/blob/main/hvac/api/secrets_engines/database.py

resp4 = client.secrets.database.get_static_credentials(
name = 'static-role',
mount_point = 'database',
)
print(f'Static Secret - Username: "{resp4["data"]["username"]}", Password:"{resp4["data"]["password"]}"')

[amiewei]

hello :) i've been looking at dynamic secrets and can work on documenting this.

I've just started trying out the different dynamic secrets methods that's already in the code. I'm testing it against a local postgres db and can document the code snippets as i go. I know there are many db plugins and each of them have their own nuances, but i'm thinking for the documentation, i could provide the code examples for postgres and reference the vault documentation for details to update on specific plugins - https://developer.hashicorp.com/vault/docs/secrets/databases#database-capabilities

Let me know if this sounds like a decent approach and ill get started! would appreciate an additional set of eyes to look over. Ill prob start with a few methods around configuring the connection, roles first.

[briantist]

Hi @amiewei , welcome! This sounds like a good approach to me, looking forward to it

[briantist]

Resolved by #1036