[SOLVED] Vault credential library username mapping override


Since we have a problem to logs username in logs (Topic here : Email and User Name in logs - #5 by thibaut1405 ), we try to use the credential mapping override to bypass this problem. But I have a problem in the configuration that I don’t understand.

We use Vault to provide credential for the connection to Postgres Database

That’s our configuration

resource "boundary_credential_library_vault" "vault_store" {
  for_each = {
    for db_name, db in local.scope : format("%s-%s",db.scope_name,db.db_name) => db
  name                = format("%s-%s",each.value.scope_name,each.value.db_name)
  description         = each.value.description
  credential_store_id = boundary_credential_store_vault.vault_store[each.value.scope_name].id
  path                = format("database/creds/%s-%s",each.value.scope_name,each.value.db_name)
  http_method         = "GET"
  credential_type     = "username_password"
  credential_mapping_overrides = {
    username_attribute = "{{.Account.Name}}"

And we got the error when we try to connect to a target

Error from controller when performing authorize-session action against given target

Error information:
  Kind:                Internal
  Message:             targets.(Service).AuthorizeSession: mapping vault secret to a credential type failed, integrity violation: error #3017
  Status:              500
  context:             Error from controller when performing authorize-session action against given target

Boundary version : 0.11.1
Vault version : 1.12

Do we need to do something in Vault to make it work properly ?


At first glance it looks to me like the secret returned by Vault isn’t able to be mapped to a username_password credential type. What does the secret look like when you retrieve it from Vault in JSON format?

an example of username and password returned by vault

  "request_id": "77a8ce89-42e9-53c5-3af5-702f1d138db0",
  "lease_id": "database/creds/team-boundary/pEcqy0AVl9AHQ4QP9YXj5SDI",
  "renewable": true,
  "lease_duration": 180,
  "data": {
    "password": "UI-cRtkMyqgYrF-4Swau",
    "username": "v-token-team-db-arN9zAbELGK76xZkV2UZ-1670425842"
  "wrap_info": null,
  "warnings": null,
  "auth": null

Hi @thibaut1405
The mapping overrides for Vault credential libraries allow an admin to override the field attributes in the credential, they do not override the values of the credential returned by Vault.

By default a username_password credential looks for two fields username and password, using your example:

 "data": {
    "password": "UI-cRtkMyqgYrF-4Swau",
    "username": "v-token-team-db-arN9zAbELGK76xZkV2UZ-1670425842"

This would be parsed by Boundary as a username_password credential as it was before you added the override. However, if the credential from Vault looked like:

 "data": {
    "my-password": "UI-cRtkMyqgYrF-4Swau",
    "username": "v-token-team-db-arN9zAbELGK76xZkV2UZ-1670425842"

Boundary would not parse it correctly since it did not find the default password field. Here the admin would need to configure a credential_mapping_override for the password_attribute as follows:

  credential_mapping_overrides = {
    password_attribute = "my-password"

So by adding the override Boundary is now looking for the username in a field that is the Value of .Account.Name and not finding it, resulting in your error.

1 Like

Ho okay so I misunderstood something, thank you for your response. :slight_smile:

Is it possible to create custom username based on firstname returned from boundary to vault?

For example a user named joe tries to connect to db target in boundary where secrets brokered by vault

creating username as “joe_v_dev” instead of some random “v-root_admi-Lt70Rn1SSbVQHdblZsUF-1681461221”

I am able to find article on username templating in vault but not able to find anything related to boundary & vault integration