Feature Request:
Support for Azure Database for PostgreSQL (i.e. hosted PostgreSQL)
Environment:
Vault Version: v0.8.1
Operating System/Architecture: Linux x64
Expected Behavior:
Azure Postgres requires the username in the connection be formatted as user@hostname even though, once connected, statements don't require the @hostname. It seems like it would make sense for Vault to return the string that would correctly be used as the username in the connection.
Actual Behavior:
Vault will return the username generated by plugins/helper/database/credutil that it used in the SQL statements.
Important Factoids:
Not sure if the way to solve this would be to include config options to the existing postgres plugin which will append the hostname to the username on return of CreateUser or fork the plugin for an Azure specific implementation. Another option altogether might be to make it a template option along the lines of what is discussed in GH-317.
It appears Azure did the same thing with MySQL as well. Not sure if you want to try to account for this or just say it is a configuration issue based on the user's choice.
Ran into this today as well. Very annoying. However, I managed to work around it and it might help whoever runs into this old issue. Not for PostgreSQL, but for the same issue on MySQL, I adjusted my connection string in Vault to something like {{username}}@<hostname>:{{password}}@tcp(<fullhostname>:3306)/
I can still get proper credentials and I was able to rotate the root password for this connection (which was what failed for me when using the full username).
I am also having this issue with Azure Postgres Server. I was able to work around the root password rotation issue by setting the Vault database connection string root_rotation_statements option to:
ALTER ROLE CURRENT_USER WITH PASSWORD '{{password}}';
I assumed that Vault was using the configured db connection user to update its own password. CURRENT_USER is a Postgres built-in function which returns the current user. The alter role documents mention you can use name, CURRENT_USER, and SESSION_USER. This could be updated in the Vault database postgres plugin as long as the string is used only for rotate-root.
References (from the issue description):
Azure docs with examples of the username string:
https://docs.microsoft.com/en-us/azure/postgresql/connect-go
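
Added example (not Vault's code and not from any poster in this thread): a client-side Go helper that turns the role name Vault returns into the user@hostname login the issue describes, and builds a postgres:// URL in which that extra `@` is percent-encoded. The function names, the sample role, server name and password, port 5432 and `sslmode=require` are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// AzureLogin returns the login form "role@server" for a role name as used in
// SQL statements. server is the suffix the deployment expects (assumed here
// to be a short server name). Already-qualified names are returned unchanged.
func AzureLogin(role, server string) (string, error) {
	if role == "" || server == "" || strings.ContainsAny(server, "@/:? ") {
		return "", fmt.Errorf("invalid role %q or server %q", role, server)
	}
	suffix := "@" + server
	if strings.HasSuffix(role, suffix) && len(role) > len(suffix) {
		return role, nil // do not append the suffix twice
	}
	if strings.Contains(role, "@") {
		return "", fmt.Errorf("role %q is qualified for another server", role)
	}
	return role + suffix, nil
}

// ConnURL builds a postgres:// URL for the qualified login. url.UserPassword
// percent-encodes '@', '/', ':' and '?' in the userinfo, so the '@' inside
// the login is not mistaken for the separator before the host.
func ConnURL(role, password, server, fqdn, db string) (string, error) {
	login, err := AzureLogin(role, server)
	if err != nil {
		return "", err
	}
	u := url.URL{
		Scheme:   "postgres",
		User:     url.UserPassword(login, password),
		Host:     fqdn + ":5432",
		Path:     "/" + db,
		RawQuery: "sslmode=require", // assumption: TLS is required by the server
	}
	return u.String(), nil
}

func main() {
	// Constructed sample values; real ones come from Vault's credentials response.
	s, err := ConnURL("v-role-abc", "p@ss/w0rd", "mydemoserver",
		"mydemoserver.postgres.database.azure.com", "appdb")
	fmt.Println(s, err)
}
```

The unqualified role name is still the one to use in SQL statements such as GRANT or ALTER ROLE; only the connection login carries the suffix.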