README
¶
Vault Aerospike Database Secrets Engine
A Vault plugin to dynamically generate credentials based on configured roles for Aerospike database. It also supports Static Roles.
Vault Version
- Vault 1.6+
Capabilities
| Root Credential Rotation | Dynamic Roles | Static Roles |
|---|---|---|
| Yes | Yes | Yes |
Build
-
Clone the repository,
$ git clone https://github.com/spkesan/vault-aerospike-database-secrets-engine.git $ cd vault-aerospike-database-secrets-engine/ -
Build the plugin
$ make plugin
Usage
Install the plugin
-
Add the plugin binary
vault-aerospike-database-secrets-engineto theplugin_directoryconfigured in Vault. -
Register the plugin,
$ vault write sys/plugins/catalog/database/vault-aerospike-database-secrets-engine \ sha256=$(sha256sum vault-aerospike-database-secrets-engine | awk '{print $1}') \ command="vault-aerospike-database-secrets-engine"
Setup
-
Enable the database secrets engine if it is not already enabled
$ vault secrets enable database Success! Enabled the database secrets engine at: database/By default, the secrets engine will enable at the name of the engine. To enable the secrets engine at a different path, use the
-pathargument. -
Configure Vault with the proper plugin and connection information
$ vault write database/config/aerospike-enterprise \ plugin_name=vault-aerospike-database-secrets-engine \ allowed_roles="*" \ db_host="localhost" \ db_port=3000 \ username="admin" \ password="admin"See configurations for Aerospike connection
It is recommended that you immediately rotate the root user's password. The root user's password will not be accessible once rotated so you must create a separate user with
user-adminaccess for Vault to utilize rather than using the actual root user. -
Configure a role that maps a name in Vault to a role definition in Aerospike
$ vault write database/roles/superuser \ db_name=aerospike-enterprise \ creation_statements='{"roles":["sys-admin","user-admin","data-admin","read-write-udf"]}' \ default_ttl=60s \ max_ttl=300s
Usage
- After the secrets engine is configured and a user/machine has a Vault token with the proper permission, it can generate credentials. Generate a new credentials by reading from the
/credsendpoint with the name of the role$ vault read database/creds/superuser
Static Roles
-
Configure a static role that maps a name in Vault to an existing Aerospike user.
$ vault write database/static-roles/static-superuser \ db_name="aerospike-enterprise" \ username="spkesan" \ rotation_period=5m -
Retrieve the credentials from the
/static-credsendpointvault read database/static-creds/static-superuser
Configurations for Aerospike connection
| Configs | Description | Type |
|---|---|---|
username |
User with user-admin access to Aerospike |
string |
password |
Password for the user-admin user |
string |
auth_mode |
Auth mode against Aerospike - internal or external |
string |
db_host |
Aerospike seed IP to connect | string |
db_port |
Aerospike seed Port to connect | integer |
timeout |
Aerospike connection timeout | integer |
cert_file |
Client certificate for TLS connection | string |
key_file |
Private key associated with the certificate | string |
key_file_passphrase |
Passphrase for encrypted private key | string |
tls_name |
TLS name of the Aerospike server | string |
root_ca |
Root CA to verify server certificate | string |
-
Certificates (
cert_file,key_file,root_ca) can be passed in following formats,"<file-path>""file:<file-path>""env-b64:<environment-variable-containing-base64-encoded-certificate>""b64:<base64-encoded-certificate>"
-
Credentials (
username,password,key_file_passphrase) can be passed in following formats,"<secret>""file:<file-containing-the-secret>""env:<environment-variable-containing-the-secret>""env-b64:<environment-variable-containing-the-base64-encoded-secret>""b64:<bas64-encoded-value-of-the-secret>"
Directories