Vault username_templating


Can the username_template option in the Vault Terraform resource vault_database_secret_backend_connection configuration be overridden when boundary_credential_library_vault reads a dynamic DB credential through a Vault API token? (new feature required)

The issue is that boundary_credential_library_vault uses a Vault token for the API call to get the backend DB dynamic credential, for which vault_database_secret_backend_connection is configured with the username_templating pattern option [auth-method]-[user]_[random characters] (e.g. in the above case, the dynamic credential for boundary connect will have token-token_ue1LD0vkDWLaAWJn9jdx to connect to the backend target DB. As an administrator, I cannot audit who the real-world user actually accessing the DB is). So I would like to pass the Boundary OIDC user/account name to Vault so that it can override the [user] option of the Vault username_templating pattern before the dynamic credential is generated and returned to the boundary connect response as “username”: “token-amos.c_ue1LD0vkDWLaAWJn9jdx”.

Leave this previous discussion on HashiCorp Discuss as a reference



Can anyone help with this please?