Redis ElastiCache database secrets engine
Redis ElastiCache is one of the supported plugins for the database secrets engine. This plugin generates static credentials for existing managed roles.
See the database secrets engine docs for more information about setting up the database secrets engine.
Capabilities
Plugin Name | Root Credential Rotation | Dynamic Roles | Static Roles | Username Customization |
---|---|---|---|---|
redis-elasticache-database-plugin | No | No | Yes | No |
Setup
Enable the database secrets engine if it is not already enabled:
$ vault secrets enable databaseSuccess! Enabled the database secrets engine at: database/
By default, the secrets engine will enable at the name of the engine. To enable the secrets engine at a different path, use the
-path
argument.Configure Vault with the proper plugin and connection configuration:
$ vault write database/config/my-redis-elasticache-cluster \ plugin_name="redis-elasticache-database-plugin" \ url="primary-endpoint.my-cluster.xxx.yyy.cache.amazonaws.com:6379" \ username="AKI***" \ password="ktriNYvULAWLzUmTGb***" \ allowed_roles="*"
Note: The username and password parameters are optional. If omitted, authentication falls back on the AWS credentials provider chain. Using a temporary credential stored in the proper environment variable is the preferred configuration method.
Usage
After the secrets engine is configured, write static roles to enable generating credentials.
Static roles
Configure a static role that maps a name in Vault to an existing Redis ElastiCache user.
$ vault write database/static-roles/my-static-role \ db_name="my-redis-elasticache-cluster" \ username="my-existing-redis-user" \ rotation_period=5mSuccess! Data written to: database/static-roles/my-static-role
Retrieve the credentials from the
/static-creds
endpoint:$ vault read database/static-creds/my-static-roleKey Value--- -----last_vault_rotation 2022-09-14T11:45:57.24715105-04:00password GKdS6qY-UtVAMpcD9iuurotation_period 5mttl 4m48susername my-existing-redis-user
Note: New passwords may take up-to a couple of minutes before ElastiCache has the chance to complete their configuration. It is recommended to use a retry strategy when establishing new Redis ElastiCache connections. This may prevent errors when trying to use a password that isn't yet live on the targeted ElastiCache cluster.
API
The full list of configurable options can be seen in the Redis ElastiCache Database Plugin API page.
For more information on the database secrets engine's HTTP API please see the Database Secrets Engine API page.