
Database Dynamic Secrets

You can define dynamic secrets for a wide range of databases, including:

With dynamic secrets, the Akeyless Vault Platform is responsible for creating and managing the lifecycle of the secret. When a client requests the dynamic secret value, the Akeyless Gateway connects to the database and generates a temporary set of restricted access credentials.

When you define the dynamic secret, you can specify the tables and databases clients can access, as well as the lifecycle of the credentials.

Create a Dynamic Database Secret from the CLI

Let’s create a dynamic database secret using the Akeyless CLI. If you’d prefer, see how to do this from the Akeyless Gateway instead.

The CLI command to create a dynamic database secret is:

# PostgreSQL: the creation statement is a template; {{name}} and {{password}} are filled in per request
akeyless gateway-create-producer-postgresql --gateway-url 'https://<Your Akeyless GW URL>' --name <path to your secret> --postgresql-host <your PostgreSQL server IP> --postgresql-db-name <Your DB name> --postgresql-password <Your user password> --postgresql-port 5432 --postgresql-username <your PostgreSQL username> --postgresql-statements "CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}'; GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";"
# MongoDB: mongodb-server-uri must be in URI format
akeyless gateway-create-producer-mongo --gateway-url 'https://<Your Akeyless GW URL>' --name <path to your secret> --mongodb-server-uri 'mongodb://<username>:<password>@<host>:27017/<yourDB>' --mongodb-name <Your Mongo DB Name>
# MySQL
akeyless gateway-create-producer-mysql --gateway-url 'https://<Your Akeyless GW URL>' --name <path to your secret> --mysql-dbname <Your MySQL DB Name> --mysql-username <UserName> --mysql-password '<Password>' --mysql-host <Your MySQL host>
# Oracle: the inner double quotes around {{password}} must be escaped inside the statement string
akeyless gateway-create-producer-oracle --gateway-url 'https://<Your Akeyless GW URL>' --name <path to your secret> --oracle-service-name <Your Oracle DB Service name> --oracle-username <UserName> --oracle-password '<Password>' --oracle-host <Your Oracle DB host> --oracle-port <default 1521> --oracle-statements "CREATE USER {{username}} IDENTIFIED BY \"{{password}}\"; GRANT CONNECT TO {{username}}; GRANT CREATE SESSION TO {{username}};"
# Cassandra: quote the statements so the shell passes them as a single argument
akeyless gateway-create-producer-cassandra --gateway-url 'https://<Your Akeyless GW URL>' --name <path to your secret> --cassandra-hosts <Cassandra hostname/IP> --cassandra-username <cassandra username> --cassandra-password <password> --cassandra-statements "CREATE USER '{{username}}' WITH PASSWORD '{{password}}' NOSUPERUSER; GRANT SELECT ON ALL KEYSPACES TO '{{username}}';"
# Redshift: the port defaults to 5439 if omitted
akeyless gateway-create-producer-redshift --gateway-url 'https://<Your Akeyless GW URL>' --name <path to your secret> --redshift-db-name <Redshift db name> --redshift-username <Redshift Username> --redshift-password <Redshift Password> --redshift-host <Redshift server IP/Hostname> --redshift-port 5439 --redshift-statements "CREATE USER \"{{username}}\" WITH PASSWORD '{{password}}'; GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{username}}\";"

PostgreSQL Dynamic Secrets

The dynamic secret for a PostgreSQL database includes a creation statement that controls the capabilities (create, read, update, or delete) and access level for the databases and tables.

For RDS and other cloud-managed databases, add the following to the creation statement: GRANT "{{name}}" TO postgres;

where postgres is the user you passed as --postgresql-username.

MySQL 8 Dynamic Secrets

For MySQL 8, modify the default CREATE USER statement to allow native MySQL password authentication. For example:
CREATE USER '{{name}}'@'%' IDENTIFIED WITH mysql_native_password BY '{{password}}' PASSWORD EXPIRE INTERVAL 30 DAY; GRANT SELECT ON *.* TO '{{name}}'@'%';
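The creation statements above are templates that the gateway fills in with a fresh user name and password on every request. The following is an added Python example, not Akeyless code: it mimics that {{name}}/{{username}}/{{password}} substitution with generated credentials and lints a template for over-broad grants and for the GRANT ... TO <postgresql-username> line the RDS note calls for. The lint rules, the deny-list and the "akl" prefix are this example's own assumptions.

```python
import re
import secrets

# Placeholders the page's templates use: {{name}} / {{username}} and {{password}}.
PLACEHOLDER = re.compile(r"\{\{(\w+)\}\}")
# Constructed deny-list: privileges a short-lived read-only role should never carry.
OVERBROAD = re.compile(r"\b(SUPERUSER|ALL PRIVILEGES|WITH ADMIN OPTION|WITH GRANT OPTION)\b", re.I)
# Hypothetical check for the RDS note: the role must also be granted to the producer's own user.
RDS_GRANT = re.compile(r'GRANT\s+"?\{\{(name|username)\}\}"?\s+TO\s+\w+', re.I)


def generate_credentials(prefix="akl"):
    """Random user name and password, standing in for the temporary pair the gateway issues."""
    return f"{prefix}_{secrets.token_hex(6)}", secrets.token_urlsafe(24)


def render(template, name, password):
    """Substitute the placeholders; an unknown placeholder raises instead of reaching the database."""
    values = {"name": name, "username": name, "password": password}

    def sub(match):
        key = match.group(1)
        if key not in values:
            raise ValueError(f"unknown placeholder {{{{{key}}}}}")
        return values[key]

    return PLACEHOLDER.sub(sub, template)


def check_statement(template, managed=False):
    """Return findings for a creation-statement template (an empty list means it looks fine)."""
    findings = []
    keys = set(PLACEHOLDER.findall(template))
    if "password" not in keys:
        findings.append("template never uses {{password}}; the role would not get the issued password")
    if not keys & {"name", "username"}:
        findings.append("template never uses {{name}}/{{username}}; credentials would not be per-request")
    if OVERBROAD.search(template):
        findings.append("template grants more than a read-only role needs")
    if managed and not RDS_GRANT.search(template):
        findings.append('managed database: add GRANT "{{name}}" TO <postgresql-username>;')
    return findings


if __name__ == "__main__":
    # Constructed sample: the PostgreSQL statement from the page, then its RDS-ready variant.
    pg = ('CREATE ROLE "{{name}}" WITH LOGIN PASSWORD \'{{password}}\'; '
          'GRANT SELECT ON ALL TABLES IN SCHEMA public TO "{{name}}";')
    print(check_statement(pg, managed=True))   # one finding: the GRANT ... TO postgres line is missing
    user, pw = generate_credentials()
    print(render(pg + ' GRANT "{{name}}" TO postgres;', user, pw))
```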

Options:

gateway-create-producer-postgresql

  -u, --gateway-url[=http://localhost:8000]   Gateway url
  -n, --name                                 *Producer name
      --postgresql-db-name                   *PostgreSQL DB name
      --postgresql-username                   PostgreSQL user
      --postgresql-password                   PostgreSQL password
      --postgresql-host[=127.0.0.1]           PostgreSQL host name
      --postgresql-port[=3306]                PostgreSQL port
      --postgresql-statements                 PostgreSQL Creation Statements
      --enc-key-name                          Encrypt producer with following key
      --user-ttl[=60m]                        User TTL
      --profile                               Use a specific profile from your akeyless/profiles/ folder
      --username                              Required only when the authentication process requires a username and password
      --password                              Required only when the authentication process requires a username and password
      --uid-token                             The universal identity token, Required only for universal_identity authentication
  -h, --help                                  display help information
      --json[=false]                          Set output format to JSON
      --no-creds-cleanup[=false]              Do not clean local temporary expired creds

gateway-create-producer-mongo

  -u, --gateway-url[=http://localhost:8000]   API Gateway URL (Configuration Management port)
  -n, --name                                 *Producer name
      --mongodb-server-uri                   *MongoDB server URI connection
      --mongodb-name                         *MongoDB name
      --mongodb-roles[=[]]                    MongoDB roles
      --producer-encryption-key-name          Encrypt producer with following key
      --user-ttl[=60m]                        User TTL
      --profile                               Use a specific profile from your akeyless/profiles/ folder
      --username                              Required only when the authentication process requires a username and password
      --password                              Required only when the authentication process requires a username and password
      --uid-token                             The universal identity token, Required only for universal_identity authentication
  -h, --help                                  display help information
      --json[=false]                          Set output format to JSON
      --no-creds-cleanup[=false]              Do not clean local temporary expired creds

gateway-create-producer-mysql

  -u, --gateway-url[=http://localhost:8000]   API Gateway URL (Configuration Management port)
  -n, --name                                 *Producer name
      --mysql-dbname                         *MySQL DB name
      --mysql-username                        MySQL user
      --mysql-password                        MySQL password
      --mysql-host[=127.0.0.1]                MySQL host name
      --mysql-port[=3306]                     MySQL port
      --mysql-statements                      MySQL Creation Statements
      --producer-encryption-key-name          Encrypt producer with following key
      --user-ttl[=60m]                        User TTL
      --db-server-certificates                the set of root certificate authorities in base64 encoding that clients use when verifying server certificates
      --db-server-name                        Server name is used to verify the hostname on the returned certificates unless InsecureSkipVerify is given. It is also included in the client handshake to support virtual hosting unless it is an IP address
      --profile                               Use a specific profile from your akeyless/profiles/ folder
      --username                              Required only when the authentication process requires a username and password
      --password                              Required only when the authentication process requires a username and password
      --uid-token                             The universal identity token, Required only for universal_identity authentication
  -h, --help                                  display help information
      --json[=false]                          Set output format to JSON
      --no-creds-cleanup[=false]              Do not clean local temporary expired creds

gateway-create-producer-oracle

  -n, --name                                 *Producer name
  -d, --oracle-service-name                  *Oracle service name
  -u, --gateway-url[=http://localhost:8000]   API Gateway URL (Configuration Management port)
      --oracle-username                      *Oracle user
      --oracle-password                      *Oracle password
      --oracle-host[=127.0.0.1]               Oracle host name
      --oracle-port[=1521]                    Oracle port
      --oracle-statements                     Oracle Creation Statements
      --producer-encryption-key-name          Encrypt producer with following key
      --user-ttl[=60m]                        User TTL
      --db-server-certificates                the set of root certificate authorities in base64 encoding that clients use when verifying server certificates
      --db-server-name                        Server name is used to verify the hostname on the returned certificates unless InsecureSkipVerify is given. It is also included in the client handshake to support virtual hosting unless it is an IP address
      --profile                               Use a specific profile from your akeyless/profiles/ folder
      --username                              Optional username for various authentication flows
      --password                              Optional password for various authentication flows
      --uid-token                             The universal identity token, Required only for universal_identity authentication
  -h, --help                                  display help information
      --json[=false]                          Set output format to JSON
      --no-creds-cleanup[=false]              Do not clean local temporary expired creds

gateway-create-producer-cassandra

  -n, --name                                 *Producer name
      --target-name                           Target name
      --cassandra-hosts                       Cassandra hosts names or IP addresses, comma separated
      --cassandra-username                    Cassandra superuser user name
      --cassandra-password                    Cassandra superuser password
      --cassandra-port[=9042]                 Cassandra port
  -u, --gateway-url[=http://localhost:8000]   API Gateway URL (Configuration Management port)
      --cassandra-statements                  Cassandra Creation Statements
      --user-ttl[=60m]                        User TTL (<=60m for access token)
      --producer-encryption-key-name          Dynamic producer encryption key
      --profile                               Use a specific profile from your akeyless/profiles/ folder
      --username                              Optional username for various authentication flows
      --password                              Optional password for various authentication flows
      --uid-token                             The universal identity token, Required only for universal_identity authentication
  -h, --help                                  display help information
      --json[=false]                          Set output format to JSON
      --no-creds-cleanup[=false]              Do not clean local temporary expired creds

gateway-create-producer-redshift

  -n, --name                                 *Producer name
      --target-name                           Name of existing target to use in producer creation
      --redshift-db-name                      Redshift DB name
  -u, --gateway-url[=http://localhost:8000]   Gateway url
      --redshift-username                     Redshift user
      --redshift-password                     Redshift password
      --redshift-host[=127.0.0.1]             Redshift host name
      --redshift-port[=5439]                  Redshift port
      --redshift-statements                   Redshift Creation Statements
      --enc-key-name                          Encrypt producer with following key
      --user-ttl[=60m]                        User TTL
      --profile                               Use a specific profile from your akeyless/profiles/ folder
      --username                              Optional username for various authentication flows
      --password                              Optional password for various authentication flows
      --uid-token                             The universal identity token, Required only for universal_identity authentication
  -h, --help                                  display help information
      --json[=false]                          Set output format to JSON
      --no-creds-cleanup[=false]              Do not clean local temporary expired creds

Fetch a Dynamic Database Secret Value from the CLI

The CLI command to fetch a dynamic database secret is:

akeyless get-dynamic-secret-value --name <Path to your dynamic secret>

Create a Dynamic Database Secret from the Akeyless Gateway

  1. Log in to the Akeyless Gateway, and go to Dynamic Secrets > New > DB Producer.

  2. Select the required DB Engine and complete the relevant details.

  3. Select Save.

Fetch a Dynamic Database Secret Value from the Akeyless Console

  1. Log in to the Akeyless Console, and go to Secrets & Keys.

  2. Browse to the folder in which you created the dynamic secret, then select the secret and select Get Dynamic Secret.
