42 lines
1.1 KiB
Markdown
42 lines
1.1 KiB
Markdown
# Настраиваем PSQL на работу с динамическими секретами
|
||
|
||
1. подключаем новый метод авторизации
|
||
|
||
```bash
|
||
vault secrets enable -path=psql database
|
||
```
|
||
|
||
2. настраиваем конфиг и шаблон
|
||
|
||
```bash
|
||
vault write psql/config/test-psql \
|
||
plugin_name=postgresql-database-plugin \
|
||
allowed_roles="db1-role" \
|
||
connection_url="postgresql://{{username}}:{{password}}@psql:5432/testdb1?sslmode=disable" \
|
||
username="root" \
|
||
password="pa$$w0rd"
|
||
```
|
||
|
||
2. добавляем роль
|
||
|
||
```bash
|
||
vault write psql/roles/db1-role \
|
||
db_name=testdb1 \
|
||
creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; \
|
||
GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";" \
|
||
default_ttl="1h" \
|
||
max_ttl="24h"
|
||
```
|
||
|
||
3. пробуем получить креды
|
||
|
||
```bash
|
||
vault read psql/db-creds
|
||
```
|
||
|
||
4. пробуем под ними авторизоваться
|
||
|
||
```bash
|
||
psql -h 127.0.0.1 -d testdb1 -W -U v-root-db1-role-<hash>
|
||
```
|