static database roles auto rotation support #938

@YiyiSmile

Description

Is your feature request related to a problem? Please describe.
We are using Vault to manage existing database accounts. The roles are not created by Vault, but Vault manages the passwords for these roles. We have added the "spring-cloud-starter-vault-config" and "spring-cloud-vault-config-databases" dependencies, and there is no issue retrieving the username/password from our Spring Boot application. However, in terms of password rotation, it looks like Spring Cloud Vault doesn't support auto-refreshing the datasource bean when the password gets rotated on the Vault end for these static database roles.
So we want this to be supported.
For our Vault setup, I could see the following:

  1. In the response of calling the Vault database credential retrieval API, I could see the following:

{
  ...
  "lease_id": "",
  "renewable": false,
  "lease_duration": 0,
  "data": {
    ...
    "username": "xxx",
    "password": "yyy",
    "rotation_period": 15552000,
    "ttl": 4274939
  },
  "mount_type": "database",
  ...
}

Here the ttl tells the remaining time until the password will get rotated.

  2. On the Vault end, there is a rotation API configured so that the client application can call it to rotate the password proactively, just before the password gets rotated by Vault based on the TTL value.
    The applications cache the passwords in memory to avoid repeated calls to HashiCorp Vault to read the passwords. In such scenarios, if Vault rotates the password on its own, application functionality will fail as the cached password and the new one will not be in sync. Hence a controlled rotation of the password via the API always gives added assurance to the applications.

Describe the solution you'd like
The Spring Cloud Vault database library could support database password rotation by calling the Vault rotation API endpoint before the password expires.

Describe alternatives you've considered
Since it currently looks like Spring Cloud Vault doesn't support rotation for static database roles, we have to stop using it, which is a configuration-driven solution, and write code to retrieve the password and do the rotation and bean refresh.

Additional context
Add any other context or screenshots about the feature request here.
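The following is an added sketch of the controlled rotation described in this issue; it is not spring-cloud-vault code. Because the response above carries lease_duration 0 and renewable false, there is no lease for the framework to renew, so the application has to act on the ttl field itself. The sketch assumes Spring Vault's VaultOperations, a HikariCP pool that is already started, the standard Vault paths database/static-creds/<role> and database/rotate-role/<role>, and a five-minute safety margin (an assumed value).

```java
import java.time.Duration;
import java.util.Map;
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.TimeUnit;

import com.zaxxer.hikari.HikariDataSource;
import org.springframework.vault.core.VaultOperations;
import org.springframework.vault.support.VaultResponse;

/** Rotates a Vault static database role ahead of its ttl and pushes the new password into the pool. */
public class StaticRoleRotator {
    private static final String MOUNT = "database";                     // mount_type seen in the response
    private static final Duration SAFETY_MARGIN = Duration.ofMinutes(5); // assumed margin before Vault's own rotation
    private final VaultOperations vault;
    private final HikariDataSource pool;
    private final String role;
    private final ScheduledExecutorService scheduler = Executors.newSingleThreadScheduledExecutor();

    public StaticRoleRotator(VaultOperations vault, HikariDataSource pool, String role) {
        this.vault = vault;
        this.pool = pool;
        this.role = role;
    }

    /** Reads current credentials, applies them, and schedules a controlled rotation before ttl runs out. */
    public void start() {
        VaultResponse resp = vault.read(MOUNT + "/static-creds/" + role);
        Map<String, Object> data = resp.getRequiredData();
        apply(data);
        long ttlSeconds = ((Number) data.get("ttl")).longValue();     // seconds until Vault rotates on its own
        long delay = Math.max(0, ttlSeconds - SAFETY_MARGIN.getSeconds());
        scheduler.schedule(this::rotateAndReload, delay, TimeUnit.SECONDS);
    }

    private void rotateAndReload() {
        try {
            vault.write(MOUNT + "/rotate-role/" + role, null); // forces a new password now, resetting ttl
            start();                                           // re-read, apply, and reschedule
        } catch (RuntimeException e) {
            // Vault unreachable: the cached password is still valid until ttl, so retry shortly.
            scheduler.schedule(this::rotateAndReload, 30, TimeUnit.SECONDS);
        }
    }

    private void apply(Map<String, Object> data) {
        // New connections use the new password; existing ones are evicted when idle rather than failing later.
        pool.getHikariConfigMXBean().setUsername((String) data.get("username"));
        pool.getHikariConfigMXBean().setPassword((String) data.get("password"));
        pool.getHikariPoolMXBean().softEvictConnections();
    }
}
```

Between the write to rotate-role and the following read, a connection opened with the old password would be rejected, so the margin should be large enough that the reload completes well before Vault's own rotation.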
