Add documentation for new rootless password rotation workflow for DB Static Roles #28374
Conversation
github-actions
bot
added
the
hashicorp-contributed-pr
vinay-gopalan
added
pr/no-changelog
pr/no-milestone
docs
and removed
hashicorp-contributed-pr
|
CI Results: |
|
Build Results: |
VioletHynes
added
the
hashicorp-contributed-pr
Co-authored-by: John-Michael Faircloth <fairclothjm@users.noreply.github.com>
| @@ -534,6 +534,11 @@ this in order to know the password. | |||
| - `username` `(string: <required>)` – Specifies the database username that this | |||
| Vault role corresponds to. | |||
|
|
|||
| - `self_managed_password` `(string)` – <EnterpriseAlert product="vault" inline /> | |||
There was a problem hiding this comment.
Sorry to keep nitpicking this PR, but given we don't have plans to add this to any other DBs anytime soon should we move this to the postgres API specific page?
We could do something similar to how we extend the connection config...
## Create static role
In addition to the parameters defined by the Database backend's
[Create static role](/vault/api-docs/secret/databases#create-static-role)
endpoint, this plugin has a number of parameters to further configure a static role.
- `self_managed_password` `(string)` – ...
There was a problem hiding this comment.
Where we should document it depends on where it's defined, not how its use is limited.
-
If the field is part of the Vault API and recognized as a valid field in a request to the
/database/static-roles/:nameendpoint, we should define it here and note the limited use. -
If the field is part of the PostgreSQL plugin API and recognized as a valid field in a request to the
/database/config/<postgres_plugin_name>endpoint (or any other endpoint specific to the plugin), we should define it on the PostgreSQL page.
There was a problem hiding this comment.
Thanks for the clarification, @schavis! This field is part of the Vault API, so I opted to define it here and noted its limited use to select DBs.
| @@ -534,6 +534,11 @@ this in order to know the password. | |||
| - `username` `(string: <required>)` – Specifies the database username that this | |||
| Vault role corresponds to. | |||
|
|
|||
| - `self_managed_password` `(string)` – <EnterpriseAlert product="vault" inline /> | |||
There was a problem hiding this comment.
Where we should document it depends on where it's defined, not how its use is limited.
-
If the field is part of the Vault API and recognized as a valid field in a request to the
/database/static-roles/:nameendpoint, we should define it here and note the limited use. -
If the field is part of the PostgreSQL plugin API and recognized as a valid field in a request to the
/database/config/<postgres_plugin_name>endpoint (or any other endpoint specific to the plugin), we should define it on the PostgreSQL page.
…m:hashicorp/vault into VAULT-27880/rootless-db-pwd-rotation-docs
|
@schavis let me know if there are any other changes you think would be appropriate, thanks! 🙏🏼 |
|
@schavis can you please take another look and let us know if this PR needs anything else? Merging is blocked. |
Description
Adds documentation for the new workflow in DB Static roles that enables users to onboard DB users onto the Static Roles mechanism without having to configure a root connection.