https://github.com/andrefaria24/demo-vault-db-secrets-engine
A compact demo that shows how HashiCorp Vault's Database Secrets Engine can manage both static and dynamic credentials for Microsoft SQL Server and PostgreSQL
https://github.com/andrefaria24/demo-vault-db-secrets-engine
demo dynamic-secrets hashicorp mssql postgresql powershell tsql vault
Last synced: 2 months ago
JSON representation
A compact demo that shows how HashiCorp Vault's Database Secrets Engine can manage both static and dynamic credentials for Microsoft SQL Server and PostgreSQL
- Host: GitHub
- URL: https://github.com/andrefaria24/demo-vault-db-secrets-engine
- Owner: andrefaria24
- Created: 2025-10-03T18:47:01.000Z (9 months ago)
- Default Branch: main
- Last Pushed: 2025-12-16T19:09:13.000Z (7 months ago)
- Last Synced: 2026-04-12T02:36:29.496Z (3 months ago)
- Topics: demo, dynamic-secrets, hashicorp, mssql, postgresql, powershell, tsql, vault
- Language: TSQL
- Homepage:
- Size: 7.81 KB
- Stars: 0
- Watchers: 0
- Forks: 0
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
Awesome Lists containing this project
README
# Vault Database Secrets Engine Demo
A compact demo that shows how HashiCorp Vault's Database Secrets Engine can manage both static and dynamic credentials
for Microsoft SQL Server and PostgreSQL.
The repo includes a Docker Compose file for local databases and a sample
`setup.sql` script to initialize the SQL Server databases and logins.
## Table of Contents
- Prerequisites
- Demo Setup
- Manual Vault configuration examples (static & dynamic roles)
- Cleanup
---
## Prerequisites
- Docker (to run database containers)
- HashiCorp Vault CLI (tested with Vault v1.20.x)
- `psql` client for PostgreSQL testing
- `sqlcmd` client for running T-SQL scripts against SQL Server
- (Optional) SQL Server Management Studio for interactive inspection
- PowerShell 7.x is recommended for wrapper scripts in this repo (or adapt the commands for your shell)
---
## Demo Setup
These steps get the demo running locally with minimal friction.
1. Clone the repository and change into it:
```powershell
git clone
cd vault-db-secrets-engine-demo
```
2. Start the database containers (this repo's `docker-compose.yml` will bring up SQL Server and PostgreSQL):
```powershell
docker compose up -d
```
3. Initialize the SQL Server objects securely.
- Open `setup.sql` in SSMS (Query > SQLCMD Mode) and replace placeholders like `` with secure values provided at runtime.
4. Start a Vault dev server for testing:
```powershell
vault server -dev
```
5. Configure Vault environment variables for the CLI:
```powershell
$env:VAULT_ADDR = 'http://127.0.0.1:8200'
$env:VAULT_TOKEN = ''
```
6. Enable the database secrets engine:
```powershell
vault secrets enable database
```
### MSSQL — Static credentials
Configure the database connection in Vault (static credentials example):
```powershell
vault write database/config/mssql_static `
plugin_name=mssql-database-plugin `
connection_url='sqlserver://{{username}}:{{password}}@localhost:1433' `
allowed_roles="mssql_static" `
username="vault_login" `
password=""
```
Create a static role mapping (long rotation period used in demo to emulate static creds):
```powershell
vault write database/static-roles/mssql_static `
db_name=mssql_static `
username="vault_static" `
rotation_statements="ALTER LOGIN [{{name}}] WITH PASSWORD = '{{password}}';" `
rotation_period="876000h"
```
Read the credential (returns username/password):
```powershell
vault read database/static-creds/mssql_static
```
### MSSQL — Dynamic credentials
Configure connection (use a user with privilege to create logins/users):
```powershell
vault write database/config/mssql_dynamic `
plugin_name=mssql-database-plugin `
connection_url='sqlserver://{{username}}:{{password}}@localhost:1433' `
allowed_roles="mssql_dynamic" `
username="vault_login" `
password=""
```
Role that creates a temporary login and user with SELECT privileges:
```powershell
vault write database/roles/mssql_dynamic `
db_name=mssql_dynamic `
creation_statements="CREATE LOGIN [{{name}}] WITH PASSWORD = '{{password}}'; USE [test_db_2]; CREATE USER [{{name}}] FOR LOGIN [{{name}}]; GRANT SELECT ON SCHEMA::dbo TO [{{name}}];" `
revocation_statements="DROP USER IF EXISTS [{{name}}]; DROP LOGIN IF EXISTS [{{name}}];" `
default_ttl="1h" `
max_ttl="24h"
```
Generate dynamic credentials:
```powershell
vault read database/creds/mssql_dynamic
```
### PostgreSQL — Dynamic credentials
Configure connection to PostgreSQL (use a privileged account):
```powershell
vault write database/config/postgresql_dynamic `
plugin_name="postgresql-database-plugin" `
allowed_roles="postgresql_dynamic" `
connection_url="postgresql://{{username}}:{{password}}@localhost:5432/test_db_1" `
username="vault_user" `
password="" `
password_authentication="scram-sha-256"
```
Role that creates a temporary PostgreSQL role with SELECT privileges:
```powershell
vault write database/roles/postgresql_dynamic `
db_name="postgresql_dynamic" `
creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";" `
default_ttl="1h" `
max_ttl="24h"
```
Generate a credential and connect using `psql`:
```powershell
$creds = vault read -format=json database/creds/postgresql_dynamic | ConvertFrom-Json
psql -h localhost -p 5432 -U $creds.data.username -d test_db_1
```
---
## Cleanup
- Stop and remove containers:
```powershell
docker compose down -v
```
- Remove any generated logins/users you created during the demo (use SSMS or `sqlcmd` to run cleanup statements).