From 483e9eb56239eee0d35f1db108d10cb1e6f7b393 Mon Sep 17 00:00:00 2001
From: hc-github-team-secure-vault-core
<82990506+hc-github-team-secure-vault-core@users.noreply.github.com>
Date: Tue, 29 Aug 2023 20:49:40 -0400
Subject: [PATCH] backport of commit ce2851543f79e14611b1e8e5c997ad0fbe529dbf
(#22631)
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
---
.../content/docs/secrets/databases/index.mdx | 45 ++++++++++++++-----
1 file changed, 33 insertions(+), 12 deletions(-)
diff --git a/website/content/docs/secrets/databases/index.mdx b/website/content/docs/secrets/databases/index.mdx
index 01968273a75d..f1b54906745e 100644
--- a/website/content/docs/secrets/databases/index.mdx
+++ b/website/content/docs/secrets/databases/index.mdx
@@ -28,18 +28,35 @@ become invalid within a reasonable time of the lease expiring.
### Static roles
-The database secrets engine supports the concept of "static roles", which are
-a 1-to-1 mapping of Vault Roles to usernames in a database. The current password
-for the database user is stored and automatically rotated by Vault on a
-configurable period of time. This is in contrast to dynamic secrets, where a
-unique username and password pair are generated with each credential request.
-When credentials are requested for the Role, Vault returns the current
-password for the configured database user, allowing anyone with the proper
-Vault policies to have access to the user account in the database.
-
--> Please consult the specific database documentation on the left navigation or
-the table below under [Database Capabilities](#database-capabilities) to see if
-a given database backend supports static roles.
+With dynamic secrets, Vault generates a unique username and password pair for
+each unique credential request. Vault also supports **static roles** for
+some database secrets engines. Static roles are a 1-to-1 mapping of Vault roles
+to usernames in a database. With static roles, Vault stores, and automatically
+rotates, passwords for the associated database user based on a configurable
+period of time.
+
+When a client requests credentials for the static role, Vault
+returns the current password for whichever database user is mapped to the
+requested role. With static roles, anyone with the proper Vault policies can
+access the associated user account in the database.
+
+
+ Do not manage the same root database credentials that you provide to Vault in
+ config/ with static roles.
+
+ Vault does not distinguish between standard credentials and root credentials
+ when rotating passwords. If you assign your root credentials to a static
+ role, any dynamic or static users managed by that database configuration will
+ fail after rotation because the password for config/ is no longer
+ valid.
+
+ If you need to rotate root credentials, use the
+ [Rotate root credentials](vault/api-docs/secret/database/index.mdx#rotate-root-credentials)
+ API endpoint.
+
+
+Consult the [database capabilities table](#db-capabilities-table) to determine
+if your chosen database backend supports static roles.
## Setup
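Review bot: The "Rotate root credentials" link in the new callout points at a source file path, `vault/api-docs/secret/database/index.mdx#rotate-root-credentials`, rather than a site route; every other link in this file is root-relative (for example `/docs/secrets/databases/cassandra` in the capabilities table), so this one will not resolve when the docs are rendered. Use the same convention, something like `/api-docs/secret/database#rotate-root-credentials`. Two smaller points in the same hunk: the indented block between the two blank lines reads like a callout component, so confirm its opening and closing tags survived the backport, since only the body is visible here; and "any dynamic or static users managed by that database configuration will fail after rotation" describes the symptom loosely, because it is the credential requests and rotations for those roles that fail once the `config/` password is invalid, so consider "credential requests for any dynamic or static roles managed by that database configuration will fail after rotation".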
@@ -134,6 +151,9 @@ As of Vault 1.6, all databases support dynamic roles and static roles. All plugi
the root user's credentials. MongoDB Atlas cannot support rotating the root user's credentials because it uses a public
and private key pair to authenticate.
+
+
+
| Database | Root Credential Rotation | Dynamic Roles | Static Roles | Username Customization | Credential Types |
| ---------------------------------------------------------------------- | ------------------------ | ------------- | ------------ | ---------------------- |---------------------------|
| [Cassandra](/docs/secrets/databases/cassandra) | Yes | Yes | Yes (1.6+) | Yes (1.7+) | password |
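Review bot: The three added lines ahead of the table are empty as shown, yet the static roles section now links to `#db-capabilities-table` in place of the old `#database-capabilities` target; if these lines were meant to carry the anchor element that defines `db-capabilities-table`, make sure it is actually present in the committed file, otherwise the new link in the static roles section lands nowhere.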
@@ -222,6 +242,7 @@ disable_escaping="true"
```
## Tutorial
+
Refer to the following step-by-step tutorials for more information:
- [Secrets as a Service: Dynamic Secrets](https://learn.hashicorp.com/tutorials/vault/database-secrets)
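Review bot: The only change here is a blank line inserted after `## Tutorial`, which is whitespace unrelated to the static roles rewrite; it is harmless, but a backport is easier to review when it carries only the hunks that motivate it, so consider dropping it.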