Hashicorp Vault
HashiCorp Vault is designed to help organizations manage access to secrets and transmit them safely.
Secrets are any form of sensitive credentials that need to be tightly controlled and monitored and can be used to unlock sensitive information. Secrets can be in the form of passwords, API keys, SSH keys, RSA tokens, or OTP. For more details, refer to Dynamic secrets.
YSQL plugin for Hashicorp Vault
YSQL plugin for Hashicorp Vault provides APIs for using HashiCorp Vault dynamic secrets with YugabyteDB. The plugin includes APIs for adding YugabyteDB to manage secrets, creating new users, and managing leases.
For more details, refer to YSQL plugin for Hashicorp Vault.
Setup
Your YugabyteDB cluster should be up and running. Refer to YugabyteDB Prerequisites.
Install Hashicorp Vault. See Installing Vault.
Before using Vault, do the following:
-
Add Go to the path as follows:
export GOPATH=$HOME/go export PATH=$PATH:$GOROOT/bin:$GOPATH/bin
-
To run Vault in development mode, add the default vault address and vault token as follows:
export VAULT_ADDR="http://localhost:8200" export VAULT_TOKEN="root"
-
For production mode, register the plugin as follows:
export SHA256=$(sha256sum <build dir>/ysql-plugin | cut -d' ' -f1) vault write sys/plugins/catalog/database/ysql-plugin \ sha256=$SHA256 \ command="ysql-plugin"
Install the YSQL plugin for Hashicorp Vault as follows:
-
Clone the
hashicorp-vault-ysql-plugin
repository:git clone https://github.com/yugabyte/hashicorp-vault-ysql-plugin && cd hashicorp-vault-ysql-plugin
-
Build the plugin as follows:
go build -o <build dir>/ysql-plugin cmd/ysql-plugin/main.go
Alternatively, you can download the binary directly from GitHub:
- Pre-built binary can be found at the releases page. Download, unzip the file and place the binary in build directory.
Run and configure the vault server
Start the Vault server using the server command with the following flags:
- To have Vault automatically register the plugin, provide the path to the directory containing the plugin binary using the
-dev-plugin-dir
flag. - Set the
-dev-root-token
flag to inform the vault to use the default vault token of root to log in (this token is required in production mode). - To run the server in development mode, use the
-dev
flag; development mode makes it easier to experiment with Vault or start a Vault instance for development.
Don't run Development mode in production
Never run development mode in production. It is insecure and will lose data on every restart (as it stores data in memory). Development mode is only suitable for development or experimentation.For example, you can start the server as follows:
vault server -dev -dev-root-token-id=root -dev-plugin-dir=<build directory>
Enable the database's secrets as follows:
vault secrets enable database
You can add the database using one of the following options:
-
Enter the credentials:
vault write database/config/yugabytedb plugin_name=ysql-plugin \ host="127.0.0.1" \ port=5433 \ username="yugabyte" \ password="yugabyte" \ db="yugabyte" \ load_balance=true \ yb_servers_refresh_interval=0 \ allowed_roles="*"
-
Use a connection string:
vault write database/config/yugabytedb \ plugin_name=ysql-plugin \ connection_url="postgres://{{username}}:{{password}}@localhost:5433/yugabyte?sslmode=disable&load_balance=true&yb_servers_refresh_interval=0" \ allowed_roles="*" \ username="yugabyte" \ password="yugabyte"
For more information on running Vault, refer to the Vault documentation.
Use the plugin
Create a role as follows:
vault write database/roles/my-first-role \
db_name=yugabytedb \
creation_statements="CREATE ROLE \"{{username}}\" WITH PASSWORD '{{password}}' VALID UNTIL '{{expiration}}' NOINHERIT LOGIN; \
GRANT ALL ON DATABASE \"yugabyte\" TO \"{{username}}\";" \
default_ttl="1h" \
max_ttl="24h"
Create a user as follows:
vault read database/creds/my-first-role
To manage leases for YugabyteDB, including lookup, renewal, and revocation, provide the lease ID along with the following commands:
# Lease lookup
vault lease lookup <lease-ID>
# Renew the lease
vault lease renew <lease-ID>
#Revoke the lease
vault lease revoke <lease-ID>
Configure SSL/TLS
To allow YSQL Hashicorp Vault plugin to communicate securely over SSL with YugabyteDB database, you need the root certificate (ca.crt
) of the YugabyteDB cluster. To generate these certificates and install them while launching the cluster, follow the instructions in Create server certificates.
Because a YugabyteDB Aeon cluster is always configured with SSL/TLS, you don't have to generate any certificate but only set the client-side SSL configuration. To fetch your root certificate, refer to CA certificate.
To start a secure local YugabyteDB cluster using yugabyted, refer to Create a local multi-node cluster.
For a YugabyteDB Aeon cluster, or a local YugabyteDB cluster with SSL/TLS enabled, set the SSL-related connection parameters along with other connection information while adding the database by either of the following ways:
-
Provide the connection information in DSN format:
vault write database/config/yugabytedb plugin_name=ysql-plugin \ host="127.0.0.1" \ port=5433 \ username="yugabyte" \ password="yugabyte" \ db="yugabyte" \ load_balance=true \ yb_servers_refresh_interval=0 \ sslmode="verify-full" \ sslrootcert="path/to/.crt-file" \ allowed_roles="*"
-
Provide the connection information as a connection string:
vault write database/config/yugabytedb \ plugin_name=ysql-plugin \ connection_url="postgres://{{username}}:{{password}}@localhost:5433/yugabyte?sslmode=verify-full&load_balance=true&yb_servers_refresh_interval=0&sslrootcert=path/to/.crt-file" \ allowed_roles="*" \ username="yugabyte" \ password="yugabyte"
SSL modes
The following table summarizes the SSL modes:
SSL Mode | Client Driver Behavior | YugabyteDB Support |
---|---|---|
disable | SSL disabled | Supported |
allow | SSL enabled only if server requires SSL connection | Supported |
prefer (default) | SSL enabled only if server requires SSL connection | Supported |
require | SSL enabled for data encryption and Server identity is not verified | Supported |
verify-ca | SSL enabled for data encryption and Server CA is verified | Supported |
verify-full | SSL enabled for data encryption. Both CA and hostname of the certificate are verified | Supported |
YugabyteDB Aeon requires SSL/TLS, and connections using SSL mode disable
will fail.
Known issues
When executing vault operations, the internal query may fail with the following error:
ERROR: The catalog snapshot used for this transaction has been invalidated: expected: 2, got: 1: MISMATCHED_SCHEMA (SQLSTATE 40001)
A DML query in YSQL may touch multiple servers, and each server has a Catalog Version which is used to track schema changes. When a DDL statement runs in the middle of the DML query, the Catalog Version is changed and the query has a mismatch, causing it to fail.
For such cases, the database aborts the query and returns a 40001 error code. Operations failing with this code can be safely retried.
For more information, refer to How to troubleshoot Schema or Catalog version mismatch database errors.