Username templates

Hello,

I want to customize the usernames that are dynamically created when using the database secret engine.

I was following this: Username Templating | Vault - HashiCorp Learn, but I haven’t figured out yet how to discover fields such as .RoleName or .DisplayName which are mentioned in the documentation.

This is the randomly generated username from the DB engine (e.g.):
ngl-<database_role>-1666645606-3tcPhbnH

I’m also using the RabbitMQ secret engine, and this is how users are generated there:
ngl-dev-<rabbitmq_role>-access-4ef2000f-cb27-a2e2-5bd4-2232c1b3db0f

Both username template configs are the defaults for their engines, but I like the RabbitMQ one much more since it also tells me what the Kubernetes pod is (access). I’m not 100% sure how it gathers that name, but I would like a similar approach for DB users. I know that these template engines have their differences, and one can achieve what the others can’t.

Does someone know how I can further customize these templates so I can have the Kubernetes pod in the name, or the Vault Kubernetes role (etc.)? I want to easily identify which dynamic users are currently in use by pod/service (Kubernetes).

Thanks!

Can anyone help me out with this?
Thanks

As per https://developer.hashicorp.com/vault/docs/concepts/username-templating#examples, .DisplayName and .RoleName are the only fields available to username templating unless the specific database plugin involved documents additional ones.

The display name (of the token) will contain information about the user authenticating to Vault, including the Kubernetes namespace and service account - but it may be rather long, which may be a problem for you depending on the length limits of your database.
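One way to preview what a username template will produce from those two fields before putting it on a role. This is an added example, not code from the thread or from Vault itself: it re-implements the truncate, unix_time and random helpers in a small Go program, and the display name and role name are constructed sample values.

```go
package main

import (
	"bytes"
	"fmt"
	"math/rand"
	"text/template"
	"time"
)
// TemplateFields are the only two fields Vault's docs promise a username template.
type TemplateFields struct {
	DisplayName string // the token's display name (set by the auth method, not the engine)
	RoleName    string // the secret engine's role name
}

// Render is a constructed, minimal stand-in for Vault's username templating (Go
// text/template plus a few helpers); it is not Vault's own code. Clock and seed
// are parameters so results can be reproduced.
func Render(tmpl string, f TemplateFields, unixTime, seed int64) (string, error) {
	const alphabet = "abcdefghijklmnopqrstuvwxyz0123456789"
	rnd := rand.New(rand.NewSource(seed))
	funcs := template.FuncMap{
		// Length comes first so it composes in a pipeline: {{ .DisplayName | truncate 8 }}
		"truncate": func(n int, s string) string {
			if len(s) > n {
				return s[:n]
			}
			return s
		},
		"unix_time": func() int64 { return unixTime },
		"random": func(n int) string {
			b := make([]byte, n)
			for i := range b {
				b[i] = alphabet[rnd.Intn(len(alphabet))]
			}
			return string(b)
		},
	}
	var buf bytes.Buffer
	t, err := template.New("username").Funcs(funcs).Parse(tmpl)
	if err == nil {
		err = t.Execute(&buf, f)
	}
	return buf.String(), err
}
func main() {
	f := TemplateFields{DisplayName: "kubernetes-dev-access", RoleName: "readonly"} // constructed sample
	out, err := Render(`{{ printf "ngl-%s-%s-%d-%s" (.DisplayName | truncate 24) (.RoleName | truncate 8) (unix_time) (random 8) | truncate 63 }}`, f, time.Now().Unix(), time.Now().UnixNano())
	fmt.Println(out, err)
}
```

Swapping in the real display name of a token issued by your Kubernetes auth mount shows how much of it survives the per-database length limit, which is the part worth checking before changing the role.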

I didn’t quite understand it like that; I thought those were just examples.
As they stated in this documentation -

This is a basic example that references the two fields that are provided to the template. In simplest terms, this is a simple string substitution.

I assumed that these are not the total number of fields, but I don’t know, it could be that I’m wrong.
Thanks anyway.

You are correct, the documentation is not clear. I resorted to looking at the source code to get confirmation:

Thank you, I’m kind of disappointed that there isn’t more to customize. The RabbitMQ engine does this better, and you are really able to follow which dynamic user is currently used by a service. I can create a DB role per service, but it seems a bit overcomplicated.

But the RabbitMQ engine is basically just using a copy/paste of the same code as the database engine…

RabbitMQ’s default username template is:

whereas each database type may have its own different default, potentially tweaked with truncation of components to appropriate lengths, so the generated username isn’t longer than the database will support.


Thanks, you helped me figure out that it is actually the token display name that I was looking to demystify, not the role or any sort of additional fields. So the token display name is what differs between those two engines, and I don’t think I’m able to customize that.

The token display name is inherent to the token, and is set based on the method used to create the token.

It’s not going to differ at all between different secret engines accessed by the token.


Thank you very much for clarifying.