Using Vault to generate short lifetime postgresql creds for Django

night-crawler/vaultpost
Inspired by https://github.com/jdelic/django-postgresql-setrole

hashicorp/vault#1857 (comment)

```python
import hvac
from os.path import join

# Mount path of the postgresql secrets backend; matches DATABASES['default']['VAULT']['MOUNT']
PG_MOUNT = 'force.fm/postgresql'
# Assumed client construction (not on the original page): address and token as in the Django settings
client = hvac.Client(url='https://trash.force.fm:18400', token='')

# Tell Vault how to reach PostgreSQL; the 'vault' user is the one Vault creates roles with
client.write(
    join(PG_MOUNT, 'config/connection'),
    lease='10s', lease_max='10s',
    connection_url='postgresql://'
                   'vault:azaza'
                   '@trash.force.fm:5432/postgres'
)
# Role template: {{name}}, {{password}} and {{expiration}} are filled in by Vault
# for every credential request; the dynamic role inherits from the shared force_fm role
client.write(
    join(PG_MOUNT, 'roles', 'db-full-access'),
    sql="""
    CREATE ROLE "{{name}}"
        WITH LOGIN ENCRYPTED PASSWORD '{{password}}'
        VALID UNTIL '{{expiration}}'
        IN ROLE "force_fm" INHERIT NOCREATEROLE NOCREATEDB NOSUPERUSER NOREPLICATION NOBYPASSRLS;
    """,
    revocation_sql="""
    DROP ROLE "{{name}}";
    """
)
```
```python
import os

# Assumed location of the TLS material (not given on the original page)
CERTS_DIR = os.path.join(os.path.dirname(os.path.abspath(__file__)), 'certs')

DATABASES = {
    'default': {
        'NAME': 'force_fm',
        'ENGINE': 'pgvault',        # this project's engine: fetches creds from Vault before connecting
        'HOST': 'trash.force.fm',
        'USER': 'force_fm',         # SET ROLE USER: role switched to after login with the dynamic creds
        'PORT': '',
        'CONN_MAX_AGE': 6000,
        'VAULT': {
            'URL': 'https://trash.force.fm:18400',
            'TOKEN': '',
            'MOUNT': 'force.fm/postgresql',   # same mount as PG_MOUNT above
            'ROLE': 'db-full-access',         # role configured above
            'CERTS': (                        # client certificate for mutual TLS to Vault
                os.path.join(CERTS_DIR, 'client1__bundle.crt'),
                os.path.join(CERTS_DIR, 'client1.key'),
            ),
            'VERIFY': os.path.join(CERTS_DIR, 'force.fm__root_ca.crt'),
        }
    }
}
```
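The lease handling an engine like `pgvault` has to do between these two settings blocks, as an added example that is not the project's code: the Vault response is a constructed sample, `read_creds`, `ManualClock` and the `hvac_client` wiring in the docstring are assumptions for this illustration.

```python
import time
from urllib.parse import quote
from typing import Callable, Dict

# Constructed sample of a Vault `<mount>/creds/<role>` response; field names follow
# Vault's lease response shape, the values are made up for this example.
SAMPLE_VAULT_RESPONSE = {
    "lease_id": "force.fm/postgresql/creds/db-full-access/EXAMPLE-LEASE-ID",
    "lease_duration": 10,
    "renewable": True,
    "data": {"username": "token-db-full-access-EXAMPLE", "password": "EXAMPLE-PASSWORD"},
}

class ManualClock:
    def __init__(self, start: float = 0.0):
        self.now = start            # settable so lease expiry can be exercised without sleeping
    def __call__(self) -> float:
        return self.now

class VaultPgCredentials:
    """Caches one dynamic credential and re-reads it shortly before the lease ends.
    `read_creds` is any callable returning the Vault response dict, e.g. (hypothetical
    wiring) `lambda: hvac_client.read(mount + '/creds/' + role)`."""
    def __init__(self, read_creds: Callable[[], Dict], set_role: str,
                 margin: float = 2.0, clock: Callable[[], float] = time.monotonic):
        self._read_creds, self._set_role = read_creds, set_role
        self._margin, self._clock = margin, clock
        self._creds: Dict[str, str] = {}
        self._expires_at = float("-inf")
        self.fetches = 0

    def current(self) -> Dict[str, str]:
        now = self._clock()
        if now >= self._expires_at - self._margin:
            resp = self._read_creds()
            self._creds = dict(resp["data"])
            # VALID UNTIL is only checked at login: track the lease here so a credential
            # Vault is about to revoke is never handed to a new connection.
            self._expires_at = now + float(resp["lease_duration"])
            self.fetches += 1
        return self._creds

    def dsn(self, host: str, dbname: str, port: int = 5432) -> str:
        c = self.current()
        return f"postgresql://{quote(c['username'])}:{quote(c['password'])}@{host}:{port}/{dbname}"

    def session_setup_sql(self) -> str:
        # The dynamic role was created IN ROLE force_fm; switching to that role makes new
        # objects owned by the shared role, so Vault's revocation DROP ROLE is not blocked.
        return f'SET ROLE "{self._set_role}"'
```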
