README
¶
vault-plugin-database-arangodb
A Vault plugin for ArangoDB to generate dynamic database access credentials.
Build
TODO
Installation
The Vault plugin system is documented on the Vault documentation site.
You will need to define a plugin directory using the plugin_directory configuration directive, then place the
vault-plugin-database-arangodb executable into the directory.
Sample commands for registering and starting to use the plugin:
$ SHA256=$(shasum -a 256 plugins/vault-plugin-database-arangodb | cut -d' ' -f1)
$ vault secrets enable database
$ vault write sys/plugins/catalog/database/arangodb-database-plugin sha256=$SHA256 \
command=vault-plugin-database-arangodb
Prior to initializing the plugin, ensure that you have created an administration account in ArangoDB. Vault will use the user specified here to create/update/revoke database credentials. That user must have the appropriate permissions to perform actions upon other database users.
Usage
Plugin initialization:
$ vault write database/config/arangodb plugin_name="arangodb-database-plugin" \
connection_url="http://localhost:8529" \
username="Administrator" \
password="password" \
allowed_roles="my_role"
Dynamic Role Creation
Configure a role with the requested collection/database grants:
$ vault write database/roles/my-role \
db_name=arangodb \
creation_statements='{"collection_grants": [{"db": "my-database", "access": "rw"}]}' \
default_ttl="1m" \
max_ttl="24h"
To retrieve the credentials for the dynamic accounts
$ vault read database/creds/my-role
Key Value
--- -----
lease_id database/creds/my-role/YlgApUA8o7ZxitiqfdzhF8vq
lease_duration 1m
lease_renewable true
password 078Ee-1D9o4DJirKbFim
username v-token-my-role-eUcuQXdhoDXjkpv3buTo-1620099446
Developing
You can run make dev in the root of the repo to start up a development vault server and automatically register a local build of the plugin. You will need to have a built vault binary available in your $PATH to do so.
Documentation
¶
Index ¶
- func New() (interface{}, error)
- type ArangoDB
- func (a ArangoDB) Close() error
- func (a ArangoDB) Connection(ctx context.Context) (interface{}, error)
- func (a *ArangoDB) DeleteUser(ctx context.Context, req dbplugin.DeleteUserRequest) (dbplugin.DeleteUserResponse, error)
- func (a *ArangoDB) Initialize(ctx context.Context, req dbplugin.InitializeRequest) (dbplugin.InitializeResponse, error)
- func (a *ArangoDB) NewUser(ctx context.Context, req dbplugin.NewUserRequest) (dbplugin.NewUserResponse, error)
- func (a *ArangoDB) Type() (string, error)
- func (a *ArangoDB) UpdateUser(ctx context.Context, req dbplugin.UpdateUserRequest) (dbplugin.UpdateUserResponse, error)
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
Types ¶
type ArangoDB ¶
type ArangoDB struct {
// contains filtered or unexported fields
}
ArangoDB is an implementation of Database interface
func (ArangoDB) Connection ¶
Connection creates a database connection
func (*ArangoDB) DeleteUser ¶
func (a *ArangoDB) DeleteUser(ctx context.Context, req dbplugin.DeleteUserRequest) (dbplugin.DeleteUserResponse, error)
DeleteUser deletes a user account
func (*ArangoDB) Initialize ¶
func (a *ArangoDB) Initialize(ctx context.Context, req dbplugin.InitializeRequest) (dbplugin.InitializeResponse, error)
Initialize sets up the ArangoDB Plugin
func (*ArangoDB) NewUser ¶
func (a *ArangoDB) NewUser(ctx context.Context, req dbplugin.NewUserRequest) (dbplugin.NewUserResponse, error)
NewUser creates a new user account
func (*ArangoDB) UpdateUser ¶
func (a *ArangoDB) UpdateUser(ctx context.Context, req dbplugin.UpdateUserRequest) (dbplugin.UpdateUserResponse, error)
UpdateUser updates a user's password
Source Files
Directories