A simple guide to Hashicorp and SQL Server Secrets Engine

25 April,2022 by Tom Collins

-The Hashicorp database secrets engine (database secrets engine) supports a plugin for SQL Server 

-It supports root credential rotation, dynamic roles , static roles , username customization 

-Vault needs to be configured a user that at minimum :

    -a vault user must have privileges to create logins and manage processes e/g security admin and processadmin

                  - vault user can use Windows Authentication if necessary

    - user must have privileges to create database users , grant permissions in the Vault managed databases e/g db_accessadmin , db_securityadmin

    - Create a vault role mapping a name in vault to a SQL Statement 

 

$ vault write database/roles/my-role \
    db_name=my-mssql-database \
    creation_statements="CREATE LOGIN [{{name}}] WITH PASSWORD = '{{password}}';\
        CREATE USER [{{name}}] FOR LOGIN [{{name}}];\
        GRANT SELECT ON SCHEMA::dbo TO [{{name}}];" \
    default_ttl="1h" \
    max_ttl="24h"
Success! Data written to: database/roles/my-role

Note: Hashicorp Vault supports AWS RDS but AWS RDS sql server does not support "sysadmin" role. By default the sysadmin role  is used during the revoking step. Workaround is to add custom revocation statements 

There are also other configurable options , read more on : MSSQL database plugin API

 


Author: Tom Collins (http://www.sqlserver-dba.com)


Share:

Verify your Comment

Previewing your Comment

This is only a preview. Your comment has not yet been posted.

Working...
Your comment could not be posted. Error type:
Your comment has been posted. Post another comment

The letters and numbers you entered did not match the image. Please try again.

As a final step before posting your comment, enter the letters and numbers you see in the image below. This prevents automated programs from posting comments.

Having trouble reading this image? View an alternate.

Working...

Post a comment on A simple guide to Hashicorp and SQL Server Secrets Engine


sqlserver-dba.com | SQL Server Performance Tuning | SQL Server DBA:Everything | FAQ | Contact|Copyright & Disclaimer