mirrors/vault
1
0
Fork 0
mirror of https://github.com/hashicorp/vault.git synced 2025-11-28 14:11:10 +01:00
Code Issues Projects Releases Wiki Activity

docs: add multi-host connection string info to postgres secrets API docs (#16780)

Browse Source 
* Add multihost connection string information to postgres API docs

* Add note about replication manager
This commit is contained in:
Robert 2022-08-18 14:38:30 -05:00 committed by GitHub
parent 94410157d9
commit d111adf18b
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 48 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

44
website/content/api-docs/secret/databases/postgresql.mdx
View File

@ -29,7 +29,9 @@ has a number of parameters to further configure a connection.
parameters in the following format `{{field_name}}`. Certificate authentication parameters in the following format `{{field_name}}`. Certificate authentication
can be used by setting `?sslinline=true` and giving the SSL credentials in the can be used by setting `?sslinline=true` and giving the SSL credentials in the
`sslrootcert`, `sslcert` and `sslkey` credentials. A templated connection URL `sslrootcert`, `sslcert` and `sslkey` credentials. A templated connection URL
is required when using root credential rotation. is required when using root credential rotation. This field supports both format
string types, URI and keyword/value. Both formats support multiple host connection
strings.
- `max_open_connections` `(int: 4)` - Specifies the maximum number of open - `max_open_connections` `(int: 4)` - Specifies the maximum number of open
connections to the database. connections to the database.
@ -78,7 +80,7 @@ has a number of parameters to further configure a connection.
</details> </details>
</details> </details>
### Sample Payload ### Sample Payload with URI-format Connection String
```json ```json
{ {
@ -92,6 +94,20 @@ has a number of parameters to further configure a connection.
} }
``` ```
### Sample Payload with Keyword/Value-format Connection String
```json
{
"plugin_name": "postgresql-database-plugin",
"allowed_roles": "readonly",
"connection_url": "host=localhost port=5432 user={{username}} password={{password}}",
"max_open_connections": 5,
"max_connection_lifetime": "5s",
"username": "username",
"password": "password"
}
```
### Sample Request ### Sample Request
```shell-session ```shell-session
@ -102,6 +118,30 @@ $ curl \
http://127.0.0.1:8200/v1/database/config/postgresql http://127.0.0.1:8200/v1/database/config/postgresql
``` ```
### Connection Strings with Multiple Hosts
Postgres supports multiple hosts in the connection string. An example use-case for this might be having
Postgres set up with Replication Manager. However, there are some formatting rules to consider when using
this feature. Please refer to the ["Specifying Multiple Hosts" section of the
official Postgres documentation](https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-CONNSTRING)
for more information. Below are two small examples.
#### URI-format Multi-Host String:
```json
{
"connection_url": "postgresql://{{username}}:{{password}}@hostone:5432,hosttwo:5432,hostthree:9999/postgres"
}
```
#### Keyword/Value-format Multi-Host String:
```json
{
"connection_url": "host=hostone,hosttwo,hostthree port=5432,5432,9999 user={{username}} password={{password}} dbname=postgres"
}
```
## Statements ## Statements
Statements are configured during role creation and are used by the plugin to Statements are configured during role creation and are used by the plugin to

12
website/content/docs/secrets/databases/postgresql.mdx
View File

@ -32,7 +32,7 @@ options, including SSL options, can be found in the [pgx][pgxlib] and
1. Enable the database secrets engine if it is not already enabled: 1. Enable the database secrets engine if it is not already enabled:
```text ```shell-session
$ vault secrets enable database $ vault secrets enable database
Success! Enabled the database secrets engine at: database/ Success! Enabled the database secrets engine at: database/
``` ```
@ -42,9 +42,9 @@ options, including SSL options, can be found in the [pgx][pgxlib] and
1. Configure Vault with the proper plugin and connection information: 1. Configure Vault with the proper plugin and connection information:
```text ```shell-session
$ vault write database/config/my-postgresql-database \ $ vault write database/config/my-postgresql-database \
plugin_name=postgresql-database-plugin \ plugin_name="postgresql-database-plugin" \
allowed_roles="my-role" \ allowed_roles="my-role" \
connection_url="postgresql://{{username}}:{{password}}@localhost:5432/" \ connection_url="postgresql://{{username}}:{{password}}@localhost:5432/" \
username="vaultuser" \ username="vaultuser" \
@ -54,9 +54,9 @@ options, including SSL options, can be found in the [pgx][pgxlib] and
1. Configure a role that maps a name in Vault to an SQL statement to execute to 1. Configure a role that maps a name in Vault to an SQL statement to execute to
create the database credential: create the database credential:
```text ```shell-session
$ vault write database/roles/my-role \ $ vault write database/roles/my-role \
db_name=my-postgresql-database \ db_name="my-postgresql-database" \
creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; \ creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; \
GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";" \ GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";" \
default_ttl="1h" \ default_ttl="1h" \
@ -72,7 +72,7 @@ the proper permission, it can generate credentials.
1. Generate a new credential by reading from the `/creds` endpoint with the name 1. Generate a new credential by reading from the `/creds` endpoint with the name
of the role: of the role:
```text ```shell-session
$ vault read database/creds/my-role $ vault read database/creds/my-role
Key Value Key Value
--- ----- --- -----