Database static role password - Update to respective users

We are using database secret engine in Vault to rotate static account passwords for DB users. We can manually rotate or get the latest password of the user from UI using the “Get Credentials” option or through API.

But how do we get the password automatically sent to the user?

We would like to know if anyone automated this externally to send the latest rotated passwords to individual users.

Hi @AjayRedJ,

Could you clarify what you mean by “get the password automatically sent to the user”?
Are you looking to have the value always up-to-date and readily accessible somewhere?

One possible option might be using Vault Agent with templating. However, this would result in the updated credentials being written to a file or exposed through an environment variable.

If the access is being performed by a human user, I believe the correct approach would be for the user to access Vault (via CLI/API/UI) and run a read command each time they need the account password.

Thanks for the reply. We have set up the roles in Vault and are now in the process of implementing the automation for sending the users their respective passwords. Users can utilize the CLI or API to get the latest credentials when expired. But the expiry time is not specified anywhere in Vault. Only “Last rotated time” and “time remaining” are provided in the role information. Once Vault rotates the password, we are looking for an automated notification to be sent to the respective user, along with the latest password. We are thinking of options like encrypted emails after a Jenkins job retrieves the latest credential based on a time-remaining calculation.

We would like to hear from others who have been using this feature and how they are sending the latest password to users.
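
Added example, not part of the thread or of Vault's own code: a sketch of the "time remaining calculation" mentioned above. It derives the expiry from the last rotation time plus the rotation period, and builds a rotation notice that leaves the password out and points the user at a Vault read. Assumptions: the field names are those of the static-creds read response, the role uses a rotation period, the engine is mounted at `database/`, and the role name and sample values are constructed.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample of the "data" object returned when reading a static
# role's credentials (database/static-creds/<role>); all values are made up.
SAMPLE = {
    "username": "app_reader",
    "password": "constructed-not-a-real-secret",
    "last_vault_rotation": "2024-03-01T08:00:00.123456789Z",
    "rotation_period": 86400,  # seconds between rotations
    "ttl": 3600,               # seconds left at read time (not needed below)
}

def parse_ts(value):
    """Parse an RFC 3339 timestamp that may carry nanoseconds or a 'Z'."""
    m = re.fullmatch(r"(.*?T\d{2}:\d{2}:\d{2})(\.\d+)?(Z|[+-]\d{2}:\d{2})", value)
    if not m:
        raise ValueError(f"unexpected timestamp: {value!r}")
    base, frac, tz = m.groups()
    frac = (frac or ".0")[:7].ljust(7, "0")  # datetime keeps microseconds only
    tz = "+00:00" if tz == "Z" else tz
    return datetime.fromisoformat(base + frac + tz)

def next_rotation(data):
    """Expiry of the current password: last rotation + rotation period."""
    last = parse_ts(data["last_vault_rotation"])
    return last + timedelta(seconds=data["rotation_period"])

def was_rotated(data, last_seen):
    """True when Vault rotated since the timestamp saved by the previous run."""
    if last_seen is None:
        return True
    return parse_ts(data["last_vault_rotation"]) > parse_ts(last_seen)

def build_notice(role, data, last_seen=None):
    """Return a notice for the role's user, or None if nothing changed.
    The password is deliberately not included; the user reads it from Vault."""
    if not was_rotated(data, last_seen):
        return None
    expires = next_rotation(data).astimezone(timezone.utc)
    return (f"Password for DB user {data['username']} (role {role}) was rotated. "
            f"It is valid until {expires:%Y-%m-%d %H:%M:%S} UTC. "
            f"Fetch it with: vault read database/static-creds/{role}")

if __name__ == "__main__":
    print(build_notice("app-reader", SAMPLE, "2024-02-29T08:00:00Z"))
```

A scheduled job would store `last_vault_rotation` after each run and pass it back as `last_seen` on the next one, so a notice goes out once per rotation.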