This is a custom HashiCorp Vault plugin created for learning and experimentation purposes.
This plugin demonstrates how to build a custom secrets engine for HashiCorp Vault that integrates with PostgreSQL. It generates short-lived PostgreSQL users on demand and manages their lifecycle.
- Dynamic Database Credentials: Generate temporary PostgreSQL users with configurable permissions
- Role-based Access: Define roles with specific SQL creation statements and TTL policies
- Credential Management: Automatic credential lifecycle management with configurable TTLs
- RESTful API: Standard Vault API endpoints for configuration and credential operations
```
vault-custom-plugin/
├── main.go         # Plugin entry point and Vault integration
├── backend.go      # Backend implementation with embedded framework
├── client.go       # PostgreSQL client implementation
├── path_config.go  # Configuration endpoint handlers (/config)
├── path_roles.go   # Role management endpoints (/roles/*)
├── path_creds.go   # Credential generation endpoints (/creds/*)
├── go.mod          # Go module dependencies
├── go.sum          # Dependency checksums
└── README.md       # This file
```
- `PUT /config`: Configure database connection
- `GET /config`: Retrieve current configuration
- `DELETE /config`: Remove configuration
- `PUT /roles/{name}`: Create or update a role
- `GET /roles/{name}`: Read role configuration
- `DELETE /roles/{name}`: Delete a role
- `LIST /roles/`: List all roles
- `GET /creds/{role}`: Generate credentials for a role
```bash
# sslmode=disable is only suitable for a local test database
vault write database/config/postgresql \
    connection_url="postgresql://username:password@localhost:5432/mydb?sslmode=disable"
```

```bash
vault write database/roles/readonly \
    creation_statements="CREATE USER \"{{name}}\" WITH PASSWORD '{{password}}'; GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";" \
    default_ttl=3600 \
    max_ttl=7200
```

In PostgreSQL the user name is an identifier and must be double-quoted; only the password is a single-quoted string literal.

```bash
vault read database/creds/readonly
```
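What `path_creds.go` has to do when `/creds/{role}` is read, shown as an added Go example that is not this plugin's code and does not use the Vault SDK: pick a username and password, clamp the requested TTL to the role's `default_ttl`/`max_ttl`, and render the role's `creation_statements` into the SQL the client will execute. The `Role` type and the `ClampTTL`, `RenderStatements` and `IssueCreds` names are assumptions for illustration.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"strings"
	"time"
)
// Role is what path_roles.go would store (example type): SQL run at issue time plus TTL policy.
type Role struct {
	CreationStatements string
	DefaultTTL, MaxTTL time.Duration
}
// ClampTTL enforces the TTL policy: 0 means "use default_ttl"; nothing may exceed max_ttl.
func ClampTTL(requested, def, max time.Duration) time.Duration {
	if requested <= 0 {
		requested = def
	}
	if max > 0 && requested > max {
		requested = max
	}
	return requested
}
// RenderStatements fills {{name}}, {{password}}, {{expiration}} and splits on ';'.
func RenderStatements(tpl string, vars map[string]string) (out []string) {
	for k, v := range vars {
		tpl = strings.ReplaceAll(tpl, "{{"+k+"}}", v)
	}
	for _, s := range strings.Split(tpl, ";") {
		if s = strings.TrimSpace(s); s != "" {
			out = append(out, s)
		}
	}
	return out
}
// IssueCreds is the core of GET /creds/{role}: hex name and password (no quote characters, so they cannot break the template's quoting), clamped TTL, rendered SQL.
func IssueCreds(roleName string, r Role, requested time.Duration, now time.Time) (user, pass string, ttl time.Duration, sql []string) {
	buf := make([]byte, 24)
	rand.Read(buf) // crypto/rand; cannot fail on current Go releases
	user, pass = "v-"+strings.ToLower(roleName)+"-"+hex.EncodeToString(buf[:6]), hex.EncodeToString(buf[6:])
	ttl = ClampTTL(requested, r.DefaultTTL, r.MaxTTL)
	sql = RenderStatements(r.CreationStatements, map[string]string{"name": user,
		"password": pass, "expiration": now.Add(ttl).UTC().Format(time.RFC3339)})
	return
}
func main() {
	r := Role{`CREATE USER "{{name}}" WITH PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; GRANT SELECT ON ALL TABLES IN SCHEMA public TO "{{name}}";`, time.Hour, 2 * time.Hour}
	fmt.Println(IssueCreds("readonly", r, 0, time.Now()))
}
```

A real backend would additionally run the rendered statements through `client.go` and register a lease so Vault revokes the user when the TTL expires.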
- Go 1.19+
- PostgreSQL database for testing
- HashiCorp Vault (for testing)
```bash
go build -o vault-postgres-plugin
```

```bash
go test ./...
```
TODO: Add tests