# Dynamic Secrets

Static secrets are quite a risk for an organisation, as they tend to not change over time. This makes them more prone to attacks such as brute forcing, and increases the impact of a credential leak. There are several approaches to avoid using static credentials for systems. The most common approach is to integrate all systems with some form of identity provider, and use a native identity managed by that provider to authenticate to any system. That way one only has to worry about the leak of the credential proving the identity. This credential is then typically rotated relatively often to provide security. While this approach is great for human to machine connections, it has several drawbacks, which can be solved in a nicer way for machine to machine accesses.

First and foremost, in case of a leak, the identity credential can access all systems that it has permission to. Moreover, in many cases this solution cannot be used accross the entirety of the system landscape, because some systems might not support integrating with an identity provider, or they have no access to it due to network segmentation.

HashiCorp Vault provides a different approach. Essentially, an identity credential is still used, but instead of using this to authenticate to the systems directly, it is used to authenticate to Vault, and then request a dynamic credential for the target system. Vault then generates a unique credential for the target system and provides it to the client. This credential can then be used for a bounded period of time, before the client needs to request another credential. This has a few benefits:

- The credentials to the target systems are short-lived, reducing the impact of a leak.
- While the identity credential of the client still technically has access to all the systems it has permission to through the Vault, this accesses are controlled centrally within the Vault and logged there. Thus in case of an identity credential leak, remediation and analysis is much simpler.
- The target systems do not require any kind of integeration. Vault takes care of that integration, and supports a wide range of systems by default. Additional systems can easily be supported by integrating plugins into Vault.
- In case of network segmentation, different Vaults can be used. As the several Vaults can manage different systems, there is no issue regarding deploying several Vaults, as opposed to deploying several IdPs which need to be kept in sync or provide different sets of identities.

## PostgreSQL

For simplicity we will use PostgreSQL as a target system on which we will generate dynamic credentials. Thus we will want Vault to generate PSQL users on the fly for us.

### Starting Vault

Let us start a Vault server. This will run Vault in the background and push the logs to `/tmp/vault.log`. If at any point in time the Vault crashes, this command will need to be used again to re-launch the Vault server.

In [None]:
nohup bash -c '
  vault server -dev -dev-root-token-id=root-token -dev-listen-address="0.0.0.0:8200"
' > /tmp/vault.log 2>&1 &
echo $! > /tmp/vault.pid

### Starting PostgreSQL

Now let us start PostgreSQL:

In [None]:
docker run -d --rm --name postgresql \
    --network kind \
    -e POSTGRES_USER=root \
    -e POSTGRES_PASSWORD=root \
    -p 5432:5432 \
    postgres:17.5-alpine3.22

### Connecting

In order to verify that everything is working, let us connect to the PostgreSQL instance and create a database and populate it with some data:

In [None]:
export PGPASSWORD=root
psql -h postgresql -U root -w -c "CREATE DATABASE mydatabase;"
psql -h postgresql -U root -w -d mydatabase -c "CREATE TABLE cars (brand VARCHAR(255),model VARCHAR(255),year INT);"
psql -h postgresql -U root -w -d mydatabase -c "INSERT INTO cars (brand, model, year) VALUES ('Ford', 'Mustang', 1964), ('Fiat', '500', 1957), ('BMW', 'M1', 1978), ('Toyota', 'Celica', 1975);"

### Roles

While Vault will handle the creation of users, the permissions detemining what users are allowed to do on the database is still controlled by PostgreSQL. Thus we will create a role called `ro` which has read-only permissions on all tables. We will then tell Vault to grant that role to the users it will create to ensure they have the permissions we desire.

In [None]:
psql -h postgresql -U root -w -d mydatabase -c "CREATE ROLE \"ro\" NOINHERIT;"
psql -h postgresql -U root -w -d mydatabase -c "GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"ro\";"

### Login to Vault

Let us login to Vault. We started a development version vor simplicity.

In [None]:
export VAULT_ADDR="http://127.0.0.1:8200"
vault login root-token

### Configuring Dynamic Secrets

We now have a PostgreSQL instance running at `postgresql:5432` with a superadmin account with username `root` and password `root`. This instance contains a database `mydatabase` with a table `cars`. On top of that, there is a `ro` role that allows any user with that role to read all tables.

First, we will need to enable the Vault secrets engine. This engine is called `database` and can handle much more than PostgreSQL. Let us enable it:

In [None]:
vault secrets enable database

Now let us configure the connection for Vault to know how to connect to the database. We will use the superadmin user to allow Vault to connect to the database, as it will require permissions to create users. In practice you would use a different user that has specifically only the permissions Vault requires. On top of that, we are providing a set of roles that will be allowed to use this connection. This is a list of Vault roles, which we will create later on. We will create only a single role that will use this connection, and call it `readonly`.

In [None]:
vault write database/config/postgres \
     plugin_name=postgresql-database-plugin \
     connection_url="postgresql://{{username}}:{{password}}@postgresql/mydatabase?sslmode=disable" \
     allowed_roles=readonly \
     username="root" \
     password="root"

### Creating Vault Role

We have prepared the templated SQL statements that Vault should use to generate users and grant them the `ro` role on the database. Check it out:

In [None]:
cat ./assets/dynamic-secrets/readonly.sql

Now create the role on the database. We will grant the users generated with this role a time to live (TTL) of 15 minutes by default, and a maximal TTL of 1 hour.

In [None]:
vault write database/roles/readonly \
      db_name=postgres \
      creation_statements=@assets/dynamic-secrets/readonly.sql \
      default_ttl=15m \
      max_ttl=1h

### Creating Users

You can now request a user with that role from Vault using the following command:

```sh
vault read database/creds/readonly
```

Request a couple of users:

In [None]:
# execute the command to request credentials a couple of times to get a couple of users
vault ...

### Verify Users

Now that we have created the users, these should be present on the database until they expire. This can be verified with the command below:

In [None]:
psql -h postgresql -U root -w -c "SELECT usename, valuntil FROM pg_user;"

### Connect

Use one of the users you created to connect to the database. Fill in the username and password and connect to the database to read the `cars` table we created above. This should be possible, as the users created are granted the `ro` role, which has permissions to perform this action.

In [None]:
export PGPASSWORD="<fill-in>"
psql -h postgresql -d mydatabase -U "<fill-in>" -w -c "SELECT * FROM cars;"

The `ro` role does however not grant permission to write anything to the database. Let us check that thus our users do not have the permission to add another entry into the `cars` table on the database:

In [None]:
psql -h postgresql -d mydatabase -U "<fill-in>" -w -c "INSERT INTO cars (brand, model, year) VALUES ('Fiat', 'Panda', 1980);"

### ADVANCED: Static Roles

The dynamic secrets engines for databases also provides other capabilities than generatic completely new users each time. Instead, in some cases the username needs to remain fixed, and only the password should be rotated. This is especially important when meaning is attached to the username. This, in Vault lingo, is called static roles. You can find the API documentation for these roles here: https://developer.hashicorp.com/vault/api-docs/secret/databases#create-static-role

More general documentation can be found here: https://developer.hashicorp.com/vault/docs/secrets/databases#static-roles

In this advanced section, perform the following:

1. Create a user `myuser` on the PSQL database with a password of your choosing.
2. Onboard the `myuser` user as a static role on Vault using the connection that is already configured. The password rotation should:
   - Occur every Sunday at 00:00.
   - Occur within 3 hours of of the schedule.
3. Read the credentials of the user after importing them into Vault.
4. Force a premature rotation of the static role and use the new credentials to login to PostgreSQL.

## Cleaning Up

At the end of each module, you should clean up your Vault instance. This is done by shutting it down and wiping its database to restore its state.

In [None]:
kill $(cat /tmp/vault.pid)
rm /tmp/vault.log
rm /tmp/vault.pid
docker stop postgresql