secrets/database: adds ability to manage alternative credential types and configuration #15376
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
… and configuration
austingebauer
commented
May 11, 2022
swenson
reviewed
May 11, 2022
| @@ -27,6 +27,8 @@ message NewUserRequest { | |||
| google.protobuf.Timestamp expiration = 3; | |||
| Statements statements = 4; | |||
| Statements rollback_statements = 5; | |||
| int32 credential_type = 6; | |||
| bytes public_key = 7; | |||
There was a problem hiding this comment.
Maybe a minor thing, but since we're only using PEM-encoded keys, those should all be valid strings, right?
I mostly worry that bytes (or []byte) above might lead someone to think we're using something like DER.
There was a problem hiding this comment.
Yep, I originally used a string type here. I would be fine going back to string since we are going with PEM encoding. Will do so if others agree.
There was a problem hiding this comment.
I don't have a strong preference either way. FWIW the standard library call pem.EncodeToMemory also returns it as []byte.
calvn
reviewed
May 12, 2022
swenson
reviewed
May 12, 2022
swenson
approved these changes
May 12, 2022
calvn
reviewed
May 13, 2022
calvn
approved these changes
May 13, 2022
Gabrielopesantos
pushed a commit
to Gabrielopesantos/vault
that referenced
this pull request
Jun 6, 2022
… and configuration (hashicorp#15376)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Overview
This PR adds the ability for the database secrets engine to manage alternative credential types and configuration. This provides the foundation for the secrets engine to start managing database credentials other than passwords (e.g., asymmetric keys, x.509 client certificates).
Initially, this will be used to enable Vault to manage RSA key pair credentials to be consumed by the Snowflake database plugin. This will enable clients to use key pair authentication using a Vault-managed credential. See hashicorp/vault-plugin-database-snowflake#15 for example usage on the plugin side.
Dynamic Role Usage:
Static Role Usage:
vault write database/static-roles/my-static-role \ db_name=my-snowflake-database \ rotation_statements="ALTER USER {{name}} SET RSA_PUBLIC_KEY='{{public_key}}'" # Optional username="static_user_keypair" \ rotation_period="5m" \ credential_type="rsa_private_key" \ credential_config=key_bits=2048 \ # Optional credential_config=format="pkcs8" # OptionalTesting
Basic testing has been included in this PR. Tests that integrate with Snowflake to use RSA key pair credentials are included in the Snowflake database plugin PR.
Additional tests are in progress and will be included in further commits.