How to apply your company user naming convention on Hashicorp Vault

Our world is using more and more digital services every day. A vast majority of modern systems are relying on databases to store various kind of sensitive information, from health metrics to financial reports for example. One of the biggest challenge nowadays lies to the security of this data, and especially talking about access control, as threats may came both from inside the company and also outside.

In this article, we will see how companies can apply their user naming convention to dynamic access managed by Hashicorp Vault, allowing a better audibility of users access.

Vault is can be used with a myriad of secret engines, here's the list of them supporting the username templating feature:

Secret Engine name Vault minimal version
PostgreSQL Vault 1.7
LDAP Vault 1.7
MySQL/MariaDB Vault 1.7
MSSQL Vault 1.7
MongoDB Vault 1.7
Couchbase Vault 1.7
Cassandra Vault 1.7
RabbitMQ Vault 1.8
SnowflakeDB Vault 1.8
RedShift Vault 1.8
MongoDB Atlas Vault 1.8
InfluxDB Vault 1.8
Elasticsearch Vault 1.8

By default, the database secrets engines generate usernames using a default pattern. Here's a preview:

v-token-readonly-wGLPkpDyc6AgqBfMZTD3-1604195404

One should strongly consider managing their Vault cluster using infrastructure as code. Accordingly, the following steps will use Terraform and the Terraform Vault provider.

Considering the following configuration:

resource "vault_mount" "acme_research_database" {
  path = "acme/research"
  type = "database"
}

resource "vault_database_secret_backend_connection" "production" {
  backend = vault_mount.acme_research_database.path
  name    = "production"

  verify_connection = true
  allowed_roles     = (redacted)

  postgresql {
    connection_url       = (redacted)
    max_open_connections = (redacted)
    username             = (redacted)
    password             = (redacted)
  }
}

The following naming convention should be used at "Acme" company:

[role]-[user]-[uuid]

Using username templating functions, this result to:

{{.RoleName | replace \"_\" \"-\" }}-{{.DisplayName}}-{{uuid | truncate 6}}

Now, update the Terraform configuration to apply this convention to the Postgres backend connection:

resource "vault_mount" "acme_research_database" {
  path = "acme/research"
  type = "database"
}

resource "vault_database_secret_backend_connection" "production" {
  backend = vault_mount.acme_research_database.path
  name    = "production"

  verify_connection = true
  allowed_roles     = (redacted)

  postgresql {
    connection_url       = (redacted)
    max_open_connections = (redacted)
    username             = (redacted)
    password             = (redacted)
    username_template    = "{{.RoleName | replace \"_\" \"-\" }}-{{.DisplayName}}-{{uuid | truncate 6}}"
  }
}

Here's the result:

You have successfully applied the naming convention!

Username templating | Vault | HashiCorp Developer
Learn how to set the Vault-generated username schema to meet your organization’s username conventions using the username templating.

Lenstra helps companies leverage Computer Science to enhance their Economic Performance

Contact us for a free consultancy to explore how we can work together.

Contact us