Vault - how to create dynamic secrets for mysql and grant permissions only on specific database

Question

I have right now running Vault which gives me dynamic secrets for my mysql database. At this moment my role for databases looks like this:

Response:

{
   "lease_duration" : 0,
   "data" : {
      "revocation_statements" : [],
      "default_ttl" : 3600,
      "rollback_statements" : [],
      "max_ttl" : 86400,
      "db_name" : "my-mysql-database",
      "creation_statements" : [
         "CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}'",
         "GRANT SELECT ON *.* TO '{{name}}'@'%'"
      ],
      "renew_statements" : []
   },
   "warnings" : null,
   "auth" : null,
   "renewable" : false,
   "request_id" : "f155ede2-12ce-2ab1-f05e-b0f52acb153a",
   "wrap_info" : null,
   "lease_id" : ""
}

The most important is creation_statements where new user is granted privilege on every database. My goal is to send on which database I need a user and give him permissions only for that database. I haven't saw any resources on how to accomplish that.

My idea is maybe to check if a Vault has a role for specific database, if Vault responses with error that role does not exist, I can create a new role for that database, and after that generate new credentials.

Answer 1

To my knowledge creation statements are static, meaning that once the "vault_database_secret_backend_role" was created, the statements can't be changed.

We had a similar issue and we ended up dynamically creating new vault_database_secret_backend_role for each different database.

Since we used terraform I could template the creation statements. (i.e.: When I create a new database with name "abcd", then the corresponding vault_database_secret_backend_role's creation_statement is "generated"/"rendered" so that it only grants access to this (abcd) database.