Explaining default username_template for secret engines

Avatar
Ram Parameswaran
  • Updated

Most secret engines in Vault have the capability to create dynamic credentials. As the name goes, dynamic credentials are created for a short period of time. The dynamic credential generated have usernames that follow a default template. This username template is based on the GO Template Language. Vault users who configure the Secret engines are also able to customise the username to be of a format of their choice.

However, to focus on describing various parts that make up the default username template, this document will solely focus on a postgres database example. The default username template is as below,

{{ printf "v-%s-%s-%s-%s" (.DisplayName | truncate 8) 
                          (.RoleName | truncate 8) 
                          (random 20) 
                          (unix_time) 
                          | truncate 63 }}

To expand on the placeholders used in the template,

1. DisplayName is the value of the display_name that can be found by running the command below,

vault token lookup -format=json

Below is an example of an output of the command above and marked in bold is the value used.

{
"request_id": "e183c33e-a49b-0159-4542-da413a0ce302",
"lease_id": "",
"lease_duration": 0,
"renewable": false,
"data": {
"accessor": "UFsZQ6HArnhFBNY61njqKNxp",
"creation_time": 1679621749,
"creation_ttl": 2764800,
"display_name": "userpass-tester",
"entity_id": "6ad855ac-6477-195c-d659-1f5211f0ff49",
"expire_time": "2023-04-25T11:35:49.022607079+10:00",
"explicit_max_ttl": 0,
"id": "<redact>",
"issue_time": "2023-03-24T12:35:49.022609746+11:00",
"meta": {
"username": "tester"
},
"num_uses": 0,
"orphan": true,
"path": "auth/userpass/login/tester",
"policies": [
"default",
"superuser"
],
"renewable": true,
"ttl": 2750607,
"type": "service"
},
"warnings": null
}

3. RoleName is the name of the role(in bold) for which the dynamic credential is being created for. 

vault read postgres/creds/dev -format=json

4. random is a built in GO Template function that can generate random alphanumeric text

5. unix_time is a built in GO Template  function that generates the current unix timestamp (number of seconds since Jan 1 1970)

6. truncate - Built in GO Template function to trim the length of text input to the length prescribed.

7. The default username template would then generate a dynamic credential like below with the generated username in bold,

{
"request_id": "277876a6-2ab9-54ac-665d-f300e4c2c115",
"lease_id": "postgres/creds/dev/bDBlENJicQo3Qq7AL2yJ6KNB",
"lease_duration": 2764800,
"renewable": true,
"data": {
"password": "<redact>",
"username": "v-userpass-dev-QZUsHgmSYBDGctf2jVpz-1679961225"
}
}

Default username templates for some of the out of box secret engines are as listed below

  1. AWS - Here PolicyName is the name of the role created while configuring the AWS Secret Engine  
    {{ if (eq .Type "STS") }}{{ printf "vault-%s-%s" (unix_time) (random 20) | truncate 32 }}{{ else }}{{ printf "vault-%s-%s-%s" (printf "%s-%s" (.DisplayName) (.PolicyName) | truncate 42) (unix_time) (random 20) | truncate 64 }}{{ end }}
  2. MySQL(self hosted) - mysql-database-plugin 
    {{ printf "v-%s-%s-%s-%s" (.DisplayName | truncate 10) (.RoleName | truncate 10) (random 20) (unix_time) | truncate 32 }}
  3. MySQL RDS -  mysql-rds-database-plugin 
    {{ printf "v-%s-%s-%s" (.RoleName | truncate 4) (random 20) | truncate 16 }}
  4. MySQL Aurora - mysql-aurora-database-plugin  
    {{ printf "v-%s-%s-%s" (.RoleName | truncate 4) (random 20) | truncate 16 }}
  5. RabbitMQ -  
    {{ printf "%s-%s" (.DisplayName) (uuid) }}
  6. Cassandra -  
    {{ printf "v_%s_%s_%s_%s" (.DisplayName | truncate 15) (.RoleName | truncate 15) (random 20) (unix_time) | truncate 100 | replace "-" "_" | lowercase }}
  7. hana -  
    {{ printf "v_%s_%s_%s_%s" (.DisplayName | truncate 32) (.RoleName | truncate 20) (random 20) (unix_time) | truncate 127 | replace "-" "_" | uppercase }}
  8. influxdb -  
    {{ printf "v_%s_%s_%s_%s" (.DisplayName | truncate 15) (.RoleName | truncate 15) (random 20) (unix_time) | truncate 100 | replace "-" "_" | lowercase }}
  9. mongodb -  
    {{ printf "v-%s-%s-%s-%s" (.DisplayName | truncate 15) (.RoleName | truncate 15) (random 20) (unix_time) | replace "." "-" | truncate 100 }}
  10. mssql -  
    {{ printf "v-%s-%s-%s-%s" (.DisplayName | truncate 20) (.RoleName | truncate 20) (random 20) (unix_time) | truncate 128 }}
  11. Oracle -  
    {{ printf "V_%s_%s_%s_%s" (.DisplayName | truncate 8) (.RoleName | truncate 8) (random 20) (unix_time) | truncate 30 | uppercase | replace "-" "_" | replace "." "_" }}
  12. Couchbase -  
    V_{{.DisplayName | uppercase | truncate 64}}_{{.RoleName | uppercase | truncate 64}}_{{random 20 | uppercase}}_{{unix_time}}
  13. Snowflake -  
    {{ printf "v_%s_%s_%s_%s" (.DisplayName | truncate 32) (.RoleName | truncate 32) (random 20) (unix_time) | truncate 255 | replace "-" "_" }}
  14. kubernetes -  
    {{ printf "v-%s-%s-%s-%s" (.DisplayName | truncate 8) (.RoleName | truncate 8) (unix_time) (random 24) | truncate 62 | lowercase }}
  15. ldap -  
    v_{{.DisplayName}}_{{.RoleName}}_{{random 10}}_{{unix_time}}
  16. redshift -  
    {{ printf "v-%s-%s-%s-%s" (.DisplayName | truncate 8) (.RoleName | truncate 8) (random 20) (unix_time) | truncate 63 | lowercase }}
  17. postgres -  
    {{ printf "v-%s-%s-%s-%s" (.DisplayName | truncate 8) (.RoleName | truncate 8) (random 20) (unix_time) | truncate 63 }}

 

Articles in this section

See more

Related articles