Expected Outcome
Ability to correlate a given lease ID with the username generated by the database secrets engine's dynamic credentials
Prerequisites (if applicable)
- Knowledge of the specific username you are looking to correlate to a given lease ID
Use Case
In troubleshooting Vault and the database secrets engine, it sometimes becomes necessary to correlate the activity of a given username in the database with the lease ID that Vault generated and manages for it. This is not straightforward: the lease ID is never stored in the database itself, and looking up the lease in Vault (sys/leases/lookup) does not return the dynamically generated username. The audit log is the only place where both appear in the same record, but the username is written there only as an HMAC.
Procedure
- Using the sys/audit-hash endpoint, return the HMAC value for the username you are attempting to correlate with a lease ID. The path segment after sys/audit-hash/ is the audit device (here, a device mounted at file); every audit device has its own salt, so hash against the device whose log you are going to search.
# username: input=v-root-cat-person-I3nMQB95r3BJRY
vault write sys/audit-hash/file input=v-root-cat-person-I3nMQB95r3BJRY
Key Value
--- -----
hash hmac-sha256:ad65a853ee77caf3ec3c1f90e31233cd152631275d7572215887f938df56a902
# hmac-ed username: hmac-sha256:ad65a853ee77caf3ec3c1f90e31233cd152631275d7572215887f938df56a902
- In the audit logs, filter for a read request on <DB secrets engine path>/creds/<role name>. From that response entry, extract the lease ID and the HMAC'd username from the data object. Fields under response.data (username and password) are HMAC'd by default; response.secret.lease_id is logged in the clear, which is why the lease can be matched directly while the username cannot.
tail -1 v/logs/vault0.log | jq -r '"request: \(.request.path)\noperation: \(.request.operation)\nlease_id: \(.response.secret.lease_id)\nusername: \(.response.data.username)"'
request: mysql/creds/cat-person
operation: read
lease_id: mysql/creds/cat-person/tfoSRtLlJBNh5crU0vUqcb7W
username: hmac-sha256:ad65a853ee77caf3ec3c1f90e31233cd152631275d7572215887f938df56a902
- Compare the HMAC generated in step 1 with the username value from the audit log response:
export EXPECTED_USERNAME=hmac-sha256:ad65a853ee77caf3ec3c1f90e31233cd152631275d7572215887f938df56a902
export ACTUAL_USERNAME=$(tail -1 v/logs/vault0.log | jq -r '.response.data.username')
[ "$EXPECTED_USERNAME" = "$ACTUAL_USERNAME" ] && echo "It's a match" || echo "Not a match";
It's a match
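As an added example (not part of this article and not Vault's own tooling), the following Python script applies steps 2 and 3 across a whole audit log rather than a single `tail -1` line, and in both directions: every lease ID whose audited username matches a given HMAC, and the HMAC'd username recorded for a given lease ID. The log lines and the salt are constructed; the `audit_hash` helper only reproduces the `hmac-sha256:<hex>` format so that the sample data is self-consistent. The real salt is never exposed by Vault, so in practice step 1 still has to go through sys/audit-hash.

```python
import hashlib
import hmac
import json

# Constructed stand-in for an audit device's HMAC salt. Vault never exposes the
# real salt, which is why step 1 of the procedure goes through sys/audit-hash
# instead of hashing locally; here it only exists to build consistent sample data.
AUDIT_SALT = b"constructed-audit-salt-not-a-vault-key"


def audit_hash(value: str, salt: bytes = AUDIT_SALT) -> str:
    """Render an HMAC-SHA256 of `value` in the audit-log form 'hmac-sha256:<hex>'.

    This reproduces the output format of sys/audit-hash so the constructed log
    below looks like a real one; against a real device, call the endpoint.
    """
    digest = hmac.new(salt, value.encode(), hashlib.sha256).hexdigest()
    return "hmac-sha256:" + digest


# Constructed audit log (one JSON object per line, as the file audit device
# writes it). Only the fields this procedure reads are populated. The second
# entry is a request-type line with no response, the third is a read for a
# different role, and the fourth is an unrelated lease lookup.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"type": "response",
     "request": {"path": "mysql/creds/cat-person", "operation": "read"},
     "response": {"secret": {"lease_id": "mysql/creds/cat-person/tfoSRtLlJBNh5crU0vUqcb7W"},
                  "data": {"username": audit_hash("v-root-cat-person-I3nMQB95r3BJRY"),
                           "password": audit_hash("constructed-password-1")}}},
    {"type": "request",
     "request": {"path": "mysql/creds/cat-person", "operation": "read"}},
    {"type": "response",
     "request": {"path": "mysql/creds/dog-person", "operation": "read"},
     "response": {"secret": {"lease_id": "mysql/creds/dog-person/4kQ2constructedLeaseId"},
                  "data": {"username": audit_hash("v-root-dog-person-constructed01"),
                           "password": audit_hash("constructed-password-2")}}},
    {"type": "response",
     "request": {"path": "sys/leases/lookup", "operation": "update"},
     "response": {"data": {"id": "mysql/creds/cat-person/tfoSRtLlJBNh5crU0vUqcb7W"}}},
])


def creds_responses(log_text: str, mount: str = "mysql"):
    """Yield (lease_id, hmac_username) for every audited read of <mount>/creds/<role>."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)
        req = entry.get("request") or {}
        if entry.get("type") != "response" or req.get("operation") != "read":
            continue
        if not req.get("path", "").startswith(f"{mount}/creds/"):
            continue
        resp = entry.get("response") or {}
        lease_id = (resp.get("secret") or {}).get("lease_id")
        username = (resp.get("data") or {}).get("username")
        if lease_id and username:
            yield lease_id, username


def leases_for_username(log_text: str, hmac_username: str, mount: str = "mysql"):
    """Step 3 across the whole log: every lease ID whose audited username HMAC matches."""
    return [lease for lease, user in creds_responses(log_text, mount) if user == hmac_username]


def username_hmac_for_lease(log_text: str, lease_id: str, mount: str = "mysql"):
    """The reverse lookup: the HMAC'd username from the creds response for a lease, or None."""
    for lease, user in creds_responses(log_text, mount):
        if lease == lease_id:
            return user
    return None


if __name__ == "__main__":
    # With a real device, `target` is the hash field returned by sys/audit-hash.
    target = audit_hash("v-root-cat-person-I3nMQB95r3BJRY")
    print("leases for that username:", leases_for_username(SAMPLE_LOG, target))
    print("username HMAC for lease:",
          username_hmac_for_lease(SAMPLE_LOG, "mysql/creds/cat-person/tfoSRtLlJBNh5crU0vUqcb7W"))
```

Two things to keep in mind when running this against a real log: the HMAC from sys/audit-hash is only comparable to the log of the device named in that request, since each device has its own salt, and if the mount has audit_non_hmac_response_keys configured to include username, the log will carry the plaintext username and the comparison should be made against that instead.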