Password policy for Database Secrets Engine for Vault

Guru of Vault,

We are setting up the Database Secrets Engine for Mariadb in Vault to generate dynamic credentials. The password of generated user looks like the following:

What is the exact password policy here? Is there any way we can set such policy explicitly? Thanks.

Secrets engines with support for password policies:
Active Directory

1 Like

Thanks for the reply. I understand that the db engine doesn’t support password policies. But is there anyway I can see the policy it’s using internally. Is there any source code I can read?

Basically, we are facing certain auditing situation. The auditors want evidence that the temporary password generated by Vault DB engine will be at least 10 character and have both number and alphabet. It seems true from concrete example. But I cannot find any document for this in Vault. Thanks a lot.

I’m confused. There’s actually another line in the tutorial that @Wolfsrudel quoted (my emphasis):

Secrets engines with support for password policies:

Here’s the parameter supported by all database secret engines (including MySQL/MariaDB):

Could that not suit your purposes?

Expanded Password Policy Support : Custom password policies are now supported for all database engines.

Part of version 1.6, which wasn’t released at the time of my comment and so the documentation was at an older release without “All Databases”.

1 Like

Ah, that makes more sense. Didn’t imagine you’d missed it! :wink: Cheers!

1 Like

“It is not as constant as change.” :upside_down_face:

1 Like


Maybe this will help.

The code that generates the password. (10 to 20 characters)