Most secrets engines in Vault can create dynamic credentials. Dynamic credentials are valid for a short period of time, and the generated usernames follow a default template. Vault's username templates are based on the Go template language. Vault users who configure a secrets engine can also customise the username to a format of their choice.
This document focuses solely on a PostgreSQL database for demonstration. When no changes have been made, the default username template shipped with Vault is:
{{ printf "v-%s-%s-%s-%s" (.DisplayName | truncate 8)
(.RoleName | truncate 8)
(random 20)
(unix_time)
| truncate 63 }}
This can be altered and expanded upon, subject to the provided template.
1. DisplayName is the display_name of the token, which can be found by running the command below:
vault token lookup -format=json ...token...
An example output from the above command marking display_name is as follows:
{
"request_id": "e183c33e-a49b-0159-4542-da413a0ce302",
"lease_id": "",
"lease_duration": 0,
"renewable": false,
"data": {
"accessor": "UFsZQ6HArnhFBNY61njqKNxp",
"creation_time": 1679621749,
"creation_ttl": 2764800,
"display_name": "userpass-tester",
"entity_id": "6ad855ac-6477-195c-d659-1f5211f0ff49",
"expire_time": "2023-04-25T11:35:49.022607079+10:00",
"explicit_max_ttl": 0,
"id": "<redact>",
"issue_time": "2023-03-24T12:35:49.022609746+11:00",
"meta": {
"username": "tester"
},
"num_uses": 0,
"orphan": true,
"path": "auth/userpass/login/tester",
"policies": [
"default",
"superuser"
],
"renewable": true,
"ttl": 2750607,
"type": "service"
},
"warnings": null
}
3. RoleName is the name of the role (dev in the command below) for which the dynamic credential is being created.
vault read postgres/creds/dev -format=json
4. random is a built-in Go template function that generates random alphanumeric text.
5. unix_time is a built-in Go template function that generates the current Unix timestamp (number of seconds since Jan 1 1970).
6. truncate is a built-in Go template function that trims text input to the prescribed length.
7. The default username template generates a dynamic credential like the one below; the generated username is in the username field:
{
"request_id": "277876a6-2ab9-54ac-665d-f300e4c2c115",
"lease_id": "postgres/creds/dev/bDBlENJicQo3Qq7AL2yJ6KNB",
"lease_duration": 2764800,
"renewable": true,
"data": {
"password": "<redact>",
"username": "v-userpass-dev-QZUsHgmSYBDGctf2jVpz-1679961225"
}
}
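How the default PostgreSQL template turns display_name and the role name into a username, as an added Go example (not HashiCorp's code) that evaluates the article's template with the standard text/template package. The truncate, random and unix_time functions and the RenderUsername helper are local stand-ins written for this example, not Vault's implementations.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"strings"
	"text/template"
	"time"
)

// Default PostgreSQL username template, copied from the article.
const postgresTemplate = `{{ printf "v-%s-%s-%s-%s" (.DisplayName | truncate 8) (.RoleName | truncate 8) (random 20) (unix_time) | truncate 63 }}`
const alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"

// funcs are local stand-ins (assumptions) for the helpers Vault exposes to templates.
var funcs = template.FuncMap{
	"truncate": func(n int, s string) string { // piped value arrives as the last argument
		if len(s) > n {
			return s[:n]
		}
		return s
	},
	"random": func(n int) (string, error) {
		buf := make([]byte, n)
		if _, err := rand.Read(buf); err != nil {
			return "", err
		}
		for i, c := range buf {
			buf[i] = alphabet[int(c)%len(alphabet)] // slight modulo bias, acceptable for a demo
		}
		return string(buf), nil
	},
	"unix_time": func() string { return fmt.Sprint(time.Now().Unix()) },
}

// RenderUsername evaluates tmpl against the DisplayName and RoleName fields.
func RenderUsername(tmpl, displayName, roleName string) (string, error) {
	t, err := template.New("username").Funcs(funcs).Parse(tmpl)
	if err != nil {
		return "", err
	}
	var out strings.Builder
	err = t.Execute(&out, map[string]string{"DisplayName": displayName, "RoleName": roleName})
	return out.String(), err
}

func main() {
	fmt.Println(RenderUsername(postgresTemplate, "userpass-tester", "dev"))
}
```

Because DisplayName is cut to 8 characters, every token issued through the userpass auth method yields the same "userpass" prefix, so the username alone does not identify the requesting user; correlate it with the lease_id in Vault's audit log.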
Default username templates for some of the out-of-the-box secrets engines are listed below:
- AWS - the PolicyName here is that of the role created when configuring the AWS secrets engine
{{ if (eq .Type "STS") }}{{ printf "vault-%s-%s" (unix_time) (random 20) | truncate 32 }}{{ else }}{{ printf "vault-%s-%s-%s" (printf "%s-%s" (.DisplayName) (.PolicyName) | truncate 42) (unix_time) (random 20) | truncate 64 }}{{ end }}
- MySQL (self-hosted: mysql-database-plugin)
{{ printf "v-%s-%s-%s-%s" (.DisplayName | truncate 10) (.RoleName | truncate 10) (random 20) (unix_time) | truncate 32 }}
- MySQL RDS (mysql-rds-database-plugin)
{{ printf "v-%s-%s-%s" (.RoleName | truncate 4) (random 20) | truncate 16 }}
- MySQL Aurora (mysql-aurora-database-plugin)
{{ printf "v-%s-%s-%s" (.RoleName | truncate 4) (random 20) | truncate 16 }}
- RabbitMQ
{{ printf "%s-%s" (.DisplayName) (uuid) }}
- Cassandra
{{ printf "v_%s_%s_%s_%s" (.DisplayName | truncate 15) (.RoleName | truncate 15) (random 20) (unix_time) | truncate 100 | replace "-" "_" | lowercase }}
- Hana
{{ printf "v_%s_%s_%s_%s" (.DisplayName | truncate 32) (.RoleName | truncate 20) (random 20) (unix_time) | truncate 127 | replace "-" "_" | uppercase }}
- InfluxDB
{{ printf "v_%s_%s_%s_%s" (.DisplayName | truncate 15) (.RoleName | truncate 15) (random 20) (unix_time) | truncate 100 | replace "-" "_" | lowercase }}
- MongoDB
{{ printf "v-%s-%s-%s-%s" (.DisplayName | truncate 15) (.RoleName | truncate 15) (random 20) (unix_time) | replace "." "-" | truncate 100 }}
- MsSQL
{{ printf "v-%s-%s-%s-%s" (.DisplayName | truncate 20) (.RoleName | truncate 20) (random 20) (unix_time) | truncate 128 }}
- Oracle
{{ printf "V_%s_%s_%s_%s" (.DisplayName | truncate 8) (.RoleName | truncate 8) (random 20) (unix_time) | truncate 30 | uppercase | replace "-" "_" | replace "." "_" }}
- Couchbase
V_{{.DisplayName | uppercase | truncate 64}}_{{.RoleName | uppercase | truncate 64}}_{{random 20 | uppercase}}_{{unix_time}}
- Snowflake
{{ printf "v_%s_%s_%s_%s" (.DisplayName | truncate 32) (.RoleName | truncate 32) (random 20) (unix_time) | truncate 255 | replace "-" "_" }}
- Kubernetes
{{ printf "v-%s-%s-%s-%s" (.DisplayName | truncate 8) (.RoleName | truncate 8) (unix_time) (random 24) | truncate 62 | lowercase }}
- LDAP
v_{{.DisplayName}}_{{.RoleName}}_{{random 10}}_{{unix_time}}
- Redshift
{{ printf "v-%s-%s-%s-%s" (.DisplayName | truncate 8) (.RoleName | truncate 8) (random 20) (unix_time) | truncate 63 | lowercase }}
- PostgreSQL
{{ printf "v-%s-%s-%s-%s" (.DisplayName | truncate 8) (.RoleName | truncate 8) (random 20) (unix_time) | truncate 63 }}
Additional Information
- Vault Tutorial: Username templating
- Vault Tutorial: Enable login multi factor authentication (MFA)
- Vault Tutorial: Dynamic secrets: database secrets engine
- Vault Tutorial: Database secrets engine for Microsoft SQL Server
- Vault Tutorial: Database secrets engine with MongoDB
- Vault Doc: LDAP secrets engine - Active directory (AD)