This is the randomly generated username from the db engine (e.g.):
I’m also using the rabbitmq secret engine, and this is how users are generated.
Both username template configs are the default for their engine, but I like rabbitmq much more since it also tells me what the kubernetes pod is (access). I’m not 100% sure how it gathers that name, but I would like a similar approach for db users. I know that these template engines have their differences, and one can achieve what others can’t.
Does someone know how I can further customize these templates so I can have the kubernetes pod in the name or the vault kubernetes role (etc)? I want to easily identify which dynamic users are currently in use by pod/service (kubernetes).
The display name (of the token) will contain information about the user authenticating to Vault, including the Kubernetes namespace and service account - but it may be rather long, which may be a problem for you depending on the length limits of your database.
Thank you, I’m kind of disappointed that there isn’t more to customize. The RabbitMQ engine does this better, and you are really able to follow which dynamic user is currently used by a service. I can create a db role per service, but that seems a bit overcomplicated.
But the RabbitMQ engine is basically just using a copy/paste of the same code as the database engine…
RabbitMQ’s default username template is:
whereas each database type may have its own different default, potentially tweaked with truncation of components to appropriate lengths, so the generated username isn’t longer than the database will support.
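The truncation described in the reply above, as an added example that is not part of the original thread and not Vault's own code: a Go sketch that renders a hypothetical custom `username_template` which keeps 40 characters of the display name so the namespace and service account stay readable. The `truncate` and `random` helpers are local stand-ins, the 63-character cap is an assumed database identifier limit, and the display name and role name are constructed samples.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"strings"
	"text/template"
)

// Local stand-ins for the template helpers; they mimic, but are not, Vault's code.
var funcs = template.FuncMap{
	// The piped value arrives as the last argument: (.DisplayName | truncate 40).
	"truncate": func(n int, s string) string {
		if len(s) > n {
			return s[:n]
		}
		return s
	},
	// Random lowercase alphanumeric suffix so concurrent leases do not collide.
	"random": func(n int) (string, error) {
		const alphabet = "abcdefghijklmnopqrstuvwxyz0123456789"
		buf := make([]byte, n)
		if _, err := rand.Read(buf); err != nil {
			return "", err
		}
		for i, b := range buf {
			buf[i] = alphabet[int(b)%len(alphabet)]
		}
		return string(buf), nil
	},
}

// Hypothetical custom template (assumption): 40 chars of display name, 8 of role
// name, 8 random chars, and a final cap at an assumed 63-char identifier limit.
const customTemplate = `{{ printf "v-%s-%s-%s" (.DisplayName | truncate 40) (.RoleName | truncate 8) (random 8) | truncate 63 }}`

// Render executes a username template against a display name and role name.
func Render(tmpl, displayName, roleName string) (string, error) {
	t, err := template.New("username").Funcs(funcs).Parse(tmpl)
	if err != nil {
		return "", err
	}
	var sb strings.Builder
	err = t.Execute(&sb, map[string]string{"DisplayName": displayName, "RoleName": roleName})
	return sb.String(), err
}

func main() {
	// Constructed sample: auth mount, namespace and service account joined by dashes.
	name, err := Render(customTemplate, "kubernetes-payments-prod-orders-api-service-account", "orders-readonly")
	fmt.Println(name, len(name), err)
}
```

Rendering the template locally like this shows how much of a long display name survives each truncation step before the database's length limit is reached.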
Thanks, you helped me figure out that this is actually the token display name that I was looking to demystify, not the Role, or any sort of additional fields. So, the token display name is what is different between those two engines, and I don’t think I’m able to customize that.