Understanding Vault connection parameters for PostgreSQL

dewansklick · February 11, 2022, 4:22pm

What is the difference between {{username}} & vaultuser (and also {{password}} and vaultpass)?

I understand that {{username}}:{{password}} are the actual root database credentials. Where is vaultuser/vaultpass used then? Some pointers to documentation where the differences are clearly explained, will be appreciated.

vault write database/config/my-postgresql-database \
    plugin_name=postgresql-database-plugin \
    allowed_roles="my-role" \
    connection_url="postgresql://{{username}}:{{password}}@localhost:5432/" \
    username="vaultuser" \
    password="vaultpass"

jeffsanicola · February 11, 2022, 6:48pm

{{username}} and {{password}} in the connection_url are variables used in the connection string and get replaced by the username and password parameters respectively.

I believe this is used to better support rotation of the root user’s password.

dewansklick · February 12, 2022, 4:00am

Thanks @jeffsanicola

Topic		Replies	Views
Vault postgres communication Vault vault	0	204	January 27, 2023
How database root password rotation works? Vault vault	4	1959	October 21, 2021
Vault database backend - postgres using a socket Vault	1	385	August 12, 2020
User and passwords for postgresql-database-plugin Vault	7	1162	November 28, 2022
Retrieve password after rotate-root Vault	0	358	October 22, 2020

Understanding Vault connection parameters for PostgreSQL

Related topics