Hi Team,
Can we configure the "Database name" in the role configuration "creation statements" dynamically to create database user secrets?
For example: We have 5 MSSQL databases, DB1-DB5. The creation statement used for user secret generation is as below, where we are hard-coding the database ID for user creation.
vault write database/roles/DBACCESS \
db_name=db-mssql-config \
creation_statements="USE DB1;
CREATE LOGIN [{{name}}] WITH PASSWORD = '{{password}}';
CREATE USER [{{name}}] FOR LOGIN [{{name}}];
ALTER ROLE [vault_db_reader] ADD MEMBER [{{name}}];" \
revocation_statements="DROP USER [{{name}}]; DROP LOGIN [{{name}}];"
What I am looking for is something similar to the {{name}} template field, so I can provide DBNAME dynamically at the time of secret creation. Something like this:
vault write database/roles/DBACCESS \
db_name=db-mssql-config \
creation_statements="USE {{DBNAME}};
CREATE LOGIN [{{name}}] WITH PASSWORD = '{{password}}';
CREATE USER [{{name}}] FOR LOGIN [{{name}}];
ALTER ROLE [vault_db_reader] ADD MEMBER [{{name}}];" \
revocation_statements="DROP USER [{{name}}]; DROP LOGIN [{{name}}];"
I want to provide DBNAME at runtime while creating dynamic database user secrets using the API endpoint (e.g. vault read database/roles/DBACCESS DBNAME=DB1).
Currently I am creating an individual role configuration for each database. The idea is to reuse the same role configuration for any number of similar databases.
Regards,
Santosh
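
The one-role-per-database setup described in the post, generated from a single statement template; this is an added example, not part of the original post or of Vault's documentation. The role naming scheme DBACCESS-<db>, the DRY_RUN switch and the function names are assumptions. The database name is validated because it is interpolated into SQL that runs over Vault's privileged connection.

```shell
#!/bin/sh
# Added example: generate one Vault role per database from one template.
# CONFIG and the role name prefix come from the post; the DBACCESS-<db>
# naming scheme and DRY_RUN are assumptions made for this example.
CONFIG="db-mssql-config"
ROLE_PREFIX="DBACCESS"

# Accept only plain identifiers: the name ends up inside privileged SQL.
valid_db_name() {
    case "$1" in
        ""|*[!A-Za-z0-9_]*) return 1 ;;   # empty, or any char outside the set
        [0-9]*) return 1 ;;               # leading digit
        *) return 0 ;;
    esac
}

# Print the creation statements for one database; fail on a bad name.
render_creation_sql() {
    valid_db_name "$1" || { echo "rejected database name: $1" >&2; return 1; }
    printf "USE [%s]; " "$1"
    printf "CREATE LOGIN [{{name}}] WITH PASSWORD = '{{password}}'; "
    printf "CREATE USER [{{name}}] FOR LOGIN [{{name}}]; "
    printf "ALTER ROLE [vault_db_reader] ADD MEMBER [{{name}}];"
}

# Write one role per database name given; DRY_RUN=1 (default) only prints.
write_roles() {
    for db in "$@"; do
        sql=$(render_creation_sql "$db") || return 1
        role="database/roles/${ROLE_PREFIX}-${db}"
        if [ "${DRY_RUN:-1}" = "1" ]; then
            echo "vault write ${role} db_name=${CONFIG} creation_statements=\"${sql}\""
        else
            # Revocation statements are taken verbatim from the post.
            vault write "$role" \
                db_name="$CONFIG" \
                creation_statements="$sql" \
                revocation_statements="DROP USER [{{name}}]; DROP LOGIN [{{name}}];"
        fi
    done
}

# Dry run over the five databases named in the post.
write_roles DB1 DB2 DB3 DB4 DB5
```

Run with DRY_RUN=0 to apply the roles; a caller then picks the database by choosing the role, so the database name never comes from the request itself.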