@@ -158,69 +158,74 @@ you will need to enable ipc_lock capabilities for the plugin binary.
158158
159159 See the [ Commands] ( /vault/docs/commands#files ) docs for more details.
160160
161- ### Rootless Configuration and Password Rotation for Static Roles
161+ ### Rootless configuration and password rotation for static roles
162162
163- < EnterpriseAlert product = " vault " />
163+ @ include 'alerts/enterprise-only.mdx'
164164
165- The Oracle database plugin supports using Static Roles and its password rotation mechanisms with a Rootless
166- DB connection configuration. In this workflow, a static DB user can be onboarded onto Vault's static role rotation
167- mechanism without the need of privileged root accounts to configure the connection. Instead of using a single root
168- connection, multiple dedicated connections to the DB are made for each static role. This workflow does not support
169- dynamic roles/credentials.
165+ The Oracle database plugin supports static roles (including password rotation)
166+ with a rootless DB connection configuration.
170167
171- ~ > Note: It is ** highly recommended** that the DB users being onboarded as static roles
172- have the minimum set of privileges. Each static role will open a new connection into the DB.
173- Granting minimum privileges to the DB users being onboarded ensures that multiple
174- highly-privileged connections to an external system are not being made.
168+ With a rootless configuration you can onboard static DB users and use static
169+ role rotation through Vault without requiring privileged root accounts for
170+ connection configuration. Instead of using a single root connection, each static
171+ role has multiple dedicated connections to the database. We highly recommend
172+ onboarding database users as static roles with the minimum set of privileges
173+ possible. Each static role opens a new connection into the database and granting
174+ minimum privileges helps Vault avoid creating multiple, highly-privileged
175+ connections to an external system.
175176
176- ~ > Note: Out-of-band password rotations will cause Vault to be out of sync with the state of
177- the DB user, and will require manually updating the user's password in the external Oracle
178- DB in order to resolve any errors encountered during rotation.
177+ With rootless connections, Vault can become out of sync with the database user
178+ if out-of-band password rotations occur. To resolve the associated rotation
179+ errors, you need to manually update the password in your external Oracle
180+ database.
179181
182+ Vault does not support dynamic roles/credentials with rootless DB connections.
183+
184+ ## Setup
1801851 . Enable the database secrets engine if it is not already enabled:
181186
182- ``` shell-session
183- $ vault secrets enable database
184- Success! Enabled the database secrets engine at: database/
185- ```
187+ ``` shell-session
188+ $ vault secrets enable database
189+ Success! Enabled the database secrets engine at: database/
190+ ```
186191
187- By default, the secrets engine will enable at the name of the engine. To
188- enable the secrets engine at a different path, use the ` -path ` argument.
192+ By default, the secrets engine will enable at the name of the engine. To
193+ enable the secrets engine at a different path, use the ` -path ` argument.
189194
190- 1 . Configure connection to DB without root credentials and enable the rootless
191- workflow by setting the ` self_managed ` parameter:
195+ 1 . Configure a connection to your database without root credentials and enable
196+ the rootless workflow using the ` self_managed ` parameter. For example :
192197
193- ``` shell-session
194- $ vault write database/config/my-oracle-database \
195- plugin_name="oracle-database-plugin" \
196- allowed_roles="my-role" \
197- connection_url="{{username}}/{{password}}@//localhost:1521/database-name" \
198- self_managed=true
199- ```
198+ ``` shell-session
199+ $ vault write database/config/my-oracle-database \
200+ plugin_name="oracle-database-plugin" \
201+ allowed_roles="my-role" \
202+ connection_url="{{username}}/{{password}}@//localhost:1521/database-name" \
203+ self_managed=true
204+ ```
200205
201- 1 . Configure a static role that creates a dedicated connection to a user in the DB with
202- the ` password ` parameter:
206+ 1 . Configure a static role that creates a dedicated connection to a user in
207+ the Oracle database with the ` password ` parameter. For example :
203208
204- ``` shell-session
205- $ vault write database/static-roles/my-role \
206- db_name="my-oracle-database" \
207- username="staticuser" \
208- password="password" \
209- rotation_period="1h"
210- ```
209+ ``` shell-session
210+ $ vault write database/static-roles/my-role \
211+ db_name="my-oracle-database" \
212+ username="staticuser" \
213+ password="password" \
214+ rotation_period="1h"
215+ ```
211216
212- 1 . Read static credentials:
217+ 1 . Verify the new static credentials with ` vault read ` . For example: :
213218
214- ``` shell-session
215- $ vault read database/static-creds/my-role
216- Key Value
217- --- -----
218- last_vault_rotation 2024-09-11T14:15:13.764783-07:00
219- password XZY42BVc-UO5bMsbgxrW
220- rotation_period 1h
221- ttl 59m55s
222- username staticuser
223- ```
219+ ``` shell-session
220+ $ vault read database/static-creds/my-role
221+ Key Value
222+ --- -----
223+ last_vault_rotation 2024-09-11T14:15:13.764783-07:00
224+ password XZY42BVc-UO5bMsbgxrW
225+ rotation_period 1h
226+ ttl 59m55s
227+ username staticuser
228+ ```
224229
225230### Connect using SSL
226231
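Review bot: the new `## Setup` heading (line 184 of the new file) is one level above the surrounding `###` sections, so in the rendered page `### Connect using SSL` and everything after it becomes a child of "Setup" instead of a sibling of "Rootless configuration and password rotation for static roles"; make it `#### Setup` (or fold the steps back under the `###` heading) so the outline stays intact. Two smaller points in the same hunk: the rewritten paragraph now says "each static role has multiple dedicated connections to the database", which contradicts the next sentence ("Each static role opens a new connection into the database") and the original wording, where there is one dedicated connection per static role rather than the single shared root connection, so consider "each static role uses its own dedicated connection to the database"; and the lead-in "Verify the new static credentials with `vault read`. For example: :" carries a doubled colon that should be "For example:".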