Yes, I think it’s possible to do what you want.
First, configure the database secrets engine something like this:
vault write database/config/dev01 \
plugin_name="..." \
connection_url="..." \
allowed_roles="..." \
username="vault-dev01" \
password="..." \
vault write database/config/dev02 \
plugin_name="..." \
connection_url="..." \
allowed_roles="..." \
username="vault-dev02" \
password="..." \
...
vault write database/config/prod03 \
plugin_name="..." \
connection_url="..." \
allowed_roles="..." \
username="vault-prod03" \
password="..." \
vault write database/roles/dev01-reader \
db_name=dev01 \
creation_statements="<GRANT RO, etc.>" \
default_ttl="1h" \
max_ttl="24h"
vault write database/roles/dev01-operator \
db_name=dev01 \
creation_statements="<GRANT RW, etc.>" \
default_ttl="1h" \
max_ttl="24h"
...
vault write database/roles/prod03-operator \
db_name=prod03 \
creation_statements="<GRANT RW, etc.>" \
default_ttl="1h" \
max_ttl="24h"
Then write a database secrets engine administrator policy something like this:
path "database/*" {
capabilities = [ "create", "read", "update", "delete", "list" ]
}
# Manage the leases
# Note you could just glob on the creds path if you wanted to simplify
# or cut down on the paths in your policy
path "sys/leases/+/database/creds/<each role>" {
capabilities = [ "create", "read", "update", "delete", "list", "sudo" ]
}
path "sys/leases/+/database/creds/<each role>/*" {
capabilities = [ "create", "read", "update", "delete", "list", "sudo" ]
}
Then write your reader policies to have read
on the appropriate database/creds/XXX0N-reader
paths, and your operator ones to have read
on their creds paths. And you could also have a databases reader policy that grants read
on multiple ‘reader’ creds paths, etc.
Finally, you could grant list
at role related endpoints / paths too, I’d imagine. Also, don’t forget that you always have the ability to explicitly deny
paths too, so you have a lot of flexibility when it comes to Vault policy development and administration.