illug

Reputation: 823

HashiCorp Root DB Credential Rotation with SQL Server

I am trying to use this new feature in the 0.10 version of HashiCorp Vault that allows you to rotate the root credentials supplied to the database secret engine. Using SQL Server as my database I can't get this to work.

Doing vault write -force database/rotate-root/mssql throws this error:

Error writing data to database/rotate-root/mssql: Error making API request.

URL: PUT http://0.0.0.0:8200/v1/database/rotate-root/mssql Code: 500. Errors:

  • 1 error occurred:

  • mssql: Cannot alter the login '%!s(MISSING)', because it does not exist or you do not have permission.

Doing vault read database/config/mssql returns:

Key                                   Value
---                                   -----
allowed_roles                         [* imagine]
connection_details                    map[connection_url:sqlserver://{{username}}:{{password}}@sql:1433 username:vaultrolecreator]
plugin_name                           mssql-database-plugin
root_credentials_rotate_statements    []

Wonder if you are supposed to supply your own rotate statements. Everything else I want to do works perfectly and these tests are done using the vault root token.

The original plugin info was done using this statement:

vault write database/config/mssql \
  plugin_name="mssql-database-plugin" \
  connection_url="sqlserver://{{username}}:{{password}}@sql:1433" \
  allowed_roles="*, imagine" \
  username="vaultrolecreator" \
  password="UnSafePass"

Upvotes: 2

Views: 1099
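The rotate-root flow the question describes, driven over Vault's HTTP API rather than the CLI, as an added example that is not part of the question or of HashiCorp's code. It assumes a Vault server at VAULT_ADDR with a token in VAULT_TOKEN, the `database/` mount and the `mssql` connection name from the question, and that the Vault login is `vaultrolecreator`; the rotation statement is spelled out explicitly in `root_rotation_statements` instead of relying on the plugin default. The `transport` argument exists so the flow can be exercised offline against a fake; by default it talks to Vault with urllib.

```python
"""Configure, rotate and verify root credentials for a Vault mssql connection.

Added example (hypothetical client code, not from the question or from
HashiCorp). Assumes VAULT_ADDR / VAULT_TOKEN in the environment and the
`database/` mount with a connection named `mssql` as in the question.
"""
import json
import os
import urllib.error
import urllib.request

MOUNT = "database"   # mount path used in the question
CONN = "mssql"       # connection name used in the question

# Rotation statement for SQL Server. Vault fills in {{username}} and
# {{password}}; assumed to match what the mssql plugin runs by default,
# but stated explicitly so rotation does not depend on plugin defaults.
MSSQL_ROTATE = "ALTER LOGIN [{{username}}] WITH PASSWORD = '{{password}}'"


def config_payload(username, password,
                   connection_url="sqlserver://{{username}}:{{password}}@sql:1433",
                   allowed_roles=("*", "imagine")):
    """Body for POST /v1/<mount>/config/<name> with explicit root rotation statements."""
    return {
        "plugin_name": "mssql-database-plugin",
        "connection_url": connection_url,
        "allowed_roles": list(allowed_roles),
        "username": username,
        "password": password,
        "root_rotation_statements": [MSSQL_ROTATE],
    }


def urllib_transport(method, url, token, body=None):
    """Default transport: send one request, return (status, parsed JSON or None)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(
        url, data=data, method=method,
        headers={"X-Vault-Token": token, "Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else None)
    except urllib.error.HTTPError as err:
        raw = err.read()
        return err.code, (json.loads(raw) if raw else None)


def diagnose(status, body):
    """Map a Vault error body onto the two failure modes discussed in the thread."""
    errors = body.get("errors", []) if isinstance(body, dict) else []
    text = " ".join(errors)
    if "%!s(MISSING)" in text:
        # Go's fmt marker for a missing format argument: the plugin's error
        # message lost the login name, the symptom linked to vault issue #4745.
        return "plugin error message is missing the login name (see vault issue #4745)"
    if "does not exist or you do not have permission" in text:
        return "SQL Server rejected ALTER LOGIN: check the login exists and the Vault user may alter it"
    return f"HTTP {status}: {text or 'no error body'}"


def rotate_root(addr, token, username, password, transport=urllib_transport):
    """Write the connection config, rotate the root password, then read the config back.

    Never returns the new password: after rotation only Vault should know it.
    """
    base = f"{addr.rstrip('/')}/v1/{MOUNT}"
    status, body = transport("POST", f"{base}/config/{CONN}", token,
                             config_payload(username, password))
    if status >= 400:
        return {"ok": False, "stage": "config", "detail": diagnose(status, body)}
    status, body = transport("POST", f"{base}/rotate-root/{CONN}", token, {})
    if status >= 400:
        return {"ok": False, "stage": "rotate", "detail": diagnose(status, body)}
    status, body = transport("GET", f"{base}/config/{CONN}", token)
    if status >= 400:
        return {"ok": False, "stage": "verify", "detail": diagnose(status, body)}
    data = (body or {}).get("data", {})
    details = data.get("connection_details", {})
    # Older Vault builds report the key as root_credentials_rotate_statements
    # (as in the question's read output); newer ones as root_rotation_statements.
    stmts = (data.get("root_rotation_statements")
             or data.get("root_credentials_rotate_statements") or [])
    # The read-back must not expose the password and must carry one statement.
    return {
        "ok": "password" not in details and len(stmts) == 1,
        "stage": "done",
        "detail": f"username={details.get('username')} statements={len(stmts)}",
    }


if __name__ == "__main__":
    outcome = rotate_root(os.environ.get("VAULT_ADDR", "http://127.0.0.1:8200"),
                          os.environ["VAULT_TOKEN"], "vaultrolecreator",
                          os.environ["INITIAL_DB_PASSWORD"])
    print(json.dumps(outcome))
```

The initial password is passed in once, from the environment, and is never read back: `diagnose` and the final read-back only confirm that Vault stripped it from `connection_details` and that exactly one rotation statement is stored, which is the state you want before handing the database over to Vault-managed roles.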

Answers (2)

illug

Reputation: 823

It seems that this is a bug in HashiCorp Vault 0.10.2 (and older). A fix is being worked on in a new version:

https://github.com/hashicorp/vault/issues/4745

Upvotes: 1

gic186

Reputation: 836

Your account "vaultrolecreator" might not have the permission to execute ALTER LOGIN or ALTER CREDENTIAL statements on the DB. According to the Vault official documentation, these permissions are required in order to execute rotate-root.

Upvotes: 0
