2. Temporary Security Credentials
• When a shell script or config file needs a username and password
• When the development team wants to connect to the production DB server to check a few things
• When one-off accounts are frequently created and deleted
• When a security regulation such as GDPR requires password expiry
PGDay.Seoul 2019 2
10. Dynamically Securing Databases using Vault
Diagram (workflow between the Security Team, Vault, PostgreSQL and the apps):
1. Security Team defines the secret policies.
2. Vault rotates the root credentials (username: root, password: password → username: root, password: newpassword).
3. Vault creates DB credentials (username: token-a6c161c…, password: ee1a06db-9d…); each app gets a unique set of DB credentials to connect with.
4. The app reads from / writes to the DB.
11. PostgreSQL Secrets Engine
$ export VAULT_ADDR="http://127.0.0.1:8200"
$ export VAULT_TOKEN="vault"
$ vault secrets enable postgresql
# connection as a DBA admin / superuser; Vault uses it to create the short-lived roles
$ vault write postgresql/config/connection \
    connection_url="postgresql://root:root@172.16.100.1:5432/postgres?sslmode=disable"
# role template: {{name}}, {{password}} and {{expiration}} are filled in by Vault on each request
$ vault write postgresql/roles/readonly \
    sql="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; \
         GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";"
# request a credential
$ vault read postgresql/creds/readonly
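The same sequence from an application's side, as an added example (not the talk's code): it drives Vault's HTTP API with the slide's mount path and role, keeps the lease that comes back with the dynamic user so the app knows when to renew, and builds the libpq DSN with sslmode=require instead of the slide's sslmode=disable. The sample creds response, lease id, username and password are constructed; VAULT_ADDR and VAULT_TOKEN default to the slide's values.

```python
import json
import os
import urllib.request

VAULT_ADDR = os.environ.get("VAULT_ADDR", "http://127.0.0.1:8200")
VAULT_TOKEN = os.environ.get("VAULT_TOKEN", "vault")

# Same role template as the slide, quoted once as a Python string.
ROLE_SQL = ("CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' "
            "VALID UNTIL '{{expiration}}'; "
            "GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";")

def vault_request(path, payload=None):
    """POST payload (or GET when None) to Vault's HTTP API; return parsed JSON."""
    data = json.dumps(payload).encode() if payload is not None else None
    req = urllib.request.Request(
        f"{VAULT_ADDR}/v1/{path}", data=data, method="POST" if data else "GET",
        headers={"X-Vault-Token": VAULT_TOKEN, "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        body = resp.read()
    return json.loads(body) if body else {}

def parse_creds(resp, now):
    """Extract the one-off DB user and its lease from a creds/<role> response."""
    return {"username": resp["data"]["username"], "password": resp["data"]["password"],
            "lease_id": resp["lease_id"], "lease_duration": resp["lease_duration"],
            "renewable": resp["renewable"], "expires_at": now + resp["lease_duration"]}

def needs_renewal(cred, now, margin=0.2):
    """True once under `margin` (20%) of a renewable lease remains."""
    return cred["renewable"] and cred["expires_at"] - now < margin * cred["lease_duration"]

def dsn_for(cred, host, dbname="postgres"):
    """libpq DSN for the app; sslmode=require instead of the slide's sslmode=disable."""
    return (f"host={host} dbname={dbname} user={cred['username']} "
            f"password={cred['password']} sslmode=require")

# Constructed sample in the shape of `vault read postgresql/creds/readonly`.
SAMPLE_CREDS = json.loads(
    '{"lease_id": "postgresql/creds/readonly/CONSTRUCTED-LEASE", "lease_duration": 3600,'
    ' "renewable": true, "data": {"username": "token-CONSTRUCTED", "password": "CONSTRUCTED-PW"}}')

if __name__ == "__main__":
    import time  # the slide's command sequence over the API (needs a reachable Vault)
    vault_request("sys/mounts/postgresql", {"type": "postgresql"})
    vault_request("postgresql/config/connection",
                  {"connection_url": "postgresql://root:root@172.16.100.1:5432/postgres"})
    vault_request("postgresql/roles/readonly", {"sql": ROLE_SQL})
    cred = parse_creds(vault_request("postgresql/creds/readonly"), time.time())
    print(dsn_for(cred, "172.16.100.1"), "renew now:", needs_renewal(cred, time.time()))
```

With a real Vault the `__main__` block performs the four slide commands; without one, the helpers can be exercised on SAMPLE_CREDS alone.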
Diagram (sequence for the commands above): token with no policies → 1. get token → 2. connect, create credential → 3. get credential.