Database Dynamic Secrets

You can create dynamic secrets for a wide range of databases, including:

  • MySQL

  • MSSQL

  • PostgreSQL

  • Mongo DB

  • Oracle DB

  • Cassandra

  • Redshift

  • SAP Hana DB

  • Vertica

With dynamic secret, you can control and manage which databases, tables, schema, and what set of permission to issue for each type of application access, as well as completely manage the lifecycle of those temporary credentials which are created just in time based on short-lived TTL with flexible revocation statements.

When a client requests a dynamic secret value, the Akeyless Vault Platform connects to the database through the Gateway within your internal network and generates a temporary set of restricted access credentials.

Create a Dynamic Database Secret from the CLI

πŸ‘

Tip

We recommend using dynamic secrets with Targets. It allows saving time on the secrets' configuration for different types of access levels. Where you are not required to provide an inline connection string each time.

To create a dynamic database secret from the CLI using an existing Target, run the following command:

akeyless gateway-create-producer-mysql \
--name <New Secret Name> \
--target-name <Target Name> \
--gateway-url 'https://<Your-Akeyless-GW-URL:8000>' \
--mysql-statements "CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}' PASSWORD EXPIRE INTERVAL 30 DAY;GRANT SELECT ON *.* TO '{{name}}'@'%';"
akeyless gateway-create-producer-postgresql \
--name <New Secret Name> \
--target-name <Target Name> \
--gateway-url 'https:\\<Your-Akeyless-GW-URL:8000>' \
--postgresql-statements 'CREATE USER "{{name}}" WITH PASSWORD "{{password}}"; GRANT SELECT ON ALL TABLES IN SCHEMA public TO "{{name}}"; GRANT CONNECT ON DATABASE postgres TO "{{name}}"; GRANT USAGE ON SCHEMA public TO "{{name}}";' \
--postgresql-revoke-statement 'REASSIGN OWNED BY "{{name}}" TO {{userHost}}; DROP OWNED BY "{{name}}"; SELECT pg_terminate_backend(pid) FROM pg_stat_activity WHERE usename = "{{name}}"; DROP USER "{{name}}";'
akeyless gateway-create-producer-redshift \
--name <New Secret Name> \
--target-name <Target Name> \
--gateway-url 'https:\\<Your-Akeyless-GW-URL:8000>' \
--redshift-statements "CREATE USER '{{username}}' WITH PASSWORD '{{password}}'; GRANT SELECT ON ALL TABLES IN SCHEMA public TO '{{username}}';"
--ssl "<fales|true>"
akeyless gateway-create-producer-mssql \
--name <New Secret Name> \
--target-name <Target Name> \
--gateway-url 'https:\\<Your-Akeyless-GW-URL:8000>' \
--mssql-creation-statements "CREATE LOGIN {{name}} WITH PASSWORD = '{{password}}';"
--mssql-revocation-statements "DROP LOGIN '{{name}}';"
akeyless gateway-create-producer-mongo \
--name <New Secret Name> \
--target-name <Target Name> \
--gateway-url 'https:\\<Your-Akeyless-GW-URL:8000>' \
--mongodb-roles <New User Role>
akeyless gateway-create-producer-mongo \
--name <New Secret Name> \
--target-name <Target Name> \
--gateway-url 'https:\\<Your-Akeyless-GW-URL:8000>' \
--mongodb-roles <New User Role>
akeyless gateway-create-producer-oracle \
--name <New Secret Name> \
--target-name <Target Name> \
--gateway-url 'https:\\<Your-Akeyless-GW-URL:8000>' \
--oracle-statements 'CREATE USER {{username}} IDENTIFIED BY "{{password}}"; GRANT CONNECT TO {{username}}; GRANT CREATE SESSION TO {{username}};'
akeyless gateway-create-producer-cassandra  \
--name <New Secret Name> \
--target-name <Target Name> \
--gateway-url 'https:\\<Your-Akeyless-GW-URL:8000>' \
--cassandra-statements "CREATE ROLE '{{username}}' WITH PASSWORD = '{{password}}' AND LOGIN = true; GRANT SELECT ON ALL KEYSPACES TO '{{username}}';"
akeyless gateway-create-producer-hanadb \
--name <New Secret Name> \
--target-name <Target Name> \
--gateway-url 'https:\\<Your-Akeyless-GW-URL:8000>' \
--hanadb-creation-statements "CREATE USER {{name}} PASSWORD '{{password}}';GRANT 'MONITOR ADMIN' TO {{name}};" \
--hanadb-revocation-statements "DROP USER {{name}};"
#Vertica uses similar structures to PostgreSQL and so uses the same command in Akeyless with select changes

akeyless gateway-create-producer-postgresql \
--name <New Secret Name> \
--target-name <Target Name> \
--gateway-url 'https:\\<Your-Akeyless-GW-URL:8000>' \
--postgresql-statements 'CREATE USER "{{name}}" WITH PASSWORD "{{password}}"; GRANT SELECT ON ALL TABLES IN SCHEMA public TO "{{name}}"; GRANT USAGE ON SCHEMA public TO "{{name}}";' \
--postgresql-revoke-statement 'DROP USER "{{name}}";'

Or using an inline connection string:

akeyless gateway-create-producer-mysql \
--name <New Secret Name> \
--gateway-url 'https://<Your-Akeyless-GW-URL:8000>' \
--mysql-statements "CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}' PASSWORD EXPIRE INTERVAL 30 DAY;GRANT SELECT ON *.* TO '{{name}}'@'%';" \
--mysql-dbname <MySQL DB Name > \
--mysql-host <MySQL host> \
--mysql-port <MySQL port> \
--mysql-username <MySQL admin username> \
--mysql-password <MySQL admin password>
akeyless gateway-create-producer-postgresql \
--name <New Secret Name> \
--gateway-url 'https:\\<Your-Akeyless-GW-URL:8000>' \
--postgresql-db-name <PostgreSQL DB name> \
--postgresql-username <PostgreSQL DB admin username> \
--postgresql-password <PostgreSQL DBadmin password> \
--postgresql-host <PostgreSQL DB host> \
--postgresql-port <PostgreSQL DB port> \
--postgresql-statements 'CREATE USER "{{name}}" WITH PASSWORD "{{password}}"; GRANT SELECT ON ALL TABLES IN SCHEMA public TO "{{name}}"; GRANT CONNECT ON DATABASE postgres TO "{{name}}"; GRANT USAGE ON SCHEMA public TO "{{name}}";' \
--postgresql-revoke-statement 'REASSIGN OWNED BY "{{name}}" TO {{userHost}}; DROP OWNED BY "{{name}}"; SELECT pg_terminate_backend(pid) FROM pg_stat_activity WHERE usename = "{{name}}"; DROP USER "{{name}}";'
akeyless gateway-create-producer-redshift \
--name <New Secret Name> \
--gateway-url 'https:\\<Your-Akeyless-GW-URL:8000>' \
--redshift-db-name <Redshift DB name> \
--redshift-username <Redshift DB admin username> \
--redshift-password <Redshift DB admin password> \
--redshift-host <Redshift DB host> \
--redshift-port <Redshift DB port> \
--redshift-statements "CREATE USER '{{username}}' WITH PASSWORD '{{password}}'; GRANT SELECT ON ALL TABLES IN SCHEMA public TO '{{username}}';"
akeyless gateway-create-producer-mssql \
--name <New Secret Name> \
--gateway-url 'https:\\<Your-Akeyless-GW-URL:8000>' \
--mssql-creation-statements "CREATE LOGIN {{name}} WITH PASSWORD = '{{password}}';" \
--mssql-revocation-statements "DROP LOGIN '{{name}}';" \
--mssql-dbname <MSSQL Server DB Name> \
--mssql-username <MSSQL Server admin user> \
--mssql-password <MSSQL Server admin password> \
--mssql-host <MSSQL Server host name> \
--mssql-port <MSSQL Server port>
akeyless gateway-create-producer-mongo \
--name <New Secret Name> \
--gateway-url 'https:\\<Your-Akeyless-GW-URL:8000>' \
--mongodb-roles <New User Role> \
--mongodb-name <MongoDB name> \
--mongodb-username <MongoDB server admin username> \
--mongodb-password <MongoDB server admin password> \
--mongodb-host-port <host:port>
akeyless gateway-create-producer-mongo \
--name <New Secret Name> \
--gateway-url 'https:\\<Your-Akeyless-GW-URL:8000>' \
--mongodb-roles <New User Role> \
--mongodb-name <MongoDB name> \
--mongodb-atlas-project-id <MongoDB Atlas project ID> \
--mongodb-atlas-api-public-key <MongoDB Atlas API public key> \
--mongodb-atlas-api-private-key <MongoDB Atlas API private key>
akeyless gateway-create-producer-oracle \
--name <New Secret Name> \
--gateway-url 'https:\\<Your-Akeyless-GW-URL:8000>' \
--oracle-service-name <Your Oracle DB Service name > \
--oracle-username <Oracle DB admin username> \
--oracle-password <Oracle DB admin password> \
--oracle-host <Your Oracle DB host> \
--oracle-port <Oracle DB port> \
--oracle-statements 'CREATE USER {{username}} IDENTIFIED BY "{{password}}"; GRANT CONNECT TO {{username}}; GRANT CREATE SESSION TO {{username}};'
akeyless gateway-create-producer-cassandra  \
--name <path to your secret> \
--gateway-url 'https:\\<Your-Akeyless-GW-URL:8000>' \
--cassandra-hosts <Cassandra host> \
--cassandra-port <Cassandra port> \
--cassandra-username <Cassandra username> \
--cassandra-password <password> \
--cassandra-statements "CREATE ROLE '{{username}}' WITH PASSWORD = '{{password}}' AND LOGIN = true; GRANT SELECT ON ALL KEYSPACES TO '{{username}}';"
akeyless gateway-create-producer-hanadb \
--name <New Secret Name> \
--gateway-url 'https:\\<Your-Akeyless-GW-URL:8000>' \
--hana-dbname <HanaDB name> \
--hanadb-username <HanaDB admin username> \
--hanadb-password <HanaDB admin password> \
--hanadbt-host <HanaDB host> \
--hanadb-port <HanaDB port> \
--hanadb-creation-statements "CREATE USER {{name}} PASSWORD '{{password}}';GRANT 'MONITOR ADMIN' TO {{name}};" \
--hanadb-revocation-statements "DROP USER {{name}};"
#Vertica uses similar structures to PostgreSQL and so uses the same command in Akeyless with select changes

akeyless gateway-create-producer-postgresql \
--name <New Secret Name> \
--gateway-url 'https:\\<Your-Akeyless-GW-URL:8000>' \
--postgresql-db-name <Vertica DB name> \
--postgresql-username <Vertica DB admin username> \
--postgresql-password <Vertica DBadmin password> \
--postgresql-host <Vertica DB host> \
--postgresql-port <Vertica DB port> \
--postgresql-statements 'CREATE USER "{{name}}" WITH PASSWORD "{{password}}"; GRANT SELECT ON ALL TABLES IN SCHEMA public TO "{{name}}"; GRANT USAGE ON SCHEMA public TO "{{name}}";' \
--postgresql-revoke-statement 'DROP USER "{{name}}";'

Where:

  • name: A unique name of the dynamic secret. The name can include the path to the virtual folder where you want to create the new dynamic secret, using slash / separators. If the folder does not exist, it will be created together with the dynamic secret.

  • target-name: Full path of the Target item that stores the connection settings to your database server.

  • gateway-url: Akeyless Gateway URL.

Depending on each database, set the relevant creation and revocation statements to control and manage the level of access and roles of your temporary credentials.

For example, the PostgreSQL database provides a creation statement that controls the capabilities (create, read, update, or delete) and access levels for the databases and tables.

For RDS and cloud-managed databases, please add the following to the creation statement GRANT β€œ{{name}}” TO postgres;.

Where postgres stand for the postgresql-username variable.

πŸ“˜

MySQL 8 Dynamic Secrets

For MySQL 8, modify the default CREATE USER statement to allow native MySQL password authentication.

For example:

CREATE USER '{{name}}'@'%' IDENTIFIED WITH mysql_native_password BY '{{password}}' PASSWORD EXPIRE INTERVAL 30 DAY;GRANT SELECT ON *.* TO '{{name}}'@'%';

Inline connection strings

If you don't have a configured Database Target, you can use the command with your database target server connection string inline:

Depending on your database type, provide a privileged username that has enough permission to create and revoke users on your database with the relevant connection settings. And set the relevant creation and revocation statements to control and manage the level of access and roles of your temporary credentials.

You can find the complete list of parameters for these commands in the CLI Reference - Akeyless Producers section.

Fetch a Dynamic Database Secret value from the CLI

To fetch a dynamic database secret value from the CLI, run the following command:

akeyless get-dynamic-secret-value --name <Path to your dynamic secret>

Create a Dynamic Database Secret in the Akeyless Console

  1. Log in to the Akeyless Console, and go to Secrets & Keys > New > Dynamic Secret.

  2. Select the required database type and click Next.

  3. Define a Name of the dynamic secret, and specify the Location as a path to the virtual folder where you want to create the new dynamic secret, using slash / separators. If the folder does not exist, it will be created together with the dynamic secret.

  4. Define the remaining parameters as follows:

  • Delete Protection: When enabled, protects the secret from accidental deletion.

  • Target mode: In this section, you can either select an existing Database Target or specify details of the DB Server explicitly.

  • User TTL: Provide a time-to-live value for a dynamic secret. When TTL expires, temporary users and roles will be removed.

  • Time Unit: Select the time unit (seconds, minutes, hours) for the TTL value.

  • Gateway: Select the Gateway through which the dynamic secret will create users.

  • Protection key: To enable Zero-Knowledge, select a key with a Customer Fragment. For more information about Zero-Knowledge, see Implement Zero Knowledge

If you selected the Explicitly specify target properties mode, click Next.

Depending on your database type, provide a privileged username that has enough permission to create users on your database with the relevant connection settings.

And set the relevant create\revoke statements to control and manage the level of access\role of your temporary credentials.

  1. Click Finish.

Fetch a Dynamic Database Secret Value from the Akeyless Console

  1. Log in to the Akeyless Console, and go to Secrets & Keys.

  2. Browse to the folder where you created a dynamic secret.

  3. Select the secret and click Get Dynamic Secret button.