Skip to main content
Managing database credentials centrally is a recommended security practice. This tutorial shows how to manage CockroachDB database credentials using Hashicorp Vault’s PostgreSQL database secrets engine, which provides centralized, secure, and auditable management of database credentials. See also:

Before you begin

Before you start this tutorial:

Step 1: Configure your local environment

In this phase, an administrator of your organization provisions access to a class of database clients by creating a set of credentials and propagating them to Vault.
  1. Set your CockroachDB cluster credentials and other configuration information as environment variables using the information you gathered previously.
  2. Construct a database connection URL for your CockroachDB CLI to connect to the cluster
  3. Execute a SQL statement to test your connection.
  4. Set your Vault target and the admin Vault namespace. You can fetch your target URL and generate a token from the HashiCorp Vault console, under the Access Vault tab.
  5. Authenticate to your Vault, providing the admin token when prompted:
  6. Enable the Vault database secrets engine
For more information on using the Vault Secrets CLI, refer to Vault’s documentation.

Step 2: Connect Vault to your cluster

In this step, you save your CockroachDB credentials in Vault so that it can perform administrative tasks on the cluster.
  1. Modify the $VAULT_TLS_OPTS environment variable you created earlier to skip TLS server authentication. The Vault server cannot use the CockroachDB cluster’s CA certificate. In this connection string, the username and password fields are Vault variables.
  2. Write the crdb-config database configuration to Vault, specifying admin credentials that will be used by Vault to create credentials for your defined role:

Step 3: Provision Dynamic Secrets

In Vault, a dynamic secret is a secret template that can be used to generate particular short-lived secrets on demand. The secret type we’ll be using is /database/role. A Vault database role does not correspond to a single role or user in SQL, but a template for creating short-lived roles or users. For a SQL role, the template is defined by its creation_statements, which are SQL statements that create the role, define its options and grant its permissions.
  1. Create a Vault database role. For example, create a role that has all privileges on the defaultdb database. In this command, db_name is the name of the the Vault database secrets engine namespace ( crdb-config in the example).
  2. Query Vault for a list of database roles, revealing the newly created role:
  3. Inspect the role:
  4. Show the list of Vault users:
  5. A Vault role is a defined template for credential pairs (SQL user/role name and password), which will be generated on demand and quickly expired. Reading a Vault role does not fetch credentials for a pre-existing SQL user, but requests that Vault create a user on demand, according to the template. Run the following command several times to generate several credential pairs:
    Notice that the validity duration is the default value of 1 hour.
  6. List the active credentials (or leases, in Vault terms) for the Vault role:
  7. Fetch the list of currently active SQL roles from the CockroachDB client:
  8. Revoke credentials by revoking a lease. A lease on a role in Vault terms corresponds to an actual credential pair for a SQL user on the CockroachDB cluster.
  9. Next, provision a Vault policy for CockroachDB client operators so that they can access the client credentials without having the admin role on the CockroachDB cluster. This policy will be used to access CockroachDB client credentials. This example grants it only the required ability to read the required credential. Vault policies are specified using HashiCorp Configuration Language (HCL). The following configuration specifies a policy of read access for the crdb-role credential:
  10. Generate an authentication token for the crdb-role Vault user.
    You can either copy the token from the output of the previous command, or capture a token with the following command (which requires the shell utility jq).

Step 4: Authenticate with Vault-provisioned credentials

This step shows how to use credentials provisioned by Vault to access a CockroachDB cluster, emulating the flow that an application engineer or application service account might use to access the database. This step does not use Vault admin credentials or CockroachDB credentials acquired outside of Vault.
  1. Authenticate to Vault using the client token:
  2. Confirm the limited permissions of the role:
  3. Read the CockroachDB credentials:
  4. Using the previous output, add the crdb-role credentials to your environment:
  5. List all the tables in database defaultdb to confirm you can connect to your CockroachDB cluster:
  6. To confirm that the credentials have been properly limited, attempt a forbidden operation. crdb-role does not have permission to list users, so try that in order to generate a permissions error:

Speed up role management operations

User/role management operations (such as and ) are . As such, they inherit the . For example, schema changes wait for concurrent using the same resources as the schema changes to complete. In the case of being modified inside a transaction, most transactions need access to the set of role memberships. Using the default settings, role modifications require schema leases to expire, which can take up to 5 minutes. If you want user/role management operations to finish more quickly, and do not care whether concurrent transactions will immediately see the side effects of those operations, set the allow_role_memberships_to_change_during_transaction to true. To learn more, refer to and .