{"id":37151237,"url":"https://github.com/gitrgoliveira/vault-plugin-database-cmd","last_synced_at":"2026-01-14T17:52:06.894Z","repository":{"id":272257089,"uuid":"914908143","full_name":"gitrgoliveira/vault-plugin-database-cmd","owner":"gitrgoliveira","description":"A custom Vault database plugin designed to manage any type credential by executing system commands or scripts embedded in the container","archived":false,"fork":false,"pushed_at":"2025-11-27T12:07:35.000Z","size":221,"stargazers_count":4,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-11-28T18:22:03.181Z","etag":null,"topics":["database-access","hashicorp-vault","vault","vault-plugins"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mpl-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/gitrgoliveira.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.md","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-01-10T14:59:22.000Z","updated_at":"2025-11-27T12:07:39.000Z","dependencies_parsed_at":"2025-04-02T17:20:57.779Z","dependency_job_id":"a6ef231e-0c35-4c2d-bff6-91a5f1ce72b9","html_url":"https://github.com/gitrgoliveira/vault-plugin-database-cmd","commit_stats":null,"previous_names":["gitrgoliveira/vault-plugin-database-cmd"],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/gitrgoliveira/vault-plugin-database-cmd","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/gitrgoliveira%2Fvault-plugin-database-cmd","
tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/gitrgoliveira%2Fvault-plugin-database-cmd/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/gitrgoliveira%2Fvault-plugin-database-cmd/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/gitrgoliveira%2Fvault-plugin-database-cmd/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/gitrgoliveira","download_url":"https://codeload.github.com/gitrgoliveira/vault-plugin-database-cmd/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/gitrgoliveira%2Fvault-plugin-database-cmd/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28428963,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-14T16:38:47.836Z","status":"ssl_error","status_checked_at":"2026-01-14T16:34:59.695Z","response_time":107,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["database-access","hashicorp-vault","vault","vault-plugins"],"created_at":"2026-01-14T17:52:03.318Z","updated_at":"2026-01-14T17:52:06.843Z","avatar_url":"https://github.com/gitrgoliveira.png","language":"Go","readme":"# Vault Plugin for Universal Credential Management - `vault-plugin-database-cmd`\nThis repository contains a **custom Vault database plugin** 
designed to manage any type of credential by executing system commands.\n\nThe ecosystem of applications and APIs that Vault needs to support is always growing and becoming more diverse, and DevOps engineers often find themselves having to create bespoke overprivileged pipelines to rotate secrets and store them in Vault KV for third-party consumption.\n\nBy moving those rotation jobs into Vault you get:\n - **Secure Code Execution**: Utilizes Docker Rootless with gVisor for enhanced security.\n - **Controlled Access**: Only Vault administrators can enable, disable or update the plugin.\n - **Secure Secret Introduction**: Instant support by Vault Agent, Vault Secrets Operator, etc.\n - **Automated Rotation Workflows**: Instant support for periodic password rotation or rotation on a schedule\n - **Just-in-time Password Delivery**: Unique passwords and usernames can be generated on-demand, according to your policies.\n - **Root Credential Rotation**: Rotation of the root credential to a secure and unknown value\n\n\u003e **Note:** For static usernames, if rotation is enabled, the plugin will return the previous password if it hasn't been rotated yet.\n\n\u003e [!CAUTION]\n\u003e **This plugin is dangerous if misconfigured!** Any 3rd-party plugin can be dangerous and should be run in Rootless Docker with gVisor. Due to the nature of what this plugin allows, its configuration and setup must be handled with care. It is your responsibility to ensure that the commands you run are safe and do not expose your system to security risks.\n\n## What can I do with this plugin?\n- Generate dynamic credentials for anything by executing custom commands for credential management\n- Migrate your current jobs/scripts into HashiCorp Vault by embedding the scripts and any other binaries into the Dockerfile!\n\n## Preparation\nThis plugin has been tested using [Rootless Docker](https://docs.docker.com/engine/security/rootless/) running with [gVisor](https://gvisor.dev/). 
You can see examples of how to configure your Vault nodes in the following scripts - [setup_as_root.sh](setup_as_root.sh) and [setup_as_user.sh](setup_as_user.sh).\n\n\u003e **Note:**  For Rootless Docker, please ensure the `DOCKER_HOST` environment variable is configured to the user socket, e.g., `unix:///run/user/1000/docker.sock`.\n\nFor detailed registration and usage instructions, please check the `test` section in the [`Makefile`](Makefile).\n\n\n1. Register plugin runtime to work with Rootless Docker and gVisor:\n    ```sh\n\tvault plugin runtime register -type=container -rootless=true -oci_runtime=runsc runsc\n    ```\n\n2. Register the plugin as a `database` plugin, using semantic versioning:\n    ```sh\n\tvault plugin register \\\n\t\t-sha256=$(SHA256) \\\n\t\t-oci_image=$(DOCKER_IMAGE) \\\n\t\t-runtime=runsc \\\n\t\t-version=$(DOCKER_IMAGE_TAG) \\\n\t\tdatabase $(PLUGIN_NAME)\n    ```\n\n## Using the custom database plugin\n1. Enable the database backend:\n    ```sh\n    vault secrets enable -path=database-cmd database\n    ```\n\n2. Write the plugin root configuration. Username and password are mandatory for *password* credential type. Root rotation workflow uses the `UpdateUser` go function call, like all other user password rotations:\n\n    ```sh\n    vault write database-cmd/config/my-database \\\n\t\tplugin_name=\"$(PLUGIN_NAME)\" \\\n\t\tplugin_version=\"$(DOCKER_IMAGE_TAG)\" \\\n\t\tallowed_roles=\"*\" \\\n\t\tusername=\"mandatory\" \\\n\t\tpassword=\"mandatory\" \\\n\t\tcustom_field=\"anything\" \\\n\t\troot_rotation_statements=\"echo 'Root rotation statements'\" \\\n\t\troot_rotation_statements=\"echo 'Second line {{root_custom_field}}'\"\n    ```\n\u003e **Note 1:** To add more lines to the bash script, repeat the statement parameter.\n\u003e **Note 2:** To add further custom fields, you'll need to edit the code. 
If you'd like to use these in your scripts, then all you need to do is use something like `{{root_custom_field}}` in your script.\n\n### Optional Configuration Parameters\n\n#### Timeout Configuration\nThe plugin enforces a default timeout of **20 seconds** for all command executions. You can customize this during configuration:\n\n```sh\nvault write database-cmd/config/my-database \\\n    plugin_name=\"$(PLUGIN_NAME)\" \\\n    timeout=\"30s\" \\\n    ...\n```\n\nSupports standard Go duration formats: `\"5s\"`, `\"1m\"`, `\"90s\"`, etc. Minimum timeout is 1 second.\n\n\u003e **Note:** Commands exceeding the timeout will be terminated with a clear timeout error message.\n\n\n\n3. Create roles to manage credentials, for example:\n    *   New user on demand:\n    ```sh\n    vault write database-cmd/roles/dynamic-role \\\n\t\tdb_name=my-database \\\n\t\tcreation_statements=\"echo 'Dynamic creation statements'\" \\\n\t\tcreation_statements=\"ping -c3 www.google.com\" \\\n        default_ttl=\"1h\" \\\n        max_ttl=\"24h\"\n    ```\n\n    * Static user with a password rotation schedule. The same password will be returned until it reaches the rotation time or it's forced:\n    ```sh\n    vault write database-cmd/static-roles/static-role \\\n\t\tdb_name=my-database \\\n\t\tcredential_type=\"password\" \\\n\t\tusername=\"static-username\" \\\n\t\trotation_window=\"1h\" \\\n\t\tself_managed_password=\"true\" \\\n\t\trotation_schedule=\"0 * * * SAT\" \\\n\t\trotation_statements=\"echo 'Rotate static'\"\n    ```\n\n\n## Building your own\n1. Fork the repository.\n2. Edit the code.\n3. Run `vagrant up`.\n4. Go to `/vagrant` and run `make release`.\n\n### Testing\n1. Ensure the container image exists with `make build-container`\n2. Modify the `Makefile` `test` target with the Vault commands you need\n3. Run `make start` to launch Vault in development mode\n4. 
Run `make test` to register the plugin, enable it and run the defined test commands\n\n## License\n\nThis project is licensed under the Mozilla Public License 2.0. See the [LICENSE.md](LICENSE.md) file for details.\n\n## Acknowledgements\n\nSpecial thanks to my customers and the UK \u0026 Ireland Solutions Engineering Team for their valuable input.\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgitrgoliveira%2Fvault-plugin-database-cmd","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fgitrgoliveira%2Fvault-plugin-database-cmd","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgitrgoliveira%2Fvault-plugin-database-cmd/lists"}