Connecting HCP Vault Dedicated to Amazon RDS privately using Amazon VPC Lattice

In this final part of a three-part series, we show how VPC Lattice can help achieve private connectivity from HCP Vault Dedicated to resources like Amazon RDS without direct connections to the RDS VPC via VPC peering or Transit Gateway. Check out Part 1 if you would like to get an overview on the other connectivity patterns available. Alternatively, visit Part 2: Connecting Vault to RDS using Amazon VPC Lattice if you’re interested to see a demo of how Lattice can achieve private connectivity with your Vault self-managed (refers to Vault Enterprise or Vault Community Edition) deployments.

»Connecting HCP Vault Dedicated to RDS using VPC Lattice with Lattice service network endpoints

For this demo, you’ll deploy the following architecture that uses Lattice service network endpoints to connect privately from HCP Vault Dedicated to RDS. An Amazon EC2 instance is created for demonstration purposes in the endpoint VPC to test using Vault’s generated database credentials to connect to RDS over VPC Lattice. You do not need this EC2 instance in the endpoint VPC in an actual environment.

Navigate to the VPC console and choose Endpoints. View the details of the VPC endpoint of endpoint type ServiceNetwork. It has Private DNS names enabled and we see the unique DNS name for the specific RDS instance listed in the Associations tab under Private DNS. This DNS Name that begins with vpce-* is used to establish connections between HCP Vault Dedicated and RDS via the Lattice service network endpoint.

Log in to HCP Vault Dedicated and enable the database engine. From the database secret engine, create a new connection to the RDS instance using the Lattice service network VPC endpoint DNS name. The following values are used for this demo, replace the values accordingly for your environment (Once created, optionally rotate the root credentials):

• Database plugin: PostgreSQL
• Connection name: postgres
• Connection URL: postgres://{{username}}:{{password}}@<Your VPCE DNS Name from the previous step>/<Your database Name>
• Username: Your RDS Instance username
• Password: Your RDS Instance password

This successfully creates the connection. Now add a role.

Create the role with the following settings then scroll down and choose Create role.

• Role name: example
• Type of role: dynamic
• Creation statements:

CREATE ROLE "{{name}}" WITH LOGIN ENCRYPTED PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';
GRANT SELECT ON ALL TABLES IN SCHEMA public TO "{{name}}";

The role is now created. We then choose Generate credentials.

Copy the username and password.

In the AWS Console, connect to the client EC2 instance using session manager. Once the session is established, use the dynamic secret retrieved from HCP Vault Dedicated to connect to RDS. Replace the host with the VPCE DNS name, and replace <DB_NAME> with the name of the database you created. Finally, replace the username with the dynamic username from above. When prompted, enter the password retrieved from the previous step.

Run the following command to view the dynamic user that is created:

SELECT usename FROM pg_catalog.pg_user; 

That completes the process to connect Vault to RDS over VPC Lattice using the Lattice service network VPCE’s DNS name to generate dynamic credentials that can then be used by other clients to connect to the RDS.

»Learn more

This final part of the Vault with Lattice three-part series covered how to use Amazon VPC Lattice to connect HCP Vault Dedicated to RDS instances privately without needing VPC peering or Transit Gateway on the provider VPC. In the demo, we saw how we could then leverage Vault’s database secrets engine to generate dynamic credentials for access to RDS. Check out the other parts that highlight more design patterns and demos:

• Part 1: Patterns for connecting Vault to Amazon RDS using Amazon VPC Lattice
• Part 2: Connecting Vault to Amazon RDS using Amazon VPC Lattice