Database
Note: Every method under the Database class includes a mount_point parameter that can be used to address the Database secret engine under a custom mount path. E.g., if enabling the Database secret engine using Vault's CLI commands via vault secrets enable -path=my-database database, the mount_point parameter in hvac.api.secrets_engines.Database() methods would be set to my-database.
Enable Database Secrets Engine
import hvac
client = hvac.Client()

# Mount the database secrets engine under the custom path 'my-database'
client.sys.enable_secrets_engine(
    backend_type='database',
    path='my-database'
)
Note: The example code below is for configuring and connecting to Postgres. See the official developer docs for a list of supported database plugins and their detailed configuration requirements.
Configuration
hvac.api.secrets_engines.Database.configure()
Configures the database engine:
import hvac
client = hvac.Client()

client.secrets.database.configure(
    name='db-connection-name',
    plugin_name='postgresql-database-plugin',
    # Only roles listed here may be created against this connection
    allowed_roles='role-name',
    # {{username}} and {{password}} are Vault template fields that the plugin
    # fills in from the values below; they are not Python format placeholders.
    # sslmode=disable sends the credentials in cleartext and is only suitable
    # for local testing.
    connection_url='postgresql://{{username}}:{{password}}@postgres:5432/postgres?sslmode=disable',
    username='db-username',
    password='db-password',
)
Note: The database needs to be created and available to connect to before you can configure the database secrets engine using the above configure method.
Read Configuration
hvac.api.secrets_engines.Database.read_connection()
Returns the configuration settings for a connection mounted under a path of my-database:
import hvac
client = hvac.Client()

connection_config = client.secrets.database.read_connection(
    name='db-connection-name',
    mount_point='my-database'
)
List Connections
hvac.api.secrets_engines.Database.list_connections()
Returns a list of available connections:
import hvac
client = hvac.Client()

connections = client.secrets.database.list_connections(
    mount_point='my-database'
)
Delete Connection
hvac.api.secrets_engines.Database.delete_connection()
Deletes a connection:
import hvac
client = hvac.Client()

client.secrets.database.delete_connection(
    name='db-connection-name',
    mount_point='my-database'
)
Reset Connection
hvac.api.secrets_engines.Database.reset_connection()
Closes a connection and its underlying plugin and restarts it with the configuration stored:
import hvac
client = hvac.Client()

client.secrets.database.reset_connection(
    name='db-connection-name',
    mount_point='my-database'
)
Create Role
hvac.api.secrets_engines.Database.create_role()
Creates or updates a role definition:
import hvac
client = hvac.Client()

# SQL to create a new user with read-only access to the public schema.
# {{name}}, {{password}} and {{expiration}} are filled in by the plugin
# for each set of credentials Vault generates.
creation_statements = [
    "CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';",
    "GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";"
]

# Create a new role for the PostgreSQL connection
client.secrets.database.create_role(
    name='role-name',
    db_name='db-connection-name',
    creation_statements=creation_statements,
    default_ttl='1h',
    max_ttl='24h',
    mount_point='my-database'
)
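The configure() and create_role() calls above only succeed together when the role's db_name points at an existing connection, the role is listed in that connection's allowed_roles, and the creation statements actually use the plugin's template fields. The following pre-flight check, added here as an example and not part of hvac or this page, validates a role definition against its connection before either call is made. It assumes the {{name}} and {{password}} template fields used on this page and a simplified Vault duration format (integer followed by s, m, h or d); the sample definitions are constructed to mirror the calls above.

```python
import re

# Template fields the PostgreSQL plugin fills in when it runs the creation
# statements; the statements on this page use these two (plus {{expiration}}).
REQUIRED_TEMPLATE_FIELDS = ("{{name}}", "{{password}}")

# Simplified Vault duration units (hypothetical helper, not part of hvac).
_DURATION_UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_duration(value):
    """Convert a Vault-style duration ('1h', '30m', '24h', or plain seconds) to seconds."""
    if isinstance(value, int):
        return value
    match = re.fullmatch(r"(\d+)([smhd]?)", str(value).strip())
    if match is None:
        raise ValueError(f"unrecognised duration: {value!r}")
    number, unit = match.groups()
    return int(number) * _DURATION_UNITS[unit]


def validate_role_against_connection(role, connection):
    """Return a list of problems with a role definition relative to its connection.

    `role` and `connection` are dicts holding the same keyword arguments you would
    pass to client.secrets.database.create_role() and .configure(). An empty list
    means the role is consistent with the connection it targets.
    """
    problems = []

    # The role must target the connection it will be created under.
    if role["db_name"] != connection["name"]:
        problems.append(
            f"role db_name {role['db_name']!r} does not match connection {connection['name']!r}"
        )

    # allowed_roles is a comma-separated string (or a list); '*' permits every role.
    allowed = connection.get("allowed_roles", "")
    if isinstance(allowed, str):
        allowed = [a.strip() for a in allowed.split(",") if a.strip()]
    if "*" not in allowed and role["name"] not in allowed:
        problems.append(
            f"role {role['name']!r} is not in the connection's allowed_roles {allowed}"
        )

    # Without the template fields the plugin cannot inject the generated username/password.
    statements = " ".join(role["creation_statements"])
    for field in REQUIRED_TEMPLATE_FIELDS:
        if field not in statements:
            problems.append(f"creation_statements never use the {field} template field")

    # A default TTL longer than the maximum is a sign the TTLs were mixed up.
    default_ttl = parse_duration(role.get("default_ttl", "0"))
    max_ttl = parse_duration(role.get("max_ttl", "0"))
    if max_ttl and default_ttl > max_ttl:
        problems.append(f"default_ttl {role['default_ttl']} exceeds max_ttl {role['max_ttl']}")

    return problems


# Constructed sample definitions mirroring the configure() and create_role() calls above.
SAMPLE_CONNECTION = {
    "name": "db-connection-name",
    "plugin_name": "postgresql-database-plugin",
    "allowed_roles": "role-name",
    "connection_url": "postgresql://{{username}}:{{password}}@postgres:5432/postgres?sslmode=disable",
}

SAMPLE_ROLE = {
    "name": "role-name",
    "db_name": "db-connection-name",
    "creation_statements": [
        "CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';",
        "GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";",
    ],
    "default_ttl": "1h",
    "max_ttl": "24h",
}

if __name__ == "__main__":
    # An empty list means the sample role and connection are consistent.
    print(validate_role_against_connection(SAMPLE_ROLE, SAMPLE_CONNECTION))
```

Run the check with the dicts you are about to pass to configure() and create_role(); a non-empty result points at the mismatch that would otherwise surface only as an error from Vault or as credentials the plugin cannot create.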
Read A Role
hvac.api.secrets_engines.Database.read_role()
Reads a role definition:
import hvac
client = hvac.Client()

role = client.secrets.database.read_role(
    name='role-name',
    mount_point='my-database'
)
List All The Roles
hvac.api.secrets_engines.Database.list_roles()
Returns a list of available roles:
import hvac
client = hvac.Client()

roles = client.secrets.database.list_roles(
    mount_point='my-database'
)
Delete A Role
hvac.api.secrets_engines.Database.delete_role()
Deletes a role definition:
import hvac
client = hvac.Client()

client.secrets.database.delete_role(
    name='role-name',
    mount_point='my-database'
)
Rotate Root Credentials
hvac.api.secrets_engines.Database.rotate_root_credentials()
Rotates the root credentials stored for the database connection. This user must have permissions to update its own password. After rotation the new password is known only to Vault, so keep a separate break-glass account if you need out-of-band access to the database.
import hvac
client = hvac.Client()

client.secrets.database.rotate_root_credentials(
    name='db-connection-name',
    mount_point='my-database'
)
Generate Credentials
hvac.api.secrets_engines.Database.generate_credentials()
Generates a new set of dynamic credentials based on the named role:
import hvac
client = hvac.Client()

credentials = client.secrets.database.generate_credentials(
    name='role-name',
    mount_point='my-database'
)
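The credentials returned by generate_credentials() are leased: Vault creates the database user for the role's default_ttl and revokes it when the lease expires, so a consumer has to track the lease, renew it before it lapses, and keep the password out of logs. The example below, added here and not part of hvac or this page, wraps the call in a helper that records the expiry and decides when to renew. It uses a constructed FakeDatabaseApi in place of client.secrets.database so it runs without a Vault server; the canned response copies the shape of a Vault lease response (request_id, lease_id, renewable, lease_duration, data) as an assumption, and its values are placeholders.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


class FakeDatabaseApi:
    """Constructed stand-in for client.secrets.database so the example runs without Vault."""

    def generate_credentials(self, name, mount_point="database"):
        # Assumed response shape for a database/creds/<role> read; values are placeholders.
        return {
            "request_id": "00000000-0000-0000-0000-000000000000",
            "lease_id": f"{mount_point}/creds/{name}/constructed-lease-id",
            "renewable": True,
            "lease_duration": 3600,  # seconds; matches the role's default_ttl of 1h
            "data": {
                "username": f"v-token-{name}-constructed",
                "password": "constructed-password",
            },
        }


@dataclass(frozen=True)
class DbCredential:
    username: str
    password: str
    lease_id: str
    renewable: bool
    expires_at: datetime

    def __repr__(self):
        # Keep the password out of logs and tracebacks that print the object.
        return (
            f"DbCredential(username={self.username!r}, lease_id={self.lease_id!r}, "
            f"expires_at={self.expires_at.isoformat()})"
        )


def fetch_credentials(database_api, role, mount_point, now=None):
    """Request dynamic credentials for `role` and record when their lease expires.

    `database_api` is client.secrets.database on a real hvac.Client, or the fake above.
    """
    now = now or datetime.now(timezone.utc)
    response = database_api.generate_credentials(name=role, mount_point=mount_point)
    data = response["data"]
    return DbCredential(
        username=data["username"],
        password=data["password"],
        lease_id=response["lease_id"],
        renewable=bool(response.get("renewable", False)),
        expires_at=now + timedelta(seconds=int(response["lease_duration"])),
    )


def should_renew(credential, now, safety_margin=timedelta(minutes=5)):
    """True when the lease is renewable and expires within `safety_margin` of `now`.

    With a real client the renewal call is client.sys.renew_lease(credential.lease_id);
    a non-renewable or already expired lease means requesting fresh credentials instead.
    """
    return credential.renewable and (credential.expires_at - now) <= safety_margin


if __name__ == "__main__":
    cred = fetch_credentials(FakeDatabaseApi(), "role-name", "my-database")
    print(cred)  # repr omits the password
```

Swap FakeDatabaseApi() for client.secrets.database on a configured hvac.Client to use it against a live mount; the lease_id is also what you pass to client.sys.revoke_lease() to retire the database user early.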
Get Static Credentials
hvac.api.secrets_engines.Database.get_static_credentials()
Returns the current credentials based on the named static role:
import hvac
client = hvac.Client()

credentials = client.secrets.database.get_static_credentials(
    name='role-name',
    mount_point='my-database'
)