I'm developing a custom plugin, and the interface provided, NewUser, has the password pregenerated in the input parameter. The system I am trying to develop against provides the password with its own set of APIs. I can see where NewUserResponse allows you to define the custom username, but it doesn’t support the password. Is there a different interface to use, other than NewUser, for overriding the password, or a step prior to that NewUser lifecycle call?
In version 4, this was previously done by SetCredentials, but I wasn’t sure if there was an override option in version 5.
Interface Reference: Custom - Database - Secrets Engines | Vault | HashiCorp Developer
The v4 to v5 upgrade notes https://developer.hashicorp.com/vault/docs/secrets/databases/custom#upgrading-database-plugins-to-the-v5-interface strongly suggest that passwords generated by the remote system aren’t supported within Vault’s idea of a “database”.
Based on what you’ve shared of your requirements, you might need to write a custom secrets engine plugin, instead of a database plugin. As a general secrets engine, you’d have the flexibility to handle passwords however you like, though at the cost of having to reimplement all the support for tracking which accounts have been created.