Skip to content

Instantly share code, notes, and snippets.

@dghadge
Created May 22, 2017 20:40
Show Gist options
  • Save dghadge/e18ca50a158adfe346343b78505f2dad to your computer and use it in GitHub Desktop.
Save dghadge/e18ca50a158adfe346343b78505f2dad to your computer and use it in GitHub Desktop.
Obfuscating MySQL passwords with Hashicorp Vault - DB Setup
$ vault mount database
$ vault write database/config/mysql plugin_name=mysql-database-plugin \
connection_url="vaultadmin:vaultpass@tcp(127.0.0.1:3306)/"
$ vault write database/roles/readonly sql="CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}'; GRANT SELECT ON *.* TO '{{name}}'@'%';"
$ vault policy-write mysql-readonly mysql-policy.conf
--------Start : mysql-policy.conf --------------------
path "sys/*" {
policy = "deny"
}
path "database/config/mysql" {
policy = "deny"
}
path "database/roles/readonly" {
policy = "read"
capabilities = ["read"]
}
--------End : mysql-policy.conf --------------------
$ vault read mysql/roles/readonly
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment