User and passwords for postgresql-database-plugin

so i have the postgres plugin working fine: i can get new credentials using

vault read database/creds/<role>

however, i was wondering why one should have so many different sessions based on each call of vault read - ie i would prefer if the database pg_user table only has a single entry to each user. i know i can override

username_template="v-{{ .DisplayName }}-{{.RoleName}}"

however, if the user uses a different login method (ldap vs oidc for example), display name changes. is there a way to have non-unique usenames in the database?

also, once a user has their username and password for the database session, is it possible to retrieve those details again for an existing ‘session’?

thirdly; strange usecase - but is it possible to never expire the password? is it a simple case of modifying the creation_statements to exclude the VALID UNTIL?

What are you actually trying to achieve, as it sounds like maybe Vault isn’t a great match for what you are wanting to do.

The dynamic secret functionality isn’t a general password creation and management system for a database, but instead is really for creating short-lived locked down credentials for an application/pod/service/etc to allow for a better security setup than the more common “single user/pass for all instances” or “single user/pass for all apps”. Once Vault is integrated into the application it is no harder to have lots of short lived focussed passwords (with permissions limited to exactly what a specific use case needs) than a single long lived wide ranging user.

So your questions don’t seem to marry with that - reusing users, creating users and not removing them or fetching details aren’t needed at all for the standard usage.

thanks @stuart-c; i understand the benefits of short lived credentials, however we are granting actual users rather than applications or developers access to the database, so we have to compromise somewhat of usability versus security.

  1. as we have actual users trying to psql into the database they would like to have longer lived passwords (say on the order or a week or month). as you mentioned, vault isn’t fully integrated into our workflow currently, so it’s a bit of a chore for our users (in the hundreds) to continually login/renew leases. in addition, they will tend to forget their password so having an ability to have vault echo it back would be handy (especially if we could spit it out on the vault webui).

  2. as we make use of vault’s alias-entity relationships, it would be useful to identify the user (entity) as opposed to the alias in the temporary postgres credential. the templating only seems to offer the {{.DisplayName}}. is there someway to get the entity name instead? (perhaps some golang templating magic regex etc?)

I’d suggest that Vault might not be the best fit for what you are trying to do. Instead I might look at using whatever user auth system you are using (LDAP, AD, etc.) directly with your database, so users can authenticate directly via their normal credentials (and then use Vault for application access).

Alternatively I’d still use short lived credentials and expect users who need to access to create a set of credentials only when they need access to a specific database. I’m thinking of the support type use case, where users rarely need direct SQL access, generally only for support issues which are relatively infrequent and short lived.