Figure out which authenticated user corresponds to a temp database user

I am working on setting the MySQL Secrets Engine in order to give developers temporary readonly access to the DB.

I created a database role developer-role. When I read the creds:

vault read database/creds/developer-role

It creates a user looking like v-deve-SVYHNCcG4

So far so good since users will get unique, one-time db usernames.

Assuming I use LDAP as the Auth Method, let’s say we detect unusual activity from a given database user.

How can I go back and identify which AD user requested the db user v-deve-SVYHNCcG4 to be created in the first place?

Sounds like Vault's audit feature… But I never used it till now, so no experience with your use case.

Yes I figured it’s somewhere in the audit logs. I wonder if anyone has been through this before.

Sounds like a common use case but couldn’t find any specifics in the documentation.
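One way to do the correlation the thread is asking about, as an added example that is not from the original post or from HashiCorp: Vault's file and socket audit devices write one JSON entry per request and per response, with the caller's auth block (display_name, metadata.username for LDAP, entity_id) in clear text, while every string in request and response data, including the generated database username, is replaced by an HMAC-SHA256 keyed with the audit device's salt. So the plaintext `v-deve-SVYHNCcG4` never appears in the log; you obtain the comparable value with `vault write sys/audit-hash/<device> input=v-deve-SVYHNCcG4` and search the log for a response entry whose `response.data.username` equals it. The script below does that search. The salt, the `audit_hash` helper, the sample audit lines, the LDAP users and the lease IDs are all constructed so the example runs offline; in production the hash comes from the `sys/audit-hash` endpoint and the lines come from the audit file.

```python
"""Map a Vault-issued database username back to the LDAP/AD identity that
requested it, by scanning Vault audit-device log lines (constructed sample).
"""
import hashlib
import hmac
import json

# Constructed salt. Real Vault keeps the audit salt itself; you get the
# comparable value via: vault write sys/audit-hash/<device> input=<username>
FAKE_AUDIT_SALT = b"constructed-salt-not-real"


def audit_hash(value: str, salt: bytes = FAKE_AUDIT_SALT) -> str:
    """Mimic the 'hmac-sha256:<hex>' form Vault writes into audit entries."""
    digest = hmac.new(salt, value.encode(), hashlib.sha256).hexdigest()
    return f"hmac-sha256:{digest}"


def find_requesters(audit_lines, target_username, salt=FAKE_AUDIT_SALT):
    """Return the response entries whose returned username hashes to the target.

    Each hit records who authenticated (auth block) and which lease was issued,
    which is what an investigator needs to tie a DB user back to a person.
    """
    target = audit_hash(target_username, salt)
    hits = []
    for raw in audit_lines:
        raw = raw.strip()
        if not raw:
            continue
        entry = json.loads(raw)
        if entry.get("type") != "response":      # request entries carry no creds
            continue
        resp = entry.get("response") or {}
        data = resp.get("data") or {}
        if data.get("username") != target:
            continue
        auth = entry.get("auth") or {}
        hits.append({
            "time": entry.get("time"),
            "path": entry["request"]["path"],
            "display_name": auth.get("display_name"),
            "ldap_username": (auth.get("metadata") or {}).get("username"),
            "entity_id": auth.get("entity_id"),
            "lease_id": (resp.get("secret") or {}).get("lease_id"),
            "remote_address": entry["request"].get("remote_address"),
        })
    return hits


def _sample_entry(entry_type, display_name, ldap_user, db_user, lease_suffix, ts):
    """Build one constructed audit entry shaped like Vault's file audit device output."""
    e = {
        "time": ts,
        "type": entry_type,
        "auth": {
            "client_token": audit_hash("token-" + ldap_user),
            "accessor": audit_hash("accessor-" + ldap_user),
            "display_name": display_name,
            "policies": ["default", "developer"],
            "metadata": {"username": ldap_user},
            "entity_id": "entity-" + ldap_user,          # constructed
        },
        "request": {
            "id": "req-" + lease_suffix,                 # constructed
            "operation": "read",
            "path": "database/creds/developer-role",
            "remote_address": "10.0.0.5",               # constructed
        },
    }
    if entry_type == "response":
        e["response"] = {
            "secret": {"lease_id": "database/creds/developer-role/" + lease_suffix},
            "data": {"username": audit_hash(db_user),
                     "password": audit_hash("pw-" + db_user)},
        }
    return e


# Constructed audit log: a request entry, then two responses for two LDAP users.
SAMPLE_AUDIT_LINES = [json.dumps(x) for x in (
    _sample_entry("request", "ldap-jdoe", "jdoe", "", "lease1", "2024-01-01T10:00:00Z"),
    _sample_entry("response", "ldap-jdoe", "jdoe", "v-deve-SVYHNCcG4", "lease1", "2024-01-01T10:00:00Z"),
    _sample_entry("response", "ldap-asmith", "asmith", "v-deve-ZZZZZZZZZ", "lease2", "2024-01-01T11:30:00Z"),
)]


if __name__ == "__main__":
    for hit in find_requesters(SAMPLE_AUDIT_LINES, "v-deve-SVYHNCcG4"):
        print(json.dumps(hit, indent=2))
```

Against a real deployment, replace `audit_hash(target_username)` with the value returned by `sys/audit-hash` for the device whose log you are reading (each device has its own salt), and stream the audit file instead of `SAMPLE_AUDIT_LINES`. The `lease_id` in the hit is the same ID that `vault list sys/leases/lookup/database/creds/developer-role` shows while the credential is live, so it can also be revoked directly once the requester is known.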
