25 April, 2022 by Tom Collins
- The HashiCorp Vault database secrets engine supports a plugin for Microsoft SQL Server (mssql-database-plugin).
- It supports root credential rotation, dynamic roles, static roles and username customization.
- Vault must be configured with a SQL Server user that, at minimum:
  - has privileges to create logins and manage processes, e.g. the securityadmin and processadmin server roles
  - can use Windows Authentication if necessary
  - has privileges to create database users and grant permissions in the Vault-managed databases, e.g. the db_accessadmin and db_securityadmin database roles
- Create a Vault role that maps a role name in Vault to the SQL statements Vault runs to create each credential (the `{{name}}` and `{{password}}` placeholders are filled in by Vault per credential):
```shell
$ vault write database/roles/my-role \
    db_name=my-mssql-database \
    creation_statements="CREATE LOGIN [{{name}}] WITH PASSWORD = '{{password}}';\
      CREATE USER [{{name}}] FOR LOGIN [{{name}}];\
      GRANT SELECT ON SCHEMA::dbo TO [{{name}}];" \
    default_ttl="1h" \
    max_ttl="24h"
Success! Data written to: database/roles/my-role
```
Note: Vault supports SQL Server on AWS RDS, but RDS for SQL Server does not grant the sysadmin server role, and by default Vault's MSSQL plugin relies on sysadmin privileges during the revocation step. The workaround is to set custom revocation_statements on the role, so that expiring or revoking a lease drops the user and login with only the privileges the Vault user actually holds.
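The procedure above, end to end, as an added example (not HashiCorp's code and not part of the original post): it registers the connection, rotates the bootstrap root credential, creates the role from the post, and creates a second role with custom revocation_statements that work on RDS without sysadmin. Everything named here is an assumption for illustration: VAULT_ADDR and VAULT_TOKEN are set, the engine is mounted at database/, SQL Server is reachable at mssql.example.internal:1433, the Vault login is vault_admin (securityadmin and processadmin, db_accessadmin and db_securityadmin in a database called app, plus VIEW SERVER STATE so it can see other logins' sessions), and the bootstrap password is supplied in MSSQL_ADMIN_PASSWORD. Two details it makes concrete: the bootstrap password is passed on stdin rather than in argv, and the plugin splits statement strings on `;` and runs each piece as its own query, so a custom revocation statement must not contain semicolons inside a single T-SQL batch.

```shell
#!/bin/sh
# Added example for this post; not HashiCorp's code or part of the original
# article. Configures the Vault MSSQL secrets engine end to end: connection
# registration, root credential rotation, a dynamic role using the post's
# creation statements, and a second role whose revocation statements work on
# AWS RDS, where the sysadmin role is unavailable.
#
# Assumptions (all hypothetical): VAULT_ADDR and VAULT_TOKEN are set, the
# engine is mounted at database/, SQL Server listens at
# mssql.example.internal:1433, the Vault login is "vault_admin" (securityadmin
# + processadmin, db_accessadmin/db_securityadmin in database "app", and VIEW
# SERVER STATE to list other logins' sessions), and its bootstrap password is
# supplied in MSSQL_ADMIN_PASSWORD.
set -eu

CONN=my-mssql-database

# Print the vault command instead of running it when DRY_RUN=1, so the script
# can be reviewed without a Vault server.
run_vault() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf 'vault %s\n' "$*"
  else
    vault "$@"
  fi
}

# Register the connection. The bootstrap password is read from stdin
# ("password=-") so it does not land in argv or shell history, and root
# rotation immediately replaces it with a password only Vault knows.
# "database=app" pins the session to the Vault-managed database so the
# DROP USER in the revocation statements runs in the right place.
configure_connection() {
  printf '%s' "${MSSQL_ADMIN_PASSWORD:-}" | run_vault write "database/config/$CONN" \
    plugin_name=mssql-database-plugin \
    connection_url="sqlserver://{{username}}:{{password}}@mssql.example.internal:1433?database=app" \
    allowed_roles="app-reader,app-reader-rds" \
    username=vault_admin \
    password=-
  run_vault write -f "database/rotate-root/$CONN"
}

# Creation statements, as in the post.
CREATE_SQL="CREATE LOGIN [{{name}}] WITH PASSWORD = '{{password}}'; CREATE USER [{{name}}] FOR LOGIN [{{name}}]; GRANT SELECT ON SCHEMA::dbo TO [{{name}}];"

# Revocation statements for RDS. The plugin splits the string on ';' and runs
# each piece as its own query, so no single statement may contain a semicolon
# (T-SQL makes them optional; IF ... BEGIN ... END needs none). Order matters:
# DROP LOGIN fails while the login has open sessions, so they are killed first
# via dynamic SQL (KILL needs ALTER ANY CONNECTION, which processadmin grants).
# The IF EXISTS guards make a partially revoked lease safe to retry.
rds_revocation_sql() {
  printf '%s; %s; %s' \
    "DECLARE @k NVARCHAR(MAX) = N'' SELECT @k = @k + N'KILL ' + CAST(session_id AS NVARCHAR(10)) + N' ' FROM sys.dm_exec_sessions WHERE login_name = '{{name}}' EXEC(@k)" \
    "IF EXISTS (SELECT 1 FROM sys.database_principals WHERE name = '{{name}}') BEGIN DROP USER [{{name}}] END" \
    "IF EXISTS (SELECT 1 FROM sys.server_principals WHERE name = '{{name}}') BEGIN DROP LOGIN [{{name}}] END"
}

# Number of separate queries Vault will execute for a statement string: one
# per non-empty ';'-separated piece. Use it to check a custom statement has
# not been chopped in the middle of a batch.
query_count() {
  printf '%s' "$1" | tr ';' '\n' | grep -c '[^[:space:]]'
}

create_roles() {
  # Role straight from the post; Vault's default (sysadmin-based) revocation applies.
  run_vault write database/roles/app-reader \
    db_name="$CONN" \
    creation_statements="$CREATE_SQL" \
    default_ttl=1h max_ttl=24h
  # Same grant, with revocation that works without sysadmin.
  run_vault write database/roles/app-reader-rds \
    db_name="$CONN" \
    creation_statements="$CREATE_SQL" \
    revocation_statements="$(rds_revocation_sql)" \
    default_ttl=1h max_ttl=24h
}

# Fetch a short-lived credential for a role; revoke it early with
# "vault lease revoke <lease_id>" to exercise the revocation statements.
issue_credential() {
  run_vault read "database/creds/$1"
}

if [ "${1:-}" = "apply" ]; then
  configure_connection
  create_roles
  issue_credential app-reader-rds
fi
```

Run it as `DRY_RUN=1 sh vault-mssql.sh apply` first to review the exact vault commands, then without DRY_RUN against a real Vault. After issuing a credential from app-reader-rds, revoke its lease and confirm in SQL Server that neither the login nor the database user remains; if DROP LOGIN reports the login is still connected, the Vault user is missing VIEW SERVER STATE or ALTER ANY CONNECTION and the KILL step silently did nothing.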
There are other configurable options; read more in the MSSQL database plugin API documentation.
Background reading on HashiCorp Vault:
https://learn.hashicorp.com/tutorials/vault/database-creds-rotation
https://learn.hashicorp.com/collections/vault/db-credentials
https://www.hashicorp.com/blog/enabling-transparent-data-encryption-for-microsoft-sql-with-vault