Announcing the Couchbase Secrets Engine

We are excited to announce the release of the Couchbase Secrets Engine for HashiCorp Vault. The secrets engine is packaged as part of the general database secrets engine and supports root credential rotation, dynamic and static roles.

The Couchbase secrets engine was originally created by Francis Hitchens (GitHub, LinkedIn), who did the initial development work before collaborating with both the Couchbase and Vault engineering teams. We would like to thank Francis for the amazing contribution to the HashiCorp Vault open-source ecosystem!

»What is HashiCorp Vault

HashiCorp Vault is a tool for securely accessing secrets. A secret is anything that you want to tightly control access to, such as API keys, passwords, or certificates. Vault provides a unified interface to any secret while providing tight access control and recording a detailed audit log.

»Why Dynamic Secrets?

Today most organizations are utilizing static secrets. These are defined ahead of time and shared between many clients. A dynamic secret is generated on demand and is unique to a client. Vault associates each dynamic secret with a lease and automatically destroys the credentials when the lease expires. By leveraging just in time ephemeral credentials, organizations are able to dramatically reduce the blast radius in case of credential leakage. Vault takes over the operational burden of managing credential lifecycle by renewing or revoking credentials as needed.

»What is Couchbase?

Couchbase is an open-source, distributed multi-model NoSQL document-oriented database. It exposes a scale-out, key-value store with managed cache for extremely fast data operations, as well as purpose-built indexers for efficient SQL-like queries. Enterprises adopt NoSQL databases because they store information in JSON documents instead of columns and rows used by traditional RDMSs. In the world of mobile and cloud applications, Couchbase (and other NoSQL DBs) provide greater agility when it comes to development and the database can operate at a greater scale.

»The Couchbase Database Secrets Engine

As we mentioned at the top of this post, the database secrets engine supports static and dynamic roles as well as root credential rotation. For both static and dynamic roles, the Couchbase secrets engine supports the setting of default password policies so the generated passwords will meet an organization's password requirements.

• Static Roles: Static roles are a 1-to-1 mapping of Vault Roles to usernames in Couchbase. The current password for the database user is stored and automatically rotated by Vault on a configurable period of time.

$ vault write database/static-roles/my-static-role \
    db_name="my-couchbase-database" \
    username="my-existing-couchbase-user" \
    rotation_period=5m

• Dynamic Roles: For dynamic roles, operators create a role in Vault that is mapped to a Couchbase RBAC role. When a credential request comes in from a client, Vault dynamically generates a unique username and password pair in Couchbase and automatically associates it with the corresponding RBAC role. Vault returns the credentials to the client. Once the lease expires, Vault automatically deletes the user from Couchbase.

$ vault read database/creds/my-dynamic-role
Key                Value
---                -----
lease_id           database/creds/my-dynamic-role/wiLNQjtcvCOT1VnN3qnUJnBz
lease_duration     5m
lease_renewable    true
password           mhyM-Gs7IpmOPnSqXEDe
username           v-root-my-dynamic-role-eXnVr4gm55dpM1EVgTYz-1596815027

• Root Credential Rotation: Since Vault is managing the database credentials on behalf of the database administrator, it needs a set of highly privileged credentials that can create and delete users in the database system. Therefore, it is very common to give Vault a set of root** **credentials. However, these credentials are often long-lived and never change once configured on Vault. This may violate the Governance, Risk, and Compliance (GRC) policies surrounding that data stored in the database. Vault is able to rotate the root credentials stored for the Couchbase database connection. Once the root credential has been rotated, only the Vault knows the new password.

»Next Steps

The Couchbase Secrets Engine is packaged as a Database Secrets Engine Plugin. This plugin is available with all versions of Vault. The step-by-step instructions on how to use the secrets engine are available in the Vault documentation.