A new Couchbase secrets engine is available for HashiCorp Vault.
We are excited to announce the release of the Couchbase Secrets Engine for HashiCorp Vault. The secrets engine is packaged as part of the general database secrets engine and supports root credential rotation as well as dynamic and static roles.
The Couchbase secrets engine was originally created by Francis Hitchens (GitHub, LinkedIn), who did the initial development work before collaborating with both the Couchbase and Vault engineering teams. We would like to thank Francis for the amazing contribution to the HashiCorp Vault open-source ecosystem!
HashiCorp Vault is a tool for securely accessing secrets. A secret is anything that you want to tightly control access to, such as API keys, passwords, or certificates. Vault provides a unified interface to any secret while providing tight access control and recording a detailed audit log.
Today most organizations are utilizing static secrets. These are defined ahead of time and shared between many clients. A dynamic secret is generated on demand and is unique to a client. Vault associates each dynamic secret with a lease and automatically destroys the credentials when the lease expires. By leveraging just-in-time, ephemeral credentials, organizations are able to dramatically reduce the blast radius in case of credential leakage. Vault takes over the operational burden of managing the credential lifecycle by renewing or revoking credentials as needed.
Couchbase is an open-source, distributed multi-model NoSQL document-oriented database. It exposes a scale-out, key-value store with managed cache for extremely fast data operations, as well as purpose-built indexers for efficient SQL-like queries. Enterprises adopt NoSQL databases because they store information in JSON documents instead of the columns and rows used by traditional RDBMSs. In the world of mobile and cloud applications, Couchbase (and other NoSQL DBs) provides greater agility when it comes to development, and the database can operate at a greater scale.
As we mentioned at the top of this post, the database secrets engine supports static and dynamic roles as well as root credential rotation. For both static and dynamic roles, the Couchbase secrets engine supports the setting of default password policies so the generated passwords will meet an organization's password requirements.
$ vault write database/static-roles/my-static-role \
    db_name="my-couchbase-database" \
    username="my-existing-couchbase-user" \
    rotation_period=5m

$ vault read database/creds/my-dynamic-role
Key                Value
---                -----
lease_id           database/creds/my-dynamic-role/wiLNQjtcvCOT1VnN3qnUJnBz
lease_duration     5m
lease_renewable    true
password           mhyM-Gs7IpmOPnSqXEDe
username           v-root-my-dynamic-role-eXnVr4gm55dpM1EVgTYz-1596815027
The Couchbase Secrets Engine is packaged as a Database Secrets Engine Plugin. This plugin is available with all versions of Vault. The step-by-step instructions on how to use the secrets engine are available in the Vault documentation.
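The two commands above assume a connection and role already exist. As an added example (not from the original post or HashiCorp's own code), the script below covers that setup: a password policy, the connection with an immediate root rotation, and the dynamic role. The cluster address, the dedicated bootstrap account, the policy name `couchbase`, the `ro_admin` role choice and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. VAULT=echo prints the commands as a dry run.
VAULT="${VAULT:-vault}"
# Assumed placeholders: cluster address and a dedicated bootstrap account for Vault.
CB_HOSTS="${CB_HOSTS:-couchbases://couchbase.example.internal}"
CB_ADMIN="${CB_ADMIN:-vault-bootstrap}"

write_password_policy() {
    # Password policy that every generated Couchbase password must satisfy.
    "$VAULT" write sys/policies/password/couchbase policy=- <<'EOF'
length = 24
rule "charset" {
  charset   = "abcdefghijklmnopqrstuvwxyz"
  min-chars = 1
}
rule "charset" {
  charset   = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
  min-chars = 1
}
rule "charset" {
  charset   = "0123456789"
  min-chars = 1
}
EOF
}

configure_connection() {
    # allowed_roles restricts which Vault roles may use this connection.
    "$VAULT" write database/config/my-couchbase-database \
        plugin_name="couchbase-database-plugin" \
        hosts="$CB_HOSTS" tls=true base64pem="$CB_CA_B64" \
        username="$CB_ADMIN" password="$CB_ADMIN_PASSWORD" \
        password_policy="couchbase" \
        allowed_roles="my-dynamic-role,my-static-role"
    # Rotate immediately: afterwards only Vault knows the bootstrap account's password.
    "$VAULT" write -force database/rotate-root/my-couchbase-database
}

create_dynamic_role() {
    # Issued users receive only the Couchbase roles listed in creation_statements.
    "$VAULT" write database/roles/my-dynamic-role \
        db_name="my-couchbase-database" \
        creation_statements='{"roles":[{"role":"ro_admin"}]}' \
        default_ttl="5m" max_ttl="1h"
}

# Run against a real server (after `vault secrets enable database`):
#   write_password_policy && configure_connection && create_dynamic_role
```

Because root rotation makes the configured account's password unrecoverable outside Vault, point the connection at an account created for Vault rather than the cluster's primary administrator.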