Database Credential Rotation

The Vault database secrets engine generates credentials dynamically based on configured roles. It is able to work with any combination of different databases leveraging a plugin interface, robust built-in database types, and frameworks that enable the running of custom database types. Services that need access no longer need to hardcode credentials: they can request them from Vault and use Vault's leasing mechanism to easily roll keys, creating dynamic secrets.

• Services access databases with unique credentials, making auditing much easier.
• Vault's internal revocation system ensures that users become invalid after a set time.

Applications “ask” Vault for database credentials rather than setting them as environment variables. Administrators specify the time-to-live (TTL) for database credentials so that they are automatically revoked when no longer used.

• Each app instance can get unique credentials that don't have to be shared and are short-lived.  
• Using dynamic secrets reduces the chance they become compromised, and should that happen, individual secrets can be revoked rather than requiring global changes.

Vault's database secrets engine provides a centralized workflow to automatically manage credentials for various database systems. Every service instance gets a unique set of credentials that live only for the life of that service. This also means that abnormal access patterns can be pinpointed to a specific service instance and its credential can be revoked immediately.  

• Policies and automated tasks reduce the need for manual tasks by database administrators, making database access and updates more efficient and secure.
• Automated credential rotation maintains security and access to your information while reducing downtime.