Use dynamic secrets and rotate database credentials
vlamy commented
Context
The credentials that a service uses to access a database are a key point of application security. To harden against attacks on the database, a good practice is to use dynamic credentials for services to access databases.
We want to implement automatic credential rotation over a short period (let's say daily rotation of credentials) in Voogle.
Using HashiCorp Vault database secret engine
The HashiCorp Vault solution, available as an integrated service on the Squarescale platform, will be used to implement dynamic credentials. In particular, the solution will rely on the database secret engine of Vault.
Tasks
- Set up Vault policies and database secret engine on Squarescale environment (with Squarescale team)
- Implement credentials retrieval, via Vault, for database connection/reconnection
Demo
- Set up a demo of Voogle dynamic credential usage, based on Observability, logs and rotating the secrets
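A sketch of the credential retrieval task for connection/reconnection, added here as an example and not taken from the issue or from Voogle's code: it parses the JSON that Vault's database secret engine returns from `GET /v1/database/creds/<role>`, caches the leased credential, and re-fetches before the lease ends or after a rejected login. Assumptions: the role name, sample values, the `fetch` callable (which would perform the Vault request), the 2/3 refresh point and the PostgreSQL-style DSN are all hypothetical.

```python
import json
import time
from dataclasses import dataclass, field
from urllib.parse import quote

# Constructed sample of the JSON Vault returns for GET /v1/database/creds/<role>;
# the role name, lease id, username and password are made up.
SAMPLE = json.dumps({
    "lease_id": "database/creds/voogle-app/EXAMPLE",
    "renewable": True,
    "lease_duration": 86400,  # daily rotation, as the issue proposes
    "data": {"username": "v-voogle-EXAMPLE", "password": "p@ss/w:rd"},
})

@dataclass(frozen=True)
class DbCredential:
    username: str
    password: str = field(repr=False)  # keep the secret out of logs and tracebacks
    lease_id: str = ""
    expires_at: float = 0.0
    refresh_at: float = 0.0

    def dsn(self, host, dbname):
        # Percent-encode both parts: generated passwords may contain '@', ':' or '/'.
        user, pwd = quote(self.username, safe=""), quote(self.password, safe="")
        return f"postgresql://{user}:{pwd}@{host}/{dbname}"

def parse_creds(raw, now, refresh_fraction=2 / 3):
    doc = json.loads(raw)
    ttl, data = doc.get("lease_duration", 0), doc.get("data") or {}
    if ttl <= 0 or not data.get("username") or not data.get("password"):
        raise ValueError("response carries no usable leased credential")
    return DbCredential(data["username"], data["password"], doc.get("lease_id", ""),
                        now + ttl, now + ttl * refresh_fraction)

class CredentialProvider:
    """Caches one leased credential and re-fetches before the lease runs out."""
    def __init__(self, fetch, clock=time.time):
        self._fetch, self._clock, self._cred = fetch, clock, None  # fetch() -> raw JSON

    def get(self):
        now = self._clock()
        if self._cred is None or now >= self._cred.refresh_at:
            self._cred = parse_creds(self._fetch(), now)
        return self._cred

    def invalidate(self):
        # Call when the database rejects a login (lease revoked early), then get() again.
        self._cred = None
```

The connection code would call `get()` on every connect or reconnect and `invalidate()` when authentication fails, so a revoked lease leads to a fresh credential instead of a retry loop with the old one.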