Vault - AWS RDS Postgres 集成

Question

I'm setting up integration between vault and an postgres instance running in AWS RDS. My strategy is as follows:

1. Database registration

   a. Use the RDS master credentials to create a role named server_admin:

    CREATE ROLE server_admin WITH LOGIN PASSWORD '${password}' CREATEROLE CREATEDB

   b.Register the database with vault, using the server_admin postgres role (python hvac library):

    vault.write("database/config/{0}".format(database_identifier), plugin_name=plugin_name, connection_url=connection_url, allowed_roles="*")`

   c. Next, create a vault role for administration (schema creation):

    vault.write("database/roles/{0}".format(role_name), db_name=database_identifier, creation_statements='"CREATE ROLE \\"{{name}}\\" WITH LOGIN INHERIT PASSWORD '{{password}}' IN ROLE SERVER_ADMIN;"', default_ttl="10000h")

2. Schema registration

   a. Use vault to obtain a user with the server_admin role. b.Create the schema

   CREATE SCHEMA IF NOT EXISTS ${schema_name} AUTHORIZATION server_admin

   c. Create 3 vault roles (read_only, read_write, admin)

3. Application initialisation

   a. Obtain a database user from vault with the admin role, and run a flyway migration

   b.Obtain a database user from vault with the read_write role for normal operation

My issue is that during initial schema initialisation by my application (flyway), the tables are owned by the dynamically generated user. The next time I attempt a migration, I obtain a new user (via vault) with the admin role, but it does not have permissions to access the tables created by the first user.

What is the recommended strategy for database/schema/table ownership when using vault integration with postgresql?

Answer 1

I've struggled with the same problem and in the end, I implemented the solution described in this article. (The relevant part ends at 'Using Liquibase') https://www.jannikarndt.de/blog/2018/08/rotating_postgresql_passwords_with_no_downtime/

Vault can be used to rotate the roles as described above by using Vault Static Roles. In this case, the usernames remain constant and the passwords are rotated and managed by Vault. https://learn.hashicorp.com/vault/secrets-management/db-creds-rotation

I use a Blue/Green setup where I set the unused role to NOLOGIN and switch them when I want.

By keeping the Role names static, you avoid the problem of new roles that don't inherit the permissions of the previous role.