Secret Backend Static Role
Creates a Database Secret Backend static role in Vault. Database secret backend static roles manage a 1-to-1 mapping between a Vault role and an existing user in the database.
Example Usage
import * as pulumi from "@pulumi/pulumi";
import * as vault from "@pulumi/vault";
// Statement Vault executes on every rotation; the `{{name}}`/`{{password}}`
// placeholders are presumably filled in by Vault for the managed user — confirm
// against the database plugin's documentation.
const rotatePasswordSql = ["ALTER USER \"{{name}}\" WITH PASSWORD '{{password}}';"];
// Existing database user whose password both static roles manage.
const managedUser = "example";

// Mount the database secret backend at the "postgres" path.
const dbMount = new vault.Mount("db", {
    path: "postgres",
    type: "database",
});

// Connection the backend uses to reach PostgreSQL.
// NOTE(review): the URL carries literal credentials. In a real program source them
// from a Pulumi secret config value rather than a string literal so they are not
// stored in plain text — confirm how the provider treats this field.
const pgConnection = new vault.database.SecretBackendConnection("postgres", {
    backend: dbMount.path,
    name: "postgres",
    // "*" presumably allows every role on this mount to use the connection;
    // listing the role names explicitly is the tighter setting — verify.
    allowedRoles: ["*"],
    postgresql: {
        connectionUrl: "postgres://username:password@host:port/database",
    },
});

// Static role rotated on a fixed period (in seconds).
// rotationPeriod and rotationSchedule are mutually exclusive; set exactly one.
const periodicRole = new vault.database.SecretBackendStaticRole("period_role", {
    backend: dbMount.path,
    name: "my-period-role",
    dbName: pgConnection.name,
    username: managedUser,
    rotationPeriod: 3600,
    rotationStatements: rotatePasswordSql,
});

// Static role rotated on a cron schedule; rotationWindow (seconds) bounds how long
// after the scheduled time a rotation may still occur.
const scheduledRole = new vault.database.SecretBackendStaticRole("schedule_role", {
    backend: dbMount.path,
    name: "my-schedule-role",
    dbName: pgConnection.name,
    username: managedUser,
    rotationSchedule: "0 0 * * SAT",
    rotationWindow: 172800,
    rotationStatements: rotatePasswordSql,
});
import pulumi
import pulumi_vault as vault
# Statement Vault executes on every rotation; the {{name}}/{{password}}
# placeholders are presumably filled in by Vault for the managed user — confirm
# against the database plugin's documentation.
ROTATE_PASSWORD_SQL = "ALTER USER \"{{name}}\" WITH PASSWORD '{{password}}';"
# Existing database user whose password both static roles manage.
MANAGED_USER = "example"

# Mount the database secret backend at the "postgres" path.
db_mount = vault.Mount(
    "db",
    path="postgres",
    type="database",
)

# Connection the backend uses to reach PostgreSQL.
# NOTE(review): the URL carries literal credentials. In a real program source them
# from a Pulumi secret config value rather than a string literal so they are not
# stored in plain text — confirm how the provider treats this field.
pg_connection = vault.database.SecretBackendConnection(
    "postgres",
    backend=db_mount.path,
    name="postgres",
    # "*" presumably allows every role on this mount to use the connection;
    # listing the role names explicitly is the tighter setting — verify.
    allowed_roles=["*"],
    postgresql={
        "connection_url": "postgres://username:password@host:port/database",
    },
)

# Static role rotated on a fixed period (in seconds).
# rotation_period and rotation_schedule are mutually exclusive; set exactly one.
periodic_role = vault.database.SecretBackendStaticRole(
    "period_role",
    backend=db_mount.path,
    name="my-period-role",
    db_name=pg_connection.name,
    username=MANAGED_USER,
    rotation_period=3600,
    rotation_statements=[ROTATE_PASSWORD_SQL],
)

# Static role rotated on a cron schedule; rotation_window (seconds) bounds how long
# after the scheduled time a rotation may still occur.
scheduled_role = vault.database.SecretBackendStaticRole(
    "schedule_role",
    backend=db_mount.path,
    name="my-schedule-role",
    db_name=pg_connection.name,
    username=MANAGED_USER,
    rotation_schedule="0 0 * * SAT",
    rotation_window=172800,
    rotation_statements=[ROTATE_PASSWORD_SQL],
)
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Vault = Pulumi.Vault;
return await Deployment.RunAsync(() =>
{
    // Statement Vault executes on every rotation; the {{name}}/{{password}}
    // placeholders are presumably filled in by Vault for the managed user — confirm
    // against the database plugin's documentation.
    var rotatePasswordSql = new[] { "ALTER USER \"{{name}}\" WITH PASSWORD '{{password}}';" };
    // Existing database user whose password both static roles manage.
    var managedUser = "example";

    // Mount the database secret backend at the "postgres" path.
    var dbMount = new Vault.Mount("db", new Vault.MountArgs
    {
        Path = "postgres",
        Type = "database",
    });

    // Connection the backend uses to reach PostgreSQL.
    // NOTE(review): the URL carries literal credentials. In a real program source them
    // from a Pulumi secret config value rather than a string literal so they are not
    // stored in plain text — confirm how the provider treats this field.
    var pgConnection = new Vault.Database.SecretBackendConnection("postgres", new Vault.Database.SecretBackendConnectionArgs
    {
        Backend = dbMount.Path,
        Name = "postgres",
        // "*" presumably allows every role on this mount to use the connection;
        // listing the role names explicitly is the tighter setting — verify.
        AllowedRoles = new[] { "*" },
        Postgresql = new Vault.Database.Inputs.SecretBackendConnectionPostgresqlArgs
        {
            ConnectionUrl = "postgres://username:password@host:port/database",
        },
    });

    // Static role rotated on a fixed period (in seconds).
    // RotationPeriod and RotationSchedule are mutually exclusive; set exactly one.
    var periodicRole = new Vault.Database.SecretBackendStaticRole("period_role", new Vault.Database.SecretBackendStaticRoleArgs
    {
        Backend = dbMount.Path,
        Name = "my-period-role",
        DbName = pgConnection.Name,
        Username = managedUser,
        RotationPeriod = 3600,
        RotationStatements = rotatePasswordSql,
    });

    // Static role rotated on a cron schedule; RotationWindow (seconds) bounds how long
    // after the scheduled time a rotation may still occur.
    var scheduledRole = new Vault.Database.SecretBackendStaticRole("schedule_role", new Vault.Database.SecretBackendStaticRoleArgs
    {
        Backend = dbMount.Path,
        Name = "my-schedule-role",
        DbName = pgConnection.Name,
        Username = managedUser,
        RotationSchedule = "0 0 * * SAT",
        RotationWindow = 172800,
        RotationStatements = rotatePasswordSql,
    });
});
package main
import (
"github.com/pulumi/pulumi-vault/sdk/v6/go/vault"
"github.com/pulumi/pulumi-vault/sdk/v6/go/vault/database"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main registers a database secret backend, a PostgreSQL connection and two
// static roles (one period-based, one schedule-based) with the Pulumi engine.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Statement Vault executes on every rotation; the {{name}}/{{password}}
		// placeholders are presumably filled in by Vault for the managed user —
		// confirm against the database plugin's documentation.
		rotatePasswordSql := pulumi.StringArray{
			pulumi.String("ALTER USER \"{{name}}\" WITH PASSWORD '{{password}}';"),
		}
		// Existing database user whose password both static roles manage.
		managedUser := pulumi.String("example")

		// Mount the database secret backend at the "postgres" path.
		dbMount, err := vault.NewMount(ctx, "db", &vault.MountArgs{
			Path: pulumi.String("postgres"),
			Type: pulumi.String("database"),
		})
		if err != nil {
			return err
		}

		// Connection the backend uses to reach PostgreSQL.
		// NOTE(review): the URL carries literal credentials. In a real program source
		// them from a Pulumi secret config value rather than a string literal so they
		// are not stored in plain text — confirm how the provider treats this field.
		pgConnection, err := database.NewSecretBackendConnection(ctx, "postgres", &database.SecretBackendConnectionArgs{
			Backend: dbMount.Path,
			Name:    pulumi.String("postgres"),
			// "*" presumably allows every role on this mount to use the connection;
			// listing the role names explicitly is the tighter setting — verify.
			AllowedRoles: pulumi.StringArray{
				pulumi.String("*"),
			},
			Postgresql: &database.SecretBackendConnectionPostgresqlArgs{
				ConnectionUrl: pulumi.String("postgres://username:password@host:port/database"),
			},
		})
		if err != nil {
			return err
		}

		// Static role rotated on a fixed period (in seconds).
		// RotationPeriod and RotationSchedule are mutually exclusive; set exactly one.
		if _, err = database.NewSecretBackendStaticRole(ctx, "period_role", &database.SecretBackendStaticRoleArgs{
			Backend:            dbMount.Path,
			Name:               pulumi.String("my-period-role"),
			DbName:             pgConnection.Name,
			Username:           managedUser,
			RotationPeriod:     pulumi.Int(3600),
			RotationStatements: rotatePasswordSql,
		}); err != nil {
			return err
		}

		// Static role rotated on a cron schedule; RotationWindow (seconds) bounds how
		// long after the scheduled time a rotation may still occur.
		if _, err = database.NewSecretBackendStaticRole(ctx, "schedule_role", &database.SecretBackendStaticRoleArgs{
			Backend:            dbMount.Path,
			Name:               pulumi.String("my-schedule-role"),
			DbName:             pgConnection.Name,
			Username:           managedUser,
			RotationSchedule:   pulumi.String("0 0 * * SAT"),
			RotationWindow:     pulumi.Int(172800),
			RotationStatements: rotatePasswordSql,
		}); err != nil {
			return err
		}

		return nil
	})
}
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.vault.Mount;
import com.pulumi.vault.MountArgs;
import com.pulumi.vault.database.SecretBackendConnection;
import com.pulumi.vault.database.SecretBackendConnectionArgs;
import com.pulumi.vault.database.inputs.SecretBackendConnectionPostgresqlArgs;
import com.pulumi.vault.database.SecretBackendStaticRole;
import com.pulumi.vault.database.SecretBackendStaticRoleArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
/**
 * Registers a database secret backend, a PostgreSQL connection and two static
 * roles (one period-based, one schedule-based) with the Pulumi engine.
 */
public class App {
    /**
     * Statement Vault executes on every rotation. The {{name}}/{{password}}
     * placeholders are presumably filled in by Vault for the managed user —
     * confirm against the database plugin's documentation.
     */
    private static final String ROTATE_PASSWORD_SQL =
        "ALTER USER \"{{name}}\" WITH PASSWORD '{{password}}';";

    /** Existing database user whose password both static roles manage. */
    private static final String MANAGED_USER = "example";

    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        // Mount the database secret backend at the "postgres" path.
        var dbMount = new Mount("db", MountArgs.builder()
            .path("postgres")
            .type("database")
            .build());

        // Connection the backend uses to reach PostgreSQL.
        // NOTE(review): the URL carries literal credentials. In a real program source
        // them from a Pulumi secret config value rather than a string literal so they
        // are not stored in plain text — confirm how the provider treats this field.
        var pgConnection = new SecretBackendConnection("postgres", SecretBackendConnectionArgs.builder()
            .backend(dbMount.path())
            .name("postgres")
            // "*" presumably allows every role on this mount to use the connection;
            // listing the role names explicitly is the tighter setting — verify.
            .allowedRoles("*")
            .postgresql(SecretBackendConnectionPostgresqlArgs.builder()
                .connectionUrl("postgres://username:password@host:port/database")
                .build())
            .build());

        // Static role rotated on a fixed period (in seconds).
        // rotationPeriod and rotationSchedule are mutually exclusive; set exactly one.
        var periodicRole = new SecretBackendStaticRole("periodRole", SecretBackendStaticRoleArgs.builder()
            .backend(dbMount.path())
            .name("my-period-role")
            .dbName(pgConnection.name())
            .username(MANAGED_USER)
            .rotationPeriod("3600")
            .rotationStatements(ROTATE_PASSWORD_SQL)
            .build());

        // Static role rotated on a cron schedule; rotationWindow (seconds) bounds how
        // long after the scheduled time a rotation may still occur.
        var scheduledRole = new SecretBackendStaticRole("scheduleRole", SecretBackendStaticRoleArgs.builder()
            .backend(dbMount.path())
            .name("my-schedule-role")
            .dbName(pgConnection.name())
            .username(MANAGED_USER)
            .rotationSchedule("0 0 * * SAT")
            .rotationWindow("172800")
            .rotationStatements(ROTATE_PASSWORD_SQL)
            .build());
    }
}
resources:
  # Mount the database secret backend at the "postgres" path.
  db:
    type: vault:Mount
    properties:
      path: postgres
      type: database
  # Connection the backend uses to reach PostgreSQL.
  # NOTE(review): connectionUrl carries literal credentials. In a real program
  # source them from a Pulumi secret config value rather than a literal so they
  # are not stored in plain text — confirm how the provider treats this field.
  postgres:
    type: vault:database:SecretBackendConnection
    properties:
      backend: ${db.path}
      name: postgres
      # "*" presumably allows every role on this mount to use the connection;
      # listing the role names explicitly is the tighter setting — verify.
      allowedRoles:
        - '*'
      postgresql:
        connectionUrl: postgres://username:password@host:port/database
  # configure a static role with period-based rotations
  # rotationPeriod and rotationSchedule are mutually exclusive; set exactly one.
  periodRole:
    type: vault:database:SecretBackendStaticRole
    name: period_role
    properties:
      backend: ${db.path}
      name: my-period-role
      dbName: ${postgres.name}
      username: example
      rotationPeriod: '3600'
      # Statement Vault executes on every rotation; {{name}}/{{password}} are
      # presumably filled in by Vault for the managed user — confirm.
      rotationStatements:
        - ALTER USER "{{name}}" WITH PASSWORD '{{password}}';
  # configure a static role with schedule-based rotations
  # rotationWindow (seconds) bounds how long after the scheduled time a rotation may occur.
  scheduleRole:
    type: vault:database:SecretBackendStaticRole
    name: schedule_role
    properties:
      backend: ${db.path}
      name: my-schedule-role
      dbName: ${postgres.name}
      username: example
      rotationSchedule: 0 0 * * SAT
      rotationWindow: '172800'
      rotationStatements:
        - ALTER USER "{{name}}" WITH PASSWORD '{{password}}';
Import
Database secret backend static roles can be imported using the backend path, `/static-roles/`, and the role name, e.g.
$ pulumi import vault:database/secretBackendStaticRole:SecretBackendStaticRole example postgres/static-roles/my-role
Properties
The credential type for the user; can be one of "password", "rsa_private_key" or "client_certificate". The credential can be configured in credential_config.
The amount of time Vault should wait before rotating the password, in seconds. Mutually exclusive with rotation_schedule.
A cron-style string that defines the schedule on which rotations should occur. Mutually exclusive with rotation_period. Warning: the rotation_period and rotation_schedule fields are mutually exclusive; exactly one of them must be set.
Database statements to execute to rotate the password for the configured database user.
The amount of time, in seconds, during which rotations are allowed to occur, starting from a given rotation_schedule.
The password corresponding to the username in the database. Required when using the Rootless Password Rotation workflow for static roles. Only enabled for select DB engines (Postgres). Requires Vault 1.18+ Enterprise.
If set to true, Vault will skip the initial secret rotation on import. Requires Vault 1.18+ Enterprise.