From 1ea4c1c7890c8ac147171428aec140b4c1c3dc3d Mon Sep 17 00:00:00 2001 From: Vinay Gopalan Date: Wed, 11 Sep 2024 14:39:34 -0700 Subject: [PATCH 1/7] add documentation for new rootless password rotation workflow --- .../api-docs/secret/databases/index.mdx | 5 ++ .../api-docs/secret/databases/postgresql.mdx | 4 ++ .../docs/secrets/databases/postgresql.mdx | 64 +++++++++++++++++++ 3 files changed, 73 insertions(+) diff --git a/website/content/api-docs/secret/databases/index.mdx b/website/content/api-docs/secret/databases/index.mdx index 2373410a042c..1b5b74ca266e 100644 --- a/website/content/api-docs/secret/databases/index.mdx +++ b/website/content/api-docs/secret/databases/index.mdx @@ -534,6 +534,11 @@ this in order to know the password. - `username` `(string: )` – Specifies the database username that this Vault role corresponds to. +- `self_managed_password` `(string)` – + The password corresponding to this username in the database. Required when using + the Rootless Password Rotation workflow for static roles. Only enabled for select + DB engines. + - `db_name` `(string: )` - The name of the database connection to use for this role. diff --git a/website/content/api-docs/secret/databases/postgresql.mdx b/website/content/api-docs/secret/databases/postgresql.mdx index 009442200069..43794edca67b 100644 --- a/website/content/api-docs/secret/databases/postgresql.mdx +++ b/website/content/api-docs/secret/databases/postgresql.mdx @@ -51,6 +51,10 @@ has a number of parameters to further configure a connection. - `password` `(string: "")` - The root credential password used in the connection URL. +- `self_managed` `(boolean: "false")` - If + set, allows onboarding static roles with a rootless connection configuration. Mutually + exclusive with `username` and `password`. + - `tls_ca` `(string: "")` - The x509 CA file for validating the certificate presented by the PostgreSQL server. Must be PEM encoded. 
diff --git a/website/content/docs/secrets/databases/postgresql.mdx b/website/content/docs/secrets/databases/postgresql.mdx index e9efbb1de1c2..a5df513c7038 100644 --- a/website/content/docs/secrets/databases/postgresql.mdx +++ b/website/content/docs/secrets/databases/postgresql.mdx 
@@ -84,6 +84,70 @@ the proper permission, it can generate credentials. username v-vaultuse-my-role-x ``` +## Rootless Configuration and Password Rotation for Static Roles + + + +The PostgreSQL secrets engine supports using Static Roles and its password rotation mechanisms with a Rootless +DB connection configuration. In this workflow, a static DB user can be onboarded onto Vault's static role rotation +mechanism without the need of privileged root accounts to configure the connection. Instead of using a single root +connection, multiple dedicated connections to the DB are made for each static role. This workflow does not support +dynamic roles/credentials. + +~> Note: It is **highly recommended** that the DB users being onboarded as static roles +have the minimum set of privileges. Each static role will open a new connection into the DB. +Granting minimum privileges to the DB users being onboarded ensures that multiple +highly-privileged connections to an external system are not being made. + +~> Note: Out-of-band password rotations will cause Vault to be out of sync with the state of +the DB user, and will require manually updating the user's password in the external PostgreSQL +DB in order to resolve any errors encountered during rotation. + +1. Enable the database secrets engine if it is not already enabled: + + ```shell-session + $ vault secrets enable database + Success! Enabled the database secrets engine at: database/ + ``` + + By default, the secrets engine will enable at the name of the engine. To + enable the secrets engine at a different path, use the `-path` argument. + +1. 
Configure connection to DB without root credentials and enable the rootless + workflow by setting the `self_managed` parameter: + + ```shell-session + $ vault write database/config/my-postgresql-database \ + plugin_name="postgresql-database-plugin" \ + allowed_roles="my-role" \ + connection_url="postgresql://{{username}}:{{password}}@localhost:5432/database-name" \ + self_managed=true + ``` + +1. Configure a static role that creates a dedicated connection to a user in the DB with + the `self_managed_password` parameter: + + ```shell-session + $ vault write database/static-roles/my-static-role \ + db_name="my-postgresql-database" \ + username="staticuser" \ + self_managed_password="password" \ + rotation_period="1h" + ``` + +1. Read static credentials: + + ```shell-session + $ vault read database/static-creds/static-test + Key Value + --- ----- + last_vault_rotation 2024-09-11T14:15:13.764783-07:00 + password XZY42BVc-UO5bMsbgxrW + rotation_period 1h + ttl 59m55s + username staticuser + ``` + ## Client x509 certificate authentication This plugin supports using PostgreSQl's [x509 Client-side Certificate Authentication](https://www.postgresql.org/docs/16/libpq-ssl.html#LIBPQ-SSL-CLIENTCERT). From 515c7ce9410a2af8fd87889f9fd10cb9ffcd3cce Mon Sep 17 00:00:00 2001 From: Vinay Gopalan Date: Mon, 16 Sep 2024 10:45:03 -0700 Subject: [PATCH 2/7] add capabilities header --- website/content/api-docs/secret/databases/postgresql.mdx | 2 +- website/content/docs/secrets/databases/postgresql.mdx | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/website/content/api-docs/secret/databases/postgresql.mdx b/website/content/api-docs/secret/databases/postgresql.mdx index 43794edca67b..9e42ffd2b830 100644 --- a/website/content/api-docs/secret/databases/postgresql.mdx +++ b/website/content/api-docs/secret/databases/postgresql.mdx 
@@ -53,7 +53,7 @@ has a number of parameters to further configure a connection. - `self_managed` `(boolean: "false")` - If set, allows onboarding static roles with a rootless connection configuration. Mutually - exclusive with `username` and `password`. + exclusive with `username` and `password`. Will override `verify_connection` if set. - `tls_ca` `(string: "")` - The x509 CA file for validating the certificate presented by the PostgreSQL server. Must be PEM encoded. diff --git a/website/content/docs/secrets/databases/postgresql.mdx b/website/content/docs/secrets/databases/postgresql.mdx index a5df513c7038..d5b1a1c29353 100644 --- a/website/content/docs/secrets/databases/postgresql.mdx +++ b/website/content/docs/secrets/databases/postgresql.mdx @@ -24,9 +24,9 @@ options, including SSL options, can be found in the [pgx][pgxlib] and ## Capabilities -| Plugin Name | Root Credential Rotation | Dynamic Roles | Static Roles | Username Customization | -| ---------------------------- | ------------------------ | ------------- | ------------ | ---------------------- | -| `postgresql-database-plugin` | Yes | Yes | Yes | Yes (1.7+) | +| Plugin Name | Root Credential Rotation | Dynamic Roles | Static Roles | Username Customization | Rootless Password Rotation for Static Roles | +| ---------------------------- | ------------------------ | ------------- | ------------ | ---------------------- | ------------------------------------------- | +| `postgresql-database-plugin` | Yes | Yes | Yes | Yes (1.7+) | Yes (1.18+ent) | ## Setup From c55a46520bce377a7e7cea4708781a5da3c10831 Mon Sep 17 00:00:00 2001 From: Vinay Gopalan Date: Mon, 16 Sep 2024 10:57:36 -0700 Subject: [PATCH 3/7] add new section to DB index capabilities --- .../api-docs/secret/databases/index.mdx | 4 ++- .../content/docs/secrets/databases/index.mdx | 34 +++++++++---------- .../docs/secrets/databases/postgresql.mdx | 6 ++-- 3 files changed, 23 insertions(+), 21 deletions(-) 
diff --git a/website/content/api-docs/secret/databases/index.mdx b/website/content/api-docs/secret/databases/index.mdx index 1b5b74ca266e..7218d1668ca1 100644 --- a/website/content/api-docs/secret/databases/index.mdx +++ b/website/content/api-docs/secret/databases/index.mdx @@ -537,7 +537,9 @@ this in order to know the password. - `self_managed_password` `(string)` – The password corresponding to this username in the database. Required when using the Rootless Password Rotation workflow for static roles. Only enabled for select - DB engines. + DB engines. See the + [database secrets engine capabilities](/vault/docs/secrets/databases#database-capabilities) + for details. - `db_name` `(string: )` - The name of the database connection to use for this role. diff --git a/website/content/docs/secrets/databases/index.mdx b/website/content/docs/secrets/databases/index.mdx index 223c0a531c02..1842cb9945fc 100644 --- a/website/content/docs/secrets/databases/index.mdx +++ b/website/content/docs/secrets/databases/index.mdx 
@@ -152,23 +152,23 @@ and private key pair to authenticate. -| Database | UI support | Root Credential Rotation | Dynamic Roles | Static Roles | Username Customization | Credential Types | -| ------------------------------------------------------------------- | ---------- | ------------------------ | ------------- | ------------ | ---------------------- | ---------------------------- | -| [Cassandra](/vault/docs/secrets/databases/cassandra) | No | Yes | Yes | Yes (1.6+) | Yes (1.7+) | password | -| [Couchbase](/vault/docs/secrets/databases/couchbase) | No | Yes | Yes | Yes | Yes (1.7+) | password | -| [Elasticsearch](/vault/docs/secrets/databases/elasticdb) | Yes (1.9+) | Yes | Yes | Yes (1.6+) | Yes (1.8+) | password | -| [HanaDB](/vault/docs/secrets/databases/hanadb) | No | Yes (1.6+) | Yes | Yes (1.6+) | Yes (1.12+) | password | -| [InfluxDB](/vault/docs/secrets/databases/influxdb) | No | Yes | Yes | Yes (1.6+) | Yes (1.8+) | password | -| [MongoDB](/vault/docs/secrets/databases/mongodb) | Yes (1.7+) | Yes | Yes | Yes | Yes (1.7+) | password | -| [MongoDB Atlas](/vault/docs/secrets/databases/mongodbatlas) | No | No | Yes | Yes | Yes (1.8+) | password, client_certificate | -| [MSSQL](/vault/docs/secrets/databases/mssql) | Yes (1.8+) | Yes | Yes | Yes | Yes (1.7+) | password | -| [MySQL/MariaDB](/vault/docs/secrets/databases/mysql-maria) | Yes (1.8+) | Yes | Yes | Yes | Yes (1.7+) | password, gcp_iam | -| [Oracle](/vault/docs/secrets/databases/oracle) | Yes (1.9+) | Yes | Yes | Yes | Yes (1.7+) | password | -| [PostgreSQL](/vault/docs/secrets/databases/postgresql) | Yes (1.9+) | Yes | Yes | Yes | Yes (1.7+) | password, gcp_iam | -| [Redis](/vault/docs/secrets/databases/redis) | No | Yes | Yes | Yes | No | password | -| [Redis ElastiCache](/vault/docs/secrets/databases/rediselasticache) | No | No | No | Yes | No | password | -| [Redshift](/vault/docs/secrets/databases/redshift) | No | Yes | Yes | Yes | Yes (1.8+) | password | -| 
[Snowflake](/vault/docs/secrets/databases/snowflake) | No | Yes | Yes | Yes | Yes (1.8+) | password, rsa_private_key | +| Database | UI support | Root Credential Rotation | Dynamic Roles | Static Roles | Username Customization | Credential Types | Rootless Password Rotation for Static Roles | +| ------------------------------------------------------------------- | ---------- | ------------------------ | ------------- | ------------ | ---------------------- | ---------------------------- | ------------------------------------------- | +| [Cassandra](/vault/docs/secrets/databases/cassandra) | No | Yes | Yes | Yes (1.6+) | Yes (1.7+) | password | No | +| [Couchbase](/vault/docs/secrets/databases/couchbase) | No | Yes | Yes | Yes | Yes (1.7+) | password | No | +| [Elasticsearch](/vault/docs/secrets/databases/elasticdb) | Yes (1.9+) | Yes | Yes | Yes (1.6+) | Yes (1.8+) | password | No | +| [HanaDB](/vault/docs/secrets/databases/hanadb) | No | Yes (1.6+) | Yes | Yes (1.6+) | Yes (1.12+) | password | No | +| [InfluxDB](/vault/docs/secrets/databases/influxdb) | No | Yes | Yes | Yes (1.6+) | Yes (1.8+) | password | No | +| [MongoDB](/vault/docs/secrets/databases/mongodb) | Yes (1.7+) | Yes | Yes | Yes | Yes (1.7+) | password | No | +| [MongoDB Atlas](/vault/docs/secrets/databases/mongodbatlas) | No | No | Yes | Yes | Yes (1.8+) | password, client_certificate | No | +| [MSSQL](/vault/docs/secrets/databases/mssql) | Yes (1.8+) | Yes | Yes | Yes | Yes (1.7+) | password | No | +| [MySQL/MariaDB](/vault/docs/secrets/databases/mysql-maria) | Yes (1.8+) | Yes | Yes | Yes | Yes (1.7+) | password, gcp_iam | No | +| [Oracle](/vault/docs/secrets/databases/oracle) | Yes (1.9+) | Yes | Yes | Yes | Yes (1.7+) | password | No | +| [PostgreSQL](/vault/docs/secrets/databases/postgresql) | Yes (1.9+) | Yes | Yes | Yes | Yes (1.7+) | password, gcp_iam | Yes (1.18+ent) | +| [Redis](/vault/docs/secrets/databases/redis) | No | Yes | Yes | Yes | No | password | No | +| [Redis 
ElastiCache](/vault/docs/secrets/databases/rediselasticache) | No | No | No | Yes | No | password | No | +| [Redshift](/vault/docs/secrets/databases/redshift) | No | Yes | Yes | Yes | Yes (1.8+) | password | No | +| [Snowflake](/vault/docs/secrets/databases/snowflake) | No | Yes | Yes | Yes | Yes (1.8+) | password, rsa_private_key | No | ## Custom plugins diff --git a/website/content/docs/secrets/databases/postgresql.mdx b/website/content/docs/secrets/databases/postgresql.mdx index d5b1a1c29353..68b5a8b3de07 100644 --- a/website/content/docs/secrets/databases/postgresql.mdx +++ b/website/content/docs/secrets/databases/postgresql.mdx @@ -24,9 +24,9 @@ options, including SSL options, can be found in the [pgx][pgxlib] and ## Capabilities -| Plugin Name | Root Credential Rotation | Dynamic Roles | Static Roles | Username Customization | Rootless Password Rotation for Static Roles | -| ---------------------------- | ------------------------ | ------------- | ------------ | ---------------------- | ------------------------------------------- | -| `postgresql-database-plugin` | Yes | Yes | Yes | Yes (1.7+) | Yes (1.18+ent) | +| Plugin Name | Root Credential Rotation | Dynamic Roles | Static Roles | Username Customization | Credential Types | Rootless Password Rotation for Static Roles | +| ---------------------------- | ------------------------ | ------------- | ------------ | ---------------------- | ---------------------------- | ------------------------------------------- | +| `postgresql-database-plugin` | Yes | Yes | Yes | Yes (1.7+) | password, gcp_iam | Yes (1.18+ent) | ## Setup From c742be92d6b025ce37d00264553092d072ec59ef Mon Sep 17 00:00:00 2001 From: vinay-gopalan <86625824+vinay-gopalan@users.noreply.github.com> Date: Mon, 16 Sep 2024 10:58:44 -0700 Subject: [PATCH 4/7] Make language clearer Co-authored-by: John-Michael Faircloth --- website/content/api-docs/secret/databases/postgresql.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/website/content/api-docs/secret/databases/postgresql.mdx b/website/content/api-docs/secret/databases/postgresql.mdx index 9e42ffd2b830..9ddfece16c56 100644 --- a/website/content/api-docs/secret/databases/postgresql.mdx +++ b/website/content/api-docs/secret/databases/postgresql.mdx @@ -53,7 +53,7 @@ has a number of parameters to further configure a connection. - `self_managed` `(boolean: "false")` - If set, allows onboarding static roles with a rootless connection configuration. Mutually - exclusive with `username` and `password`. Will override `verify_connection` if set. + exclusive with `username` and `password`. If set, will force `verify_connection` to be false. - `tls_ca` `(string: "")` - The x509 CA file for validating the certificate presented by the PostgreSQL server. Must be PEM encoded. From 428d2cb46538b26fad6c1150bff24c03e04c9a71 Mon Sep 17 00:00:00 2001 From: Vinay Gopalan Date: Mon, 16 Sep 2024 11:22:05 -0700 Subject: [PATCH 5/7] revert adding to capabilities page --- .../content/docs/secrets/databases/index.mdx | 34 +++++++++---------- .../docs/secrets/databases/postgresql.mdx | 6 ++-- 2 files changed, 20 insertions(+), 20 deletions(-) diff --git a/website/content/docs/secrets/databases/index.mdx b/website/content/docs/secrets/databases/index.mdx index 1842cb9945fc..223c0a531c02 100644 --- a/website/content/docs/secrets/databases/index.mdx +++ b/website/content/docs/secrets/databases/index.mdx 
@@ -152,23 +152,23 @@ and private key pair to authenticate. -| Database | UI support | Root Credential Rotation | Dynamic Roles | Static Roles | Username Customization | Credential Types | Rootless Password Rotation for Static Roles | -| ------------------------------------------------------------------- | ---------- | ------------------------ | ------------- | ------------ | ---------------------- | ---------------------------- | ------------------------------------------- | -| [Cassandra](/vault/docs/secrets/databases/cassandra) | No | Yes | Yes | Yes (1.6+) | Yes (1.7+) | password | No | -| [Couchbase](/vault/docs/secrets/databases/couchbase) | No | Yes | Yes | Yes | Yes (1.7+) | password | No | -| [Elasticsearch](/vault/docs/secrets/databases/elasticdb) | Yes (1.9+) | Yes | Yes | Yes (1.6+) | Yes (1.8+) | password | No | -| [HanaDB](/vault/docs/secrets/databases/hanadb) | No | Yes (1.6+) | Yes | Yes (1.6+) | Yes (1.12+) | password | No | -| [InfluxDB](/vault/docs/secrets/databases/influxdb) | No | Yes | Yes | Yes (1.6+) | Yes (1.8+) | password | No | -| [MongoDB](/vault/docs/secrets/databases/mongodb) | Yes (1.7+) | Yes | Yes | Yes | Yes (1.7+) | password | No | -| [MongoDB Atlas](/vault/docs/secrets/databases/mongodbatlas) | No | No | Yes | Yes | Yes (1.8+) | password, client_certificate | No | -| [MSSQL](/vault/docs/secrets/databases/mssql) | Yes (1.8+) | Yes | Yes | Yes | Yes (1.7+) | password | No | -| [MySQL/MariaDB](/vault/docs/secrets/databases/mysql-maria) | Yes (1.8+) | Yes | Yes | Yes | Yes (1.7+) | password, gcp_iam | No | -| [Oracle](/vault/docs/secrets/databases/oracle) | Yes (1.9+) | Yes | Yes | Yes | Yes (1.7+) | password | No | -| [PostgreSQL](/vault/docs/secrets/databases/postgresql) | Yes (1.9+) | Yes | Yes | Yes | Yes (1.7+) | password, gcp_iam | Yes (1.18+ent) | -| [Redis](/vault/docs/secrets/databases/redis) | No | Yes | Yes | Yes | No | password | No | -| [Redis ElastiCache](/vault/docs/secrets/databases/rediselasticache) | No | No | No | 
Yes | No | password | No | -| [Redshift](/vault/docs/secrets/databases/redshift) | No | Yes | Yes | Yes | Yes (1.8+) | password | No | -| [Snowflake](/vault/docs/secrets/databases/snowflake) | No | Yes | Yes | Yes | Yes (1.8+) | password, rsa_private_key | No | +| Database | UI support | Root Credential Rotation | Dynamic Roles | Static Roles | Username Customization | Credential Types | +| ------------------------------------------------------------------- | ---------- | ------------------------ | ------------- | ------------ | ---------------------- | ---------------------------- | +| [Cassandra](/vault/docs/secrets/databases/cassandra) | No | Yes | Yes | Yes (1.6+) | Yes (1.7+) | password | +| [Couchbase](/vault/docs/secrets/databases/couchbase) | No | Yes | Yes | Yes | Yes (1.7+) | password | +| [Elasticsearch](/vault/docs/secrets/databases/elasticdb) | Yes (1.9+) | Yes | Yes | Yes (1.6+) | Yes (1.8+) | password | +| [HanaDB](/vault/docs/secrets/databases/hanadb) | No | Yes (1.6+) | Yes | Yes (1.6+) | Yes (1.12+) | password | +| [InfluxDB](/vault/docs/secrets/databases/influxdb) | No | Yes | Yes | Yes (1.6+) | Yes (1.8+) | password | +| [MongoDB](/vault/docs/secrets/databases/mongodb) | Yes (1.7+) | Yes | Yes | Yes | Yes (1.7+) | password | +| [MongoDB Atlas](/vault/docs/secrets/databases/mongodbatlas) | No | No | Yes | Yes | Yes (1.8+) | password, client_certificate | +| [MSSQL](/vault/docs/secrets/databases/mssql) | Yes (1.8+) | Yes | Yes | Yes | Yes (1.7+) | password | +| [MySQL/MariaDB](/vault/docs/secrets/databases/mysql-maria) | Yes (1.8+) | Yes | Yes | Yes | Yes (1.7+) | password, gcp_iam | +| [Oracle](/vault/docs/secrets/databases/oracle) | Yes (1.9+) | Yes | Yes | Yes | Yes (1.7+) | password | +| [PostgreSQL](/vault/docs/secrets/databases/postgresql) | Yes (1.9+) | Yes | Yes | Yes | Yes (1.7+) | password, gcp_iam | +| [Redis](/vault/docs/secrets/databases/redis) | No | Yes | Yes | Yes | No | password | +| [Redis 
ElastiCache](/vault/docs/secrets/databases/rediselasticache) | No | No | No | Yes | No | password | +| [Redshift](/vault/docs/secrets/databases/redshift) | No | Yes | Yes | Yes | Yes (1.8+) | password | +| [Snowflake](/vault/docs/secrets/databases/snowflake) | No | Yes | Yes | Yes | Yes (1.8+) | password, rsa_private_key | ## Custom plugins diff --git a/website/content/docs/secrets/databases/postgresql.mdx b/website/content/docs/secrets/databases/postgresql.mdx index 68b5a8b3de07..2193ffc39953 100644 --- a/website/content/docs/secrets/databases/postgresql.mdx +++ b/website/content/docs/secrets/databases/postgresql.mdx @@ -24,9 +24,9 @@ options, including SSL options, can be found in the [pgx][pgxlib] and ## Capabilities -| Plugin Name | Root Credential Rotation | Dynamic Roles | Static Roles | Username Customization | Credential Types | Rootless Password Rotation for Static Roles | -| ---------------------------- | ------------------------ | ------------- | ------------ | ---------------------- | ---------------------------- | ------------------------------------------- | -| `postgresql-database-plugin` | Yes | Yes | Yes | Yes (1.7+) | password, gcp_iam | Yes (1.18+ent) | +| Plugin Name | Root Credential Rotation | Dynamic Roles | Static Roles | Username Customization | Credential Types | +| ---------------------------- | ------------------------ | ------------- | ------------ | ---------------------- | ---------------------------- | +| `postgresql-database-plugin` | Yes | Yes | Yes | Yes (1.7+) | password, gcp_iam | ## Setup From 14fac98ae3417c150b40513bbeeb89f2d42a0544 Mon Sep 17 00:00:00 2001 From: Vinay Gopalan Date: Mon, 16 Sep 2024 11:24:18 -0700 Subject: [PATCH 6/7] remove not on capabilities --- website/content/api-docs/secret/databases/index.mdx | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/website/content/api-docs/secret/databases/index.mdx b/website/content/api-docs/secret/databases/index.mdx index 7218d1668ca1..1b5b74ca266e 100644 
--- a/website/content/api-docs/secret/databases/index.mdx +++ b/website/content/api-docs/secret/databases/index.mdx @@ -537,9 +537,7 @@ this in order to know the password. - `self_managed_password` `(string)` – The password corresponding to this username in the database. Required when using the Rootless Password Rotation workflow for static roles. Only enabled for select - DB engines. See the - [database secrets engine capabilities](/vault/docs/secrets/databases#database-capabilities) - for details. + DB engines. - `db_name` `(string: )` - The name of the database connection to use for this role. From e6fa0ad95757f4d8d7f0def2fc8d02ddc17e6e0e Mon Sep 17 00:00:00 2001 From: Vinay Gopalan Date: Mon, 23 Sep 2024 11:56:42 -0700 Subject: [PATCH 7/7] tweak language --- website/content/api-docs/secret/databases/index.mdx | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/website/content/api-docs/secret/databases/index.mdx b/website/content/api-docs/secret/databases/index.mdx index 1b5b74ca266e..e788d452ed91 100644 --- a/website/content/api-docs/secret/databases/index.mdx +++ b/website/content/api-docs/secret/databases/index.mdx @@ -535,9 +535,9 @@ this in order to know the password. Vault role corresponds to. - `self_managed_password` `(string)` – - The password corresponding to this username in the database. Required when using + The password corresponding to the username in the database. Required when using the Rootless Password Rotation workflow for static roles. Only enabled for select - DB engines. + DB engines (Postgres). - `db_name` `(string: )` - The name of the database connection to use for this role.
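
Review bot: The `self_managed_password` entry added to `api-docs/secret/databases/index.mdx` in PATCH 1/7 is typed as a bare `(string)`, unlike the neighbouring `username` and `db_name` entries, and it does not say what happens to the value after onboarding. Suggest matching the annotation style of the adjacent parameters. Also add a sentence on whether the supplied password is replaced at the first rotation and whether it is ever returned when the role is read, so operators know how long the original password stays valid.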
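
Review bot: The `self_managed` entry added to `api-docs/secret/databases/postgresql.mdx` in PATCH 1/7 gives the boolean default as a quoted string, `(boolean: "false")`; suggest an unquoted default. "Mutually exclusive with `username` and `password`" also needs a word on `connection_url`: the walkthrough in this same patch still passes `{{username}}:{{password}}` in the URL, so the entry should say explicitly whether the templates remain and where their values come from in the rootless workflow.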
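
Review bot: The role names in the walkthrough added to `docs/secrets/databases/postgresql.mdx` in PATCH 1/7 do not agree: step 2 sets `allowed_roles="my-role"`, step 3 writes `database/static-roles/my-static-role`, and step 4 reads `database/static-creds/static-test`. A reader following the steps verbatim reads a role that was never created, and the role from step 3 does not match the connection's `allowed_roles` value. Suggest one role name across all three commands. The second note would also be clearer if it said which side has to be updated by hand after an out-of-band rotation, the password in PostgreSQL or the one Vault holds.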
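
Review bot: The reworded `self_managed` description in PATCH 4/7 now has two consecutive sentences opening with "If set", and "will force `verify_connection` to be false" leaves out the operational consequence. Suggest merging the two sentences and stating that the connection details are not checked when the config is written, and at what point a bad `connection_url` would first surface.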
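
Review bot: Dropping the "Rootless Password Rotation for Static Roles" column from both tables in PATCH 5/7 also removes the only `1.18+ent` marker visible in this series. If the new section in `docs/secrets/databases/postgresql.mdx` does not state the version and edition requirement elsewhere, add it directly under the section heading so readers on other builds do not attempt the workflow.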
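
Review bot: "DB engines (Postgres)" in the `self_managed_password` entry changed by PATCH 7/7 names the engine differently from the rest of the series, which uses "PostgreSQL" and `postgresql-database-plugin`. Suggest "(PostgreSQL)" for consistency, ideally with a link to the PostgreSQL plugin page so the reader lands on the rootless setup steps.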