This document discusses using HashiCorp Vault to dynamically generate and revoke database credentials. Vault allows defining policies that control which database operations different credentials can perform. It generates unique credentials with limited lifetimes, reducing the risk of compromised long-term credentials. Applications can authenticate to Vault and retrieve temporary credentials to access databases, without embedding permanent credentials. This improves security by preventing static credentials from being hard-coded or exposed.

1. Securing Databases with
Dynamic Credentials and
HashiCorp’s Vault
PGDay.Seoul 2019
FB/hyeongchae.lee
1PGDay.Seoul 2019

2. Temporary Security Credentials
• shell script 또는 config 안에 username, password 필요한 경우
• 개발팀에서 운영 DB서버에 접속하여 몇가지 확인하고 싶을 경우
• 단발성 계정 생성 및 삭제가 빈번하게 일어날 경우
• GDPR 처럼 보안규정상 password expired 가 필요한 경우
PGDay.Seoul 2019 2

3. Ansible : ssh delima
PGDay.Seoul 2019 3

4. HashiCorp
4PGDay.Seoul 2019

5. HashiCorp’s Vault 란?
5PGDay.Seoul 2019

6. Vault’s Policies
6PGDay.Seoul 2019

7. Vault’s Polcies
path “postgresql/creds/readonly” {
capabilities = ["create", "read", "update", "delete", "list"]
}
root@pgsql12:/# ls -la /var/lib/postgresql/data/
drwx------ 19 postgres postgres 4096 Dec 2 02:45 .
drwxr-xr-x 1 postgres postgres 4096 Nov 23 08:10 ..
drwx------ 6 postgres postgres 4096 Dec 2 05:19 base
drwx------ 2 postgres postgres 4096 Dec 2 06:58 global
-rw------- 1 postgres postgres 4535 Dec 2 02:45 pg_hba.conf
PGDay.Seoul 2019 7

8. HashiCorp’s Vault
8PGDay.Seoul 2019

9. Vault’s Token
$ vault read postgresql/creds/readonly
Key Value
--- -----
lease_id postgresql/creds/readonly/Dw35ApjCjE3x4WolwcD4GTgq
lease_duration 1h
lease_renewable true
password ee1a06db-9d28-2e74-41fc-c97a8d137dd8
username token-a6c161c7-dbee-b2b1-4ede-7300ed4350fa
PGDay.Seoul 2019 9

10. Dynamically Securing Databases using Vault
10PGDay.Seoul 2019
Security Team
Define secret
policies
PostgreSQL
APPs
username : root
password : password
Rotate the root
credentials
username : root
password : newpassword
Create DB credentials
username : token-a6c161c…
password : ee1a06db-9d…
App gets unique set of DB
Credentials to connect
Read / Write from DB
1
1
2
2
3
4

11. PotgreSQL Secrets Engine
$ export VAULT_ADDR="http://127.0.0.1:8200"
$ export VAULT_TOKEN="vault"
$ vault secrets enable postgresql
# dba admin / superuser
$ vault write postgresql/config/connection
connection_url="postgresql://root:root@172.16.100.1:5432/postgres?sslmode=disable"
# create user and role
$ vault write postgresql/roles/readonly
sql="CREATE ROLE "{{name}}" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';
GRANT SELECT ON ALL TABLES IN SCHEMA public TO "{{name}}";"
# get credential
$ vault read postgresql/creds/readonly
PGDay.Seoul 2019 11
2
1
1
2
3
no policies
get token
connect
create credential
get credential

12. 승인 워크플로우 (Approval Workflow)
12PGDay.Seoul 2019
1 2
3
4
5
Developer
Dev Manager
“You’re fired”
DevOps
Update
/request_pgsql_access
Auth / Role

13. 액세스 워크플로우 ( Access Workflow )
13PGDay.Seoul 2019
Developer
SQLGate / flyway
psql client /
Token CLI / HTTP API
15
2
3
4
6
Auth / Role
Personal
Identification

14. https://github.com/sql2/PostgreSQL_with_Dynamic_Credentials
PGDay.Seoul 2019 14

15. PGDay.Seoul 2019 15