A new Couchbase secrets engine is available for HashiCorp Vault.
We are excited to announce the release of the Couchbase Secrets Engine for HashiCorp Vault. The secrets engine is packaged as part of the general database secrets engine and supports root credential rotation as well as dynamic and static roles.
The Couchbase secrets engine was originally created by Francis Hitchens (GitHub, LinkedIn), who did the initial development work before collaborating with both the Couchbase and Vault engineering teams. We would like to thank Francis for the amazing contribution to the HashiCorp Vault open-source ecosystem!
HashiCorp Vault is a tool for securely accessing secrets. A secret is anything that you want to tightly control access to, such as API keys, passwords, or certificates. Vault provides a unified interface to any secret while providing tight access control and recording a detailed audit log.
Today most organizations are utilizing static secrets. These are defined ahead of time and shared between many clients. A dynamic secret is generated on demand and is unique to a client. Vault associates each dynamic secret with a lease and automatically destroys the credentials when the lease expires. By leveraging just-in-time ephemeral credentials, organizations are able to dramatically reduce the blast radius in case of credential leakage. Vault takes over the operational burden of managing the credential lifecycle by renewing or revoking credentials as needed.
Couchbase is an open-source, distributed multi-model NoSQL document-oriented database. It exposes a scale-out, key-value store with managed cache for extremely fast data operations, as well as purpose-built indexers for efficient SQL-like queries. Enterprises adopt NoSQL databases because they store information in JSON documents instead of the columns and rows used by traditional RDBMSs. In the world of mobile and cloud applications, Couchbase (and other NoSQL DBs) provides greater agility during development, and the database can operate at greater scale.
As we mentioned at the top of this post, the database secrets engine supports static and dynamic roles as well as root credential rotation. For both static and dynamic roles, the Couchbase secrets engine supports the setting of default password policies so the generated passwords will meet an organization's password requirements. The first example below registers an existing Couchbase user as a static role whose password Vault rotates every five minutes; the second requests a dynamic credential, which Vault returns together with a five-minute, renewable lease.
$ vault write database/static-roles/my-static-role \
    db_name="my-couchbase-database" \
    username="my-existing-couchbase-user" \
    rotation_period=5m

$ vault read database/creds/my-dynamic-role
Key                Value
---                -----
lease_id           database/creds/my-dynamic-role/wiLNQjtcvCOT1VnN3qnUJnBz
lease_duration     5m
lease_renewable    true
password           mhyM-Gs7IpmOPnSqXEDe
username           v-root-my-dynamic-role-eXnVr4gm55dpM1EVgTYz-1596815027
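As an added illustration of the lease lifecycle described above (this is not code from the Couchbase plugin or from HashiCorp), the following Python client fetches a dynamic credential from database/creds/<role>, renews it through Vault's sys/leases/renew endpoint before the lease runs out, falls back to fetching fresh credentials when the lease has lapsed or is not renewable, and revokes it through sys/leases/revoke when the client is done. The Vault address, the token, the role name and the "renew once a third of the lease is left" policy are assumptions; the endpoints are Vault's standard lease API.

```python
import json
import time
import urllib.request

VAULT_ADDR = "http://127.0.0.1:8200"  # assumption: a local Vault server
RENEW_FRACTION = 0.33  # our policy, not Vault's: renew once a third of the lease is left

def http_json(token, method, path, body=None):
    """Minimal Vault API call; returns the decoded JSON body ({} for 204 No Content)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(VAULT_ADDR + path, data=data, method=method,
                                 headers={"X-Vault-Token": token, "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}

class DynamicDbCreds:
    """Fetch database/creds/<role>, renew before expiry, revoke on shutdown (transport/clock are injectable for tests)."""
    def __init__(self, token, role, transport=http_json, clock=time.monotonic):
        self.token, self.role, self.transport, self.clock = token, role, transport, clock
        self.username = self.password = self.lease_id = None
        self.lease_duration, self.expires_at, self.renewable = 0, 0.0, False

    def fetch(self):
        r = self.transport(self.token, "GET", f"/v1/database/creds/{self.role}")
        self.username, self.password = r["data"]["username"], r["data"]["password"]
        self.lease_id, self.renewable = r["lease_id"], r["renewable"]
        self.lease_duration = r["lease_duration"]  # seconds, e.g. 300 for the 5m lease shown above
        self.expires_at = self.clock() + self.lease_duration
        return self.username, self.password

    def seconds_left(self):
        return max(0.0, self.expires_at - self.clock())

    def renew_if_needed(self):
        """Return True if a renewal or re-fetch was issued; a lapsed or non-renewable lease needs new creds."""
        if self.seconds_left() > RENEW_FRACTION * self.lease_duration:
            return False
        if not self.renewable or self.seconds_left() == 0:
            self.fetch()  # the old Couchbase user is gone (or will be); get a new one
            return True
        r = self.transport(self.token, "PUT", "/v1/sys/leases/renew", {"lease_id": self.lease_id})
        self.lease_duration = r["lease_duration"]
        self.expires_at = self.clock() + self.lease_duration
        return True

    def revoke(self):
        """Revoke explicitly so the Couchbase user is dropped as soon as the client is done, not at lease expiry."""
        self.transport(self.token, "PUT", "/v1/sys/leases/revoke", {"lease_id": self.lease_id})
        self.username = self.password = self.lease_id = None
```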
The Couchbase Secrets Engine is packaged as a Database Secrets Engine Plugin. This plugin is available with all versions of Vault. The step-by-step instructions on how to use the secrets engine are available in the Vault documentation.