Database Plugin Override Password

danquack · February 21, 2023, 6:09pm

Im developing a custom plugin, and the interface provided, NewUser, has the password pregenerated in the input parameter. The system I am trying to develop against provides the password with its own set of apis. I can see where NewUserResponse allows you to define the custom username, but doesn’t support the password. Is there a different interface to use, other than NewUser, for overriding password, or a step prior to that NewUser lifecycle call?

In version 4, this was previous done by SetCredentials, but wasn’t sure if there was an override option in version 5.

Interface Reference: Custom - Database - Secrets Engines | Vault | HashiCorp Developer
Custom - Database - Secrets Engines | Vault | HashiCorp Developer

maxb · February 21, 2023, 6:19pm

The v4 to v5 upgrade notes https://developer.hashicorp.com/vault/docs/secrets/databases/custom#upgrading-database-plugins-to-the-v5-interface strongly suggest that passwords generated by the remote system aren’t supported within Vault’s idea of a “database”.

Based on what you’ve shared of your requirements, you might need to write a custom secrets engine plugin, instead of a database plugin. As a general secrets engine, you’d have the flexibility to handle passwords however you like, though at the cost of having to reimplement all the support for tracking which accounts have been created.

Topic		Replies	Views
Extend Database Secrets Engine Vault vault	0	439	March 25, 2021
Oracle DB password change Vault	4	264	June 26, 2023
Dynamic custom secrets plugin implementation Vault	0	231	July 2, 2021
Password policy for Database Secrets Engine for Vault Vault	7	878	November 28, 2020
Vault postgres communication Vault vault	0	207	January 27, 2023

Database Plugin Override Password

Related topics