https://github.com/night-crawler/vaultpost
Using Vault to generate short lifetime postgresql creds for Django
Last synced: 4 months ago
- Host: GitHub
- URL: https://github.com/night-crawler/vaultpost
- Owner: night-crawler
- Created: 2017-04-01T15:59:28.000Z (over 8 years ago)
- Default Branch: master
- Last Pushed: 2017-04-01T15:59:35.000Z (over 8 years ago)
- Last Synced: 2025-01-03T18:21:55.722Z (6 months ago)
- Topics: django, django-database, vault
- Language: Python
- Homepage:
- Size: 1.95 KB
- Stars: 0
- Watchers: 2
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
README
Inspired by https://github.com/jdelic/django-postgresql-setrole
https://github.com/hashicorp/vault/issues/1857#issuecomment-248441989
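```python
from posixpath import join  # Vault API paths always use forward slashes

# `client` is an authenticated Vault API client; the README does not show how it is created.
# PG_MOUNT is assumed to be the same mount as VAULT['MOUNT'] in the Django settings.
PG_MOUNT = 'force.fm/postgresql'

# Connection that Vault itself uses to create and drop the short-lived roles.
client.write(
    join(PG_MOUNT, 'config/connection'),
    lease='10s', lease_max='10s',
    connection_url='postgresql://'
                   'vault:azaza'
                   '@trash.force.fm:5432/postgres'
)

# Role template: each generated login role is a member of "force_fm" and expires with the lease.
client.write(
    join(PG_MOUNT, 'roles', 'db-full-access'),
    sql="""
        CREATE ROLE "{{name}}"
        WITH LOGIN ENCRYPTED PASSWORD '{{password}}'
        VALID UNTIL '{{expiration}}'
        IN ROLE "force_fm" INHERIT NOCREATEROLE NOCREATEDB NOSUPERUSER NOREPLICATION NOBYPASSRLS;
    """,
    revocation_sql="""
        DROP ROLE "{{name}}";
    """
)
```

```python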
import os

# CERTS_DIR must be defined earlier in the settings module; the README does not show it.
DATABASES = {
    'default': {
        'NAME': 'force_fm',
        'ENGINE': 'pgvault',
        'HOST': 'trash.force.fm',
        'USER': 'force_fm',  # SET ROLE USER
        'PORT': '',
        'CONN_MAX_AGE': 6000,
        'VAULT': {
            'URL': 'https://trash.force.fm:18400',
            'TOKEN': '',  # left empty in the README
            'MOUNT': 'force.fm/postgresql',
            'ROLE': 'db-full-access',  # Vault role defined above
            # Client certificate bundle and private key
            'CERTS': (
                os.path.join(CERTS_DIR, 'client1__bundle.crt'),
                os.path.join(CERTS_DIR, 'client1.key'),
            ),
            # Root CA certificate
            'VERIFY': os.path.join(CERTS_DIR, 'force.fm__root_ca.crt'),
        }
    }
}
```