I have created a database type dynamic storage and connected it to one of the micro services in my platform. But I have several other services which need to access the same database. In that case, do I have create separate roles under same connection and assign them to each different service? Or can I use the same role for all the other services plus other python clients?
According to my understanding the dynamic storage concept is it creates new root accounts with the permission we have mentioned in the role. Spring boot service also keeps checking with the vault for the expiration time. So, if the lease expiry time met and a new account is created, does all the services that use the same role gets the new credentials without any interruption?
This may be a dumb questions, I just find it hard to wrap my head around this lease expiry and dynamic storage concept.
Additionally, appreciate if you can help me to figure out how to connect this kind of dynamic credential with a python service as well. Because, this code segment is pretty much fetches whatever the secret value available. It doesn’t cover dynamic credentials.
read_response = client.secrets.kv.read_secret_version(path='my-secret-password')
password = read_response['data']['data']['password']
The recommendation would be to have different roles for different users/usages.
The advantage of different roles is that you can tailor them to what is actually needed (for a true microservice you might be accessing different tables stored in the same database so it would be better to have different access permissions), as well as having better visibility & control - you could more easily revoke access to a single microservice without breaking everything else.
In that case, we create a single super_user account in database and enter that when creating the vault connection. For each new role we add under that connection, vault uses the same super user account and create a new accounts with the given permission for each new role we add under the given connection.
What about accessing the dynamic database credentials using python client. Do we have any polling mechanism for the python client to automatically update the new database account details?
Yes the user that Vault uses to connect to the database would have elevated privileges, including creating new (temporary) users.
The Python example code you linked to is pulling a secret from a kv2 secrets engine, so isn’t directly useful for this use case. You would be pulling user details from the database secret engine. After having a very quick look it doesn’t seem that hvac exposes a specific set of functions for database secret engines, but you can use the kv1 functions to achieve the same thing (KV - Version 1 — hvac 1.0.2 documentation) as kv1 is basically just a thin wrapper around a raw API. Take a look at the database secret engine API documentation for the full details (Database - Secrets Engines - HTTP API | Vault | HashiCorp Developer). I would strongly suggest ensuring your application revokes the lease it has once finished with the database as otherwise Vault will continue maintaining unnecessary leases until they expire causing extra load on both Vault and your database server.