{"id":18303119,"url":"https://github.com/monzo/vault-plugin-database-k8s-controller","last_synced_at":"2026-03-17T23:06:26.723Z","repository":{"id":78419165,"uuid":"196085128","full_name":"monzo/vault-plugin-database-k8s-controller","owner":"monzo","description":"A fork of Vault's database credential plugin allowing the use of annotations on service accounts as parameters in statements","archived":false,"fork":false,"pushed_at":"2023-11-10T00:59:44.000Z","size":35162,"stargazers_count":7,"open_issues_count":3,"forks_count":5,"subscribers_count":73,"default_branch":"master","last_synced_at":"2025-04-05T14:35:31.562Z","etag":null,"topics":["cassandra","kubernetes","vault"],"latest_commit_sha":null,"homepage":null,"language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mpl-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/monzo.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2019-07-09T21:16:54.000Z","updated_at":"2020-10-13T16:30:16.000Z","dependencies_parsed_at":null,"dependency_job_id":"95df754b-09a2-4d6d-9e98-1b7d00d1aadd","html_url":"https://github.com/monzo/vault-plugin-database-k8s-controller","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/monzo/vault-plugin-database-k8s-controller","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/monzo%2Fvault-plugin-database-k8s-controller","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/monzo%2Fvault-plugin-database-k8s-controller/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mon
zo%2Fvault-plugin-database-k8s-controller/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/monzo%2Fvault-plugin-database-k8s-controller/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/monzo","download_url":"https://codeload.github.com/monzo/vault-plugin-database-k8s-controller/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/monzo%2Fvault-plugin-database-k8s-controller/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":30635156,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-03-17T22:38:22.569Z","status":"ssl_error","status_checked_at":"2026-03-17T22:38:11.804Z","response_time":56,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cassandra","kubernetes","vault"],"created_at":"2024-11-05T15:24:16.124Z","updated_at":"2026-03-17T23:06:26.705Z","avatar_url":"https://github.com/monzo.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# vault-plugin-database-k8s-controller\nA fork of Vault's database credential plugin allowing the use of an annotation on service accounts to dynamically\nspecify user creation statements. Essentially, you can have many virtual 'roles' which each have tightly scoped\ndatabase user creation statements, where the roles are in fact defined in Kubernetes. 
At Monzo we use this to allow\nfor hundreds of Cassandra clients which each are allowed access to a single independent keyspace. Vault is not aware\nof individual services; simply logging in with your Kubernetes service account token is enough to get permission to\nissue the correct database credentials.\n\nNon-builtin database plugins are not supported, as sadly custom plugins cannot call out to other custom plugins.\nHowever, all of Vault's builtin database plugins are bundled into this binary and should work as normal.\n\nCurrently based on https://github.com/hashicorp/vault/tree/v1.3.0/builtin/logical/database\n\nTo rebase:\n```bash\nmake rebase\n```\n\n## Instructions\n\nThis plugin differs from the default database plugin only if kubernetes config is provided\n```bash\n# if your plugin is registered as database-k8s\nvault secrets enable -path=database -plugin-name=database-k8s database-k8s\nvault write database/kubeconfig kubernetes_host=https://127.0.0.1 kubernetes_ca_cert=@cert jwt=@jwt\n```\n\nIf this is provided, the plugin will attempt to maintain an in memory cache of all\nservice accounts in Kubernetes. If any service accounts contain an annotation\n`monzo.com/keyspace`, the mapping from service account name to the annotation is also\nstored in Vault. This is so that the mapping can be used before the cache is built from\nthe k8s API.\n\nThe purpose of this is to interpolate this annotation into any creation statements of a role,\nto create essentially a dynamic role for every service account. 
If you provide a role named\nlike `k8s_rw_s-ledger_default` *and this role does not explicitly exist* then instead the\nplugin will look up the concrete role named `rw`, and will look up the service account\n`s-ledger` in the namespace `default`.\n\nIt will then replace all instances of `{{annotation}}` in the creation statements of\nthe concrete `rw` role with the value of the annotation on that service account.\n\nYou can also set an annotation `monzo.com/cluster` which allows you to override the db name\nof the concrete `rw` role with the value of the annotation.\n\nAnnotation keys can be overridden with the `kubeconfig` endpoint, \nusing `keyspace_annotation` and `db_name_annotation`.\n\nThe role names are designed such that they can support a vault policy as follows:\n\n```hcl\npath \"database/creds/k8s_rw_{{identity.entity.aliases.kubernetes.metadata.service_account_name}}_{{identity.entity.aliases.kubernetes.metadata.service_account_namespace}}\"\n{\n  capabilities = [\"read\"]\n}\n```\n\nThe role name is used for these parameters so that the plugin has the same API as its \nupstream.\n\n## Example\n\n```bash\n$ vault write database/roles/rw \\\n    db_name=my-cassandra-database \\\n    creation_statements=\"CREATE USER '{{username}}' WITH PASSWORD '{{password}}' NOSUPERUSER;\" \\\n    creation_statements=\"GRANT ALL PERMISSIONS ON KEYSPACE \\\"{{annotation}}\\\" TO {{username}};\" \\\n    default_ttl=\"1h\" \\\n    max_ttl=\"24h\"\nSuccess! 
Data written to: database/roles/rw\n\n$ kubectl create serviceaccount s-ledger\n$ kubectl annotate serviceaccount s-ledger monzo.com/keyspace='ledger'\n\n$ vault read database/roles/k8s_rw_s-ledger_default\nKey                      Value\n---                      -----\ncreation_statements      [CREATE USER '{{username}}' WITH PASSWORD '{{password}}' NOSUPERUSER; GRANT ALL PERMISSIONS ON KEYSPACE \"ledger\" TO {{username}};]\ndb_name                  my-cassandra-database\ndefault_ttl              1h\nmax_ttl                  24h\nrenew_statements         []\nrevocation_statements    []\nrollback_statements      []\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmonzo%2Fvault-plugin-database-k8s-controller","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmonzo%2Fvault-plugin-database-k8s-controller","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmonzo%2Fvault-plugin-database-k8s-controller/lists"}
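The README describes how a virtual role name such as `k8s_rw_s-ledger_default` is resolved to the concrete role `rw` plus the service account `s-ledger` in namespace `default`, and how the `monzo.com/keyspace` annotation is interpolated into the role's creation statements while `monzo.com/cluster` overrides `db_name`. The following Go program is an added example written for this page, not code from the monzo plugin or from Vault, that walks through that resolution with the README's own values. It assumes a particular parsing rule (split on `_` from the right, which is unambiguous because Kubernetes service account and namespace names are DNS-1123 labels and cannot contain underscores) and adds a check the README does not mention: the annotation value is validated as a Cassandra keyspace name before it is substituted, since whoever holds RBAC rights to annotate service accounts would otherwise control text that ends up inside a CQL statement. The `ServiceAccount` type, the regular expressions, and the sample input are all constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// VirtualRole holds the three parts recovered from a name such as
// k8s_rw_s-ledger_default: the concrete Vault role, the service account
// and its namespace.
type VirtualRole struct {
	ConcreteRole   string
	ServiceAccount string
	Namespace      string
}

// ServiceAccount is a constructed stand-in for the Kubernetes object;
// only the name, namespace and annotations matter for this example.
type ServiceAccount struct {
	Name        string
	Namespace   string
	Annotations map[string]string
}

// Service account and namespace names are DNS-1123 labels, so they never
// contain '_'. That makes splitting the role name on '_' from the right
// unambiguous even when the concrete role name itself contains one.
var dns1123Label = regexp.MustCompile(`^[a-z0-9]([-a-z0-9]*[a-z0-9])?$`)

// Cassandra keyspace names are [A-Za-z0-9_] and at most 48 characters.
// Assumption for this example: anything else is refused, so a value like
// `x"; DROP KEYSPACE y` placed in the annotation never reaches CQL.
var keyspaceName = regexp.MustCompile(`^[A-Za-z0-9_]{1,48}$`)

// ParseVirtualRole splits "k8s_<role>_<serviceaccount>_<namespace>".
// The layout is taken from the README; the plugin's own parser may differ.
func ParseVirtualRole(name string) (VirtualRole, error) {
	const prefix = "k8s_"
	if !strings.HasPrefix(name, prefix) {
		return VirtualRole{}, errors.New("not a k8s virtual role name")
	}
	rest := strings.TrimPrefix(name, prefix)
	i := strings.LastIndex(rest, "_")
	if i < 0 {
		return VirtualRole{}, fmt.Errorf("malformed role name %q", name)
	}
	ns, rest := rest[i+1:], rest[:i]
	j := strings.LastIndex(rest, "_")
	if j < 0 {
		return VirtualRole{}, fmt.Errorf("malformed role name %q", name)
	}
	sa, role := rest[j+1:], rest[:j]
	if role == "" || !dns1123Label.MatchString(sa) || !dns1123Label.MatchString(ns) {
		return VirtualRole{}, fmt.Errorf("malformed role name %q", name)
	}
	return VirtualRole{ConcreteRole: role, ServiceAccount: sa, Namespace: ns}, nil
}

// RenderStatements substitutes {{annotation}} in the concrete role's
// creation statements with the validated keyspace annotation. {{username}}
// and {{password}} are left alone for Vault's normal credential generation.
func RenderStatements(stmts []string, sa ServiceAccount, keyspaceAnnotation string) ([]string, error) {
	ks, ok := sa.Annotations[keyspaceAnnotation]
	if !ok {
		return nil, fmt.Errorf("service account %s/%s has no %s annotation", sa.Namespace, sa.Name, keyspaceAnnotation)
	}
	if !keyspaceName.MatchString(ks) {
		return nil, fmt.Errorf("refusing to interpolate annotation value %q: not a valid keyspace name", ks)
	}
	out := make([]string, len(stmts))
	for i, s := range stmts {
		out[i] = strings.ReplaceAll(s, "{{annotation}}", ks)
	}
	return out, nil
}

// ResolveDBName returns the db_name override from the cluster annotation
// when present, otherwise the concrete role's configured db_name.
func ResolveDBName(roleDBName string, sa ServiceAccount, dbNameAnnotation string) string {
	if v, ok := sa.Annotations[dbNameAnnotation]; ok && v != "" {
		return v
	}
	return roleDBName
}

func main() {
	// Constructed input mirroring the README example.
	sa := ServiceAccount{Name: "s-ledger", Namespace: "default",
		Annotations: map[string]string{"monzo.com/keyspace": "ledger"}}
	stmts := []string{
		"CREATE USER '{{username}}' WITH PASSWORD '{{password}}' NOSUPERUSER;",
		"GRANT ALL PERMISSIONS ON KEYSPACE \"{{annotation}}\" TO {{username}};",
	}
	vr, err := ParseVirtualRole("k8s_rw_s-ledger_default")
	if err != nil {
		panic(err)
	}
	fmt.Printf("concrete role %q for %s/%s\n", vr.ConcreteRole, vr.Namespace, vr.ServiceAccount)
	rendered, err := RenderStatements(stmts, sa, "monzo.com/keyspace")
	if err != nil {
		panic(err)
	}
	for _, s := range rendered {
		fmt.Println(s)
	}
	fmt.Println("db_name:", ResolveDBName("my-cassandra-database", sa, "monzo.com/cluster"))
}
```

Together with the Vault policy template quoted in the README, the role-name layout is what ties a Kubernetes identity to a single keyspace: the policy only grants `database/creds/k8s_rw_<sa>_<ns>` for the caller's own service account, and the annotation check above keeps the value that lands in the GRANT statement limited to a plain keyspace name.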