Vault
Couchbase database plugin HTTP API
Note: This engine can use external X.509 certificates as part of TLS or signature validation. Verifying signatures against X.509 certificates that use SHA-1 is deprecated and is no longer usable without a workaround starting in Vault 1.12. See the deprecation FAQ for more information.
The Couchbase database plugin is one of the supported plugins for the database secrets engine. This plugin generates database credentials dynamically based on configured roles for the Couchbase database.
Configure connection
In addition to the parameters defined by the Database Secrets Engine, this plugin has a number of parameters to further configure a connection.
Method | Path |
---|---|
POST | /database/config/:name |
Parameters
hosts
(string: <required>)
– Specifies a set of comma-delimited Couchbase hosts to connect to. Must usecouchbase://
scheme iftls
istrue
.username
(string: <required>)
– Specifies the username for Vault to use.password
(string: <required>)
– Specifies the password corresponding to the given username.tls
(bool: false)
– Specifies whether to use TLS when connecting to Couchbase.insecure_tls
(bool: false)
– Specifies whether to skip verification of the server certificate when using TLS.base64pem
(string: "")
– Required iftls
istrue
. Specifies the certificate authority of the Couchbase server, as a PEM certificate that has been base64 encoded.bucket_name
(string: "")
- Required for Couchbase versions prior to 6.5.0. This is only used to verify vault's connection to the server.username_template
(string)
- Template describing how dynamic usernames are generated.
Default Username Template
V_{{.DisplayName | uppercase | truncate 64}}_{{.RoleName | uppercase | truncate 64}}_{{random 20 | uppercase}}_{{unix_time}}
Example Usernames:
Example | |
---|---|
DisplayName | token |
RoleName | myrolename |
Username | V_TOKEN_MYROLENAME_USZT1N4CYHAL4M0XTGX3_1614294836 |
Example | |
---|---|
DisplayName | amuchlonger_dispname |
RoleName | role-name-with-dashes |
Username | V_AMUCHLONGER_DISPNAME_ROLE-NAME-WITH-DASHES_S0T9XB0JSAB9NQZ7YJ40_1614294836 |
Sample payload
{
"plugin_name": "couchbase-database-plugin",
"hosts": "couchbase://127.0.0.1",
"username": "user",
"password": "pass",
"allowed-roles": "my-*-role"
}
Sample request
$ curl \
--header "X-Vault-Token: ..." \
--request POST \
--data @payload.json \
http://127.0.0.1:8200/v1/database/config/couchbase
Statements
Statements are configured during role creation and are used by the plugin to determine what is sent to the database on user creation, renewing, and revocation. For more information on configuring roles see the Role API in the database secrets engine docs.
Parameters
The following are the statements used by this plugin. If not mentioned in this list the plugin does not support that statement type.
creation_statements
(list: [])
– Specifies a JSON string containing Couchbase RBAC roles to assign to created users. Any groups specified must already exist. Must be a single JSON string. If not provided, defaults to read-only admin.