Before you begin
Before you start this tutorial:- Either or . Make a note of the cluster’s name. For a cluster in CockroachDB Cloud, download the cluster’s CA certificate locally. Refer to .
- Create a SQL user and make a note of the username and password. Refer or .
- Create a Vault cluster in HashiCorp Cloud or start a development Vault cluster locally.
- .
- Install the Vault CLI.
Step 1: Configure your local environment
In this phase, an administrator of your organization provisions access to a class of database clients by creating a set of credentials and propagating them to Vault.-
Set your CockroachDB cluster credentials and other configuration information as environment variables using the information you gathered previously.
-
Construct a database connection URL for your CockroachDB CLI to connect to the cluster
-
Execute a SQL statement to test your connection.
-
Set your Vault target and the
adminVault namespace. You can fetch your target URL and generate a token from the HashiCorp Vault console, under the Access Vault tab. -
Authenticate to your Vault, providing the admin token when prompted:
-
Enable the Vault database secrets engine
Step 2: Connect Vault to your cluster
In this step, you save your CockroachDB credentials in Vault so that it can perform administrative tasks on the cluster.-
Modify the
$VAULT_TLS_OPTSenvironment variable you created earlier to skip TLS server authentication. The Vault server cannot use the CockroachDB cluster’s CA certificate. In this connection string, the username and password fields are Vault variables. -
Write the
crdb-configdatabase configuration to Vault, specifying admin credentials that will be used by Vault to create credentials for your defined role:
Step 3: Provision Dynamic Secrets
In Vault, a dynamic secret is a secret template that can be used to generate particular short-lived secrets on demand. The secret type we’ll be using is/database/role. A Vault database role does not correspond to a single role or user in SQL, but a template for creating short-lived roles or users.
For a SQL role, the template is defined by its creation_statements, which are SQL statements that create the role, define its options and grant its permissions.
-
Create a Vault database role.
For example, create a role that has all privileges on the
defaultdbdatabase. In this command,db_nameis the name of the the Vault database secrets engine namespace (crdb-configin the example). -
Query Vault for a list of database roles, revealing the newly created role:
-
Inspect the role:
-
Show the list of Vault users:
-
A Vault role is a defined template for credential pairs (SQL user/role name and password), which will be generated on demand and quickly expired. Reading a Vault role does not fetch credentials for a pre-existing SQL user, but requests that Vault create a user on demand, according to the template. Run the following command several times to generate several credential pairs:
Notice that the validity duration is the default value of 1 hour.
-
List the active credentials (or leases, in Vault terms) for the Vault role:
-
Fetch the list of currently active SQL roles from the CockroachDB client:
-
Revoke credentials by revoking a lease. A lease on a role in Vault terms corresponds to an actual credential pair for a SQL user on the CockroachDB cluster.
-
Next, provision a Vault policy for CockroachDB client operators so that they can access the client credentials without having the admin role on the CockroachDB cluster.
This policy will be used to access CockroachDB client credentials. This example grants it only the required ability to read the required credential.
Vault policies are specified using HashiCorp Configuration Language (HCL). The following configuration specifies a policy of read access for the
crdb-rolecredential: -
Generate an authentication token for the
crdb-roleVault user.You can either copy thetokenfrom the output of the previous command, or capture a token with the following command (which requires the shell utility jq).
Step 4: Authenticate with Vault-provisioned credentials
This step shows how to use credentials provisioned by Vault to access a CockroachDB cluster, emulating the flow that an application engineer or application service account might use to access the database. This step does not use Vault admin credentials or CockroachDB credentials acquired outside of Vault.-
Authenticate to Vault using the client token:
-
Confirm the limited permissions of the role:
-
Read the CockroachDB credentials:
-
Using the previous output, add the
crdb-rolecredentials to your environment: -
List all the tables in database
defaultdbto confirm you can connect to your CockroachDB cluster: -
To confirm that the credentials have been properly limited, attempt a forbidden operation.
crdb-roledoes not have permission to list users, so try that in order to generate a permissions error:
Speed up role management operations
User/role management operations (such as and ) are . As such, they inherit the . For example, schema changes wait for concurrent using the same resources as the schema changes to complete. In the case of being modified inside a transaction, most transactions need access to the set of role memberships. Using the default settings, role modifications require schema leases to expire, which can take up to 5 minutes. If you want user/role management operations to finish more quickly, and do not care whether concurrent transactions will immediately see the side effects of those operations, set theallow_role_memberships_to_change_during_transaction to true. To learn more, refer to and .
