https://github.com/andrefaria24/demo-vault-db-secrets-engine

A compact demo that shows how HashiCorp Vault's Database Secrets Engine can manage both static and dynamic credentials for Microsoft SQL Server and PostgreSQL

# Vault Database Secrets Engine Demo

A compact demo that shows how HashiCorp Vault's Database Secrets Engine can manage both static and dynamic credentials
for Microsoft SQL Server and PostgreSQL.

The repo includes a Docker Compose file for local databases and a sample
`setup.sql` script to initialize the SQL Server databases and logins.

## Table of Contents
- Prerequisites
- Demo Setup
- Manual Vault configuration examples (static & dynamic roles)
- Cleanup

---

## Prerequisites
- Docker (to run database containers)
- HashiCorp Vault CLI (tested with Vault v1.20.x)
- `psql` client for PostgreSQL testing
- `sqlcmd` client for running T-SQL scripts against SQL Server
- (Optional) SQL Server Management Studio for interactive inspection
- PowerShell 7.x is recommended for wrapper scripts in this repo (or adapt the commands for your shell)

---

## Demo Setup
These steps get the demo running locally with minimal friction.

1. Clone the repository and change into it:

```powershell
git clone
cd vault-db-secrets-engine-demo
```

2. Start the database containers (this repo's `docker-compose.yml` will bring up SQL Server and PostgreSQL):

```powershell
docker compose up -d
```

3. Initialize the SQL Server objects securely.

- Open `setup.sql` in SSMS (Query > SQLCMD Mode) and replace placeholders like `` with secure values provided at runtime; do not commit real passwords into the script. The same script can also be run non-interactively with `sqlcmd` (see Prerequisites), passing the placeholder values as scripting variables instead of editing the file.

4. Start a Vault dev server for testing. The dev server is in-memory, starts unsealed, listens on `127.0.0.1:8200` over plain HTTP and prints its root token at startup; everything written to it is lost when the process exits, and it must never be exposed beyond the local machine:

```powershell
vault server -dev
```

5. Configure Vault environment variables for the CLI (paste the root token printed by the dev server into `VAULT_TOKEN`; keep it out of shell history and scripts):

```powershell
$env:VAULT_ADDR = 'http://127.0.0.1:8200'
$env:VAULT_TOKEN = ''
```

6. Enable the database secrets engine:

```powershell
vault secrets enable database
```

### MSSQL — Static credentials
Configure the database connection in Vault (static credentials example). `vault_login` is the account Vault uses to manage the database; for a static role it needs the server-level `ALTER ANY LOGIN` permission so it can change the target login's password. The `{{username}}`/`{{password}}` placeholders in `connection_url` are filled from the `username` and `password` fields, which keeps the password out of a later `vault read database/config/mssql_static`:

```powershell
vault write database/config/mssql_static `
plugin_name=mssql-database-plugin `
connection_url='sqlserver://{{username}}:{{password}}@localhost:1433' `
allowed_roles="mssql_static" `
username="vault_login" `
password=""
```

Create a static role mapping. A static role manages the password of an existing login (`vault_static` here) rather than creating new ones, and Vault rotates that password as soon as the role is created, so anything still using the login's old password breaks at that point. The very long `rotation_period` used in the demo emulates a credential that is effectively static; in practice pick a period short enough that a leaked password has limited value:

```powershell
vault write database/static-roles/mssql_static `
db_name=mssql_static `
username="vault_static" `
rotation_statements="ALTER LOGIN [{{name}}] WITH PASSWORD = '{{password}}';" `
rotation_period="876000h"
```

Read the credential (returns username/password):

```powershell
vault read database/static-creds/mssql_static
```
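An added check (example code written for this page, not part of the demo repo) that a static role really rotates: it reads the current static credential, forces a rotation through Vault's `rotate-role` endpoint, and confirms that the old password is rejected and the new one accepted. It assumes the compose SQL Server is reachable at `localhost,1433`, that `VAULT_ADDR`/`VAULT_TOKEN` are set in the session, and that the `vault_static` login already exists (created by `setup.sql`).

```powershell
# Added example: verify static-role rotation end to end.
# Assumes SQL Server on localhost,1433 and VAULT_ADDR/VAULT_TOKEN already set.

function Get-StaticCred {
    # Returns the current static credential (username, password, last_vault_rotation, ttl).
    vault read -format=json database/static-creds/mssql_static | ConvertFrom-Json
}

function Test-SqlLogin([string]$User, [string]$Password) {
    # Returns $true when the login can open a session.
    # -b: non-zero exit code on error; -C: trust the container's self-signed certificate
    # (required by sqlcmd/ODBC 18+, which encrypt by default; harmless on older versions).
    # The server name is quoted so PowerShell does not split "localhost,1433" into an array.
    sqlcmd -S 'localhost,1433' -U $User -P $Password -b -C -Q 'SELECT SUSER_NAME();' *> $null
    return ($LASTEXITCODE -eq 0)
}

$before = Get-StaticCred
Write-Host "Static login $($before.data.username), last rotated $($before.data.last_vault_rotation)"
if (-not (Test-SqlLogin $before.data.username $before.data.password)) {
    throw 'Current static password does not authenticate; check setup.sql and the role config'
}

# Force an out-of-band rotation; Vault runs rotation_statements against SQL Server.
vault write -f database/rotate-role/mssql_static | Out-Null

$after = Get-StaticCred
if ($after.data.password -eq $before.data.password) { throw 'Password did not rotate' }
if (Test-SqlLogin $before.data.username $before.data.password) { throw 'Old password still works after rotation' }
if (-not (Test-SqlLogin $after.data.username $after.data.password)) { throw 'New password rejected by SQL Server' }
Write-Host 'Rotation OK: old password rejected, new password accepted'
```

Run it once the static role above exists. In a real deployment, follow the configuration step with `vault write -f database/rotate-root/mssql_static` so that the `vault_login` password is known only to Vault and not to whoever ran the setup.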

### MSSQL — Dynamic credentials
Configure the connection for dynamic credentials. The managing login needs server-level `ALTER ANY LOGIN` (to create and drop logins) and, in `test_db_2`, `ALTER ANY USER` plus the right to grant SELECT on `dbo`. The demo reuses `vault_login`; a separate, narrowly privileged account per configuration keeps the blast radius of a compromised managing credential smaller:

```powershell
vault write database/config/mssql_dynamic `
plugin_name=mssql-database-plugin `
connection_url='sqlserver://{{username}}:{{password}}@localhost:1433' `
allowed_roles="mssql_dynamic" `
username="vault_login" `
password=""
```

Role that creates a temporary login and a user in `test_db_2` with SELECT on the `dbo` schema. The revocation statements switch to `test_db_2` before dropping the user: without that `USE`, `DROP USER IF EXISTS` runs in the login's default database, leaves an orphaned user behind in `test_db_2`, and the `DROP LOGIN` still succeeds. If `revocation_statements` is omitted entirely, the MSSQL plugin's built-in revocation kills the login's sessions and removes the user from every database before dropping the login; custom statements replace that logic, so a login with an open session will fail to drop ("currently logged in") until the session ends:

```powershell
vault write database/roles/mssql_dynamic `
db_name=mssql_dynamic `
creation_statements="CREATE LOGIN [{{name}}] WITH PASSWORD = '{{password}}'; USE [test_db_2]; CREATE USER [{{name}}] FOR LOGIN [{{name}}]; GRANT SELECT ON SCHEMA::dbo TO [{{name}}];" `
revocation_statements="USE [test_db_2]; DROP USER IF EXISTS [{{name}}]; DROP LOGIN IF EXISTS [{{name}}];" `
default_ttl="1h" `
max_ttl="24h"
```

Generate dynamic credentials:

```powershell
vault read database/creds/mssql_dynamic
```
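An added check (example code for this page, not from the demo repo) that a dynamic credential is least-privilege and that revocation actually removes it: it requests a credential, confirms that SELECT works in `test_db_2` while `CREATE TABLE` is refused, revokes the lease early, and confirms the login can no longer connect. It assumes the compose SQL Server on `localhost,1433` and the Vault environment variables from the setup steps.

```powershell
# Added example: prove least privilege and revocation for the mssql_dynamic role.
# Assumes SQL Server on localhost,1433 and VAULT_ADDR/VAULT_TOKEN already set.

function Invoke-SqlAs([string]$User, [string]$Password, [string]$Query, [string]$Database = 'master') {
    # Runs one batch as the given login and returns $true on success.
    # -b: non-zero exit code on any error; -C: trust the container's self-signed certificate.
    sqlcmd -S 'localhost,1433' -d $Database -U $User -P $Password -b -C -Q $Query *> $null
    return ($LASTEXITCODE -eq 0)
}

# Each read issues a fresh login/user pair under a Vault lease.
$lease = vault read -format=json database/creds/mssql_dynamic | ConvertFrom-Json
$u = $lease.data.username
$p = $lease.data.password
Write-Host "Issued $u (lease $($lease.lease_id), TTL $($lease.lease_duration)s)"

# Positive check: the login exists and can read inside test_db_2.
if (-not (Invoke-SqlAs $u $p 'SELECT DB_NAME(), SUSER_NAME();' 'test_db_2')) {
    throw 'SELECT as the dynamic user failed'
}

# Negative check: a SELECT-only role must not be able to create objects.
# (If this ever succeeds the role is over-privileged; the probe table would then need dropping.)
if (Invoke-SqlAs $u $p 'CREATE TABLE dbo.vault_probe (id int);' 'test_db_2') {
    throw 'Dynamic user can CREATE TABLE; the role grants more than SELECT'
}

# Revoke early: Vault runs revocation_statements immediately rather than at TTL expiry.
# sqlcmd sessions above have already closed, so DROP LOGIN is not blocked by an open session.
vault lease revoke $lease.lease_id | Out-Null

if (Invoke-SqlAs $u $p 'SELECT 1;') { throw 'Login still authenticates after revocation' }
Write-Host 'OK: least privilege holds and revocation removed the login'
```

The negative check matters more than the positive one: a role whose `creation_statements` quietly grant too much is the most common way a "dynamic, short-lived" credential ends up being a standing privilege.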

### PostgreSQL — Dynamic credentials
Configure the connection to PostgreSQL. The managing account (`vault_user`) needs `CREATEROLE` and must either own the tables in `public` or hold SELECT on them with grant option, otherwise the role's `GRANT` will fail. `password_authentication="scram-sha-256"` makes Vault hash each generated password with SCRAM-SHA-256 before it is sent in `CREATE ROLE`/`ALTER ROLE`, so the plaintext never appears in the SQL statement or in server statement logging:

```powershell
vault write database/config/postgresql_dynamic `
plugin_name="postgresql-database-plugin" `
allowed_roles="postgresql_dynamic" `
connection_url="postgresql://{{username}}:{{password}}@localhost:5432/test_db_1" `
username="vault_user" `
password="" `
password_authentication="scram-sha-256"
```

Role that creates a temporary PostgreSQL role with SELECT privileges. `{{expiration}}` sets `VALID UNTIL`, so the role stops working at the lease's expiry even if Vault's revocation never reaches the database. Note that `GRANT SELECT ON ALL TABLES IN SCHEMA public` only covers tables that exist when the role is created; tables added later need `ALTER DEFAULT PRIVILEGES` set by their owner. No `revocation_statements` are given, so the plugin's default revocation (revoke the role's privileges, then `DROP ROLE`) is used:

```powershell
vault write database/roles/postgresql_dynamic `
db_name="postgresql_dynamic" `
creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";" `
default_ttl="1h" `
max_ttl="24h"
```

Generate a credential and connect using `psql`. The password is handed over through `PGPASSWORD` so it is neither typed interactively nor visible on the command line in the process list; clear it when done:

```powershell
$creds = vault read -format=json database/creds/postgresql_dynamic | ConvertFrom-Json
$env:PGPASSWORD = $creds.data.password
psql -h localhost -p 5432 -U $creds.data.username -d test_db_1
Remove-Item Env:PGPASSWORD
```
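An added walk-through of the lease lifecycle for the PostgreSQL role (example code for this page, not part of the demo repo): it issues a credential, reads the `VALID UNTIL` that `{{expiration}}` produced, renews the lease while asking for more than `max_ttl` to show that Vault caps the renewal, checks that the database-side expiry moved with it, and finally gives the credential back. It assumes PostgreSQL on `localhost:5432` with `test_db_1`, `psql` on the path, and the Vault environment variables from the setup steps.

```powershell
# Added example: issue -> inspect -> renew (capped by max_ttl) -> revoke for postgresql_dynamic.
# Assumes PostgreSQL on localhost:5432, database test_db_1, VAULT_ADDR/VAULT_TOKEN set.

function Invoke-PgAs([string]$User, [string]$Password, [string]$Sql) {
    # Runs one statement as the dynamic role and returns psql's bare output.
    # -tA: tuples only, unaligned; -v ON_ERROR_STOP=1: non-zero exit on SQL errors.
    $env:PGPASSWORD = $Password
    try {
        psql -h localhost -p 5432 -U $User -d test_db_1 -tA -v ON_ERROR_STOP=1 -c $Sql 2>$null
    }
    finally {
        Remove-Item Env:PGPASSWORD -ErrorAction SilentlyContinue
    }
}

$lease = vault read -format=json database/creds/postgresql_dynamic | ConvertFrom-Json
$u = $lease.data.username
$p = $lease.data.password
Write-Host "Issued $u, lease $($lease.lease_id), TTL $($lease.lease_duration)s (default_ttl=1h)"

# VALID UNTIL was filled from {{expiration}} in creation_statements; pg_roles is world-readable.
$validUntil = Invoke-PgAs $u $p 'SELECT rolvaliduntil FROM pg_roles WHERE rolname = current_user;'
Write-Host "PostgreSQL reports the role expiring at $validUntil"

# Ask for 48h, more than max_ttl (24h). Vault warns, caps the TTL at what remains of
# max_ttl measured from issue time, and still returns the renewed lease.
$renewed = vault lease renew -increment=48h -format=json $lease.lease_id | ConvertFrom-Json
Write-Host "Renewed lease TTL: $($renewed.lease_duration)s"
if ($renewed.lease_duration -gt 86400) { throw 'Renewal exceeded max_ttl; check the role definition' }

# The plugin's default renewal runs ALTER ROLE ... VALID UNTIL '{{expiration}}', so the
# database-side expiry should now be later than the value read before the renewal.
$validUntilAfter = Invoke-PgAs $u $p 'SELECT rolvaliduntil FROM pg_roles WHERE rolname = current_user;'
Write-Host "After renewal the role expires at $validUntilAfter"

# Return the credential; the default revocation revokes its privileges and drops the role.
vault lease revoke $lease.lease_id | Out-Null
Write-Host "Lease $($lease.lease_id) revoked"
```

The point of comparing `rolvaliduntil` before and after the renewal is that a credential's lifetime is enforced in two places, the Vault lease and the database role, and the two only stay consistent if renewals propagate; a role with custom `renew_statements` that forget `VALID UNTIL` would keep the Vault lease alive while the database silently stops accepting the password.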

---

## Cleanup
- Revoke any outstanding dynamic-credential leases while the databases are still running, so Vault executes the revocation statements against them (for example `vault lease revoke -prefix database/creds/`); stopping the dev server on its own discards the leases without cleaning up the database side.

- Stop and remove containers (`-v` also deletes the data volumes, so the databases start empty next time):

```powershell
docker compose down -v
```

- Remove any remaining logins/users you created during the demo (use SSMS or `sqlcmd` to run cleanup statements).