#vault (2022-06)

vault Discussions related to Hashicorp Vault


Andy

Hi all, does anyone use the database password rotation feature in their applications that retrieve secrets from Vault? I can't find examples of how applications should handle a password being refreshed. Should it be done by exception handling?

  1. App retrieves v1 creds for database from vault
  2. App connects to database with v1 creds
  3. After X minutes/hours vault rotates the credentials and creates v2 creds
  4. App attempts to execute a query with v1 credentials, but an exception occurs; App retrieves latest v2 creds.

Zachary Loeber

Step 0. App retrieves Vault token with access to request creds from the database secrets engine path.

Zachary Loeber

Either way, if you were using a static DB role, the rotation period would be set as part of the role. You could also force-rotate the password after it has been used via another API call.

Zachary Loeber

I'd not use this as some means to run a long service. If you are, then possibly using the Vault Agent would be a feasible solution.