Figure out which authenticated user corresponds to a temp database user

oscarmorasu · March 10, 2020, 4:55pm

I am working on setting the MySQL Secrets Engine in order to give developers temporary readonly access to the DB.

I created a database role developer-role. When I read the creds:

vault read database/creds/developer-role

It creates a user looking like v-deve-SVYHNCcG4

So far so good since users will get unique, one-time db usernames.

Assuming I use LDAP as the Auth Method, let’s say we detect unusual activity from a given database user.

How can I go back and identify which AD user requested the db userv-deve-SVYHNCcG4 to be created in the first place?

Wolfsrudel · March 10, 2020, 6:29pm

Sounds like Vaults audit feature… But never used it 'till now, so no experiences for your use case.

oscarmorasu · March 10, 2020, 6:33pm

Yes I figured it’s somewhere in the audit logs. I wonder if anyone has been through this before.

Sounds like a common use case but couldn’t find any specifics in the documentation.

Topic		Replies	Views
Associating database engine credentials with github auth user Vault	0	250	April 22, 2020
Database root credentials rotation and Vault users for PostGres management Vault	4	766	February 2, 2021
How to block temporary account in mysql user table Vault	2	633	November 15, 2019
Dynamic DB Creds and Vault Agent Vault	0	313	November 11, 2019
How I get the role generated by MongoDB Database Secrets Engine using role_id and secret_id? Vault	0	375	September 23, 2020