Configure the HashiCorp Vault

You can use HashiCorp Vault to store the database credentials for Database Monitoring configurations. The Database Agent reads the database secret stored in the vault to establish a connection with the databases. To do so, the agent must first authenticate to the vault to obtain a token, and then use that token to fetch the database secret.

Supported Databases

  • Cassandra
  • Couchbase
  • IBM DB2
  • Microsoft Azure SQL
  • Microsoft SQL Server
  • MongoDB
  • MySQL
  • Oracle
  • PostgreSQL
  • SAP HANA
  • Sybase

Connect the Database Agent with HashiCorp Vault

To establish a connection between Database Agent and HashiCorp Vault, you need the:

  • Address of the vault
  • HTTPS certificate of the vault (Optional)

Specify the address and the HTTPS certificate path of the vault while starting the Database Agent:

    -Ddbagent.hashicorp.vault.url=https://vault.dbmon.com:8200
    -Ddbagent.hashicorp.vault.https.cert.path=/Users/user1/works/HashiCorpVault/vault.dbmon.com.pem

Note: Database Agent can communicate with only one vault at a time.

Configure the HashiCorp Vault

Add the following details while creating a collector.

  1. Navigate to Databases > Configuration > Collectors > Add.
  2. Select HashiCorp Vault under Database Credentials, and specify the following details:
    • Authentication Method: Choose one of the following methods: AWS IAM, TLS Certificates, or JWT.
    • Secret Path: Specify the path of the secret in the vault. For example, database/cred/mysql-prod
    • Namespace: Specify the namespace of the vault that is used for authentication and for fetching the secret.
    • Auth Custom Mount Point (Optional): Specify a custom mount path for AWS and JWT based authentication. The default values are aws and jwt, respectively.

Based on the authentication method that you selected, specify the following details:

AWS IAM

Select one of the following ways to configure under Configured As:

Attributes and Value
  • AWS Access Key ID (Optional): Specify the AWS access key ID for STS request header signing.
  • AWS Secret Access Key (Optional): Specify the AWS secret access key for STS request header signing.
  • AWS Region: Specify the AWS Region for Security Token Service (STS) endpoint access.
  • Role: Specify the AWS IAM role that will be used for vault authentication. For more information about AWS IAM roles, see AWS auth method.

Configuration file
  • AWS Credential File Path (Optional): Specify the path of the credentials file. If you do not specify any value, the default ~/.aws/credentials path is used.
  • AWS Profile (Optional): Specify the AWS profile.
  • Role: Specify the AWS IAM role that will be used for vault authentication. For more information about AWS IAM roles, see AWS auth method.

TLS Certificates

  • Client Cert File Path: Specify the path of the client certificate file on the system where the Database Agent is running. The client certificate file must be in PEM format and accessible to the Database Agent for vault authentication. For more information, see TLS certificates auth method.
  • Client Cert Key File Path: Specify the path of the client certificate key file. The client certificate key file must be in PEM format and accessible to the Database Agent for vault authentication.
  • Auth Custom Mount Point (Optional): Specify a custom mount path. The default value is cert.

JWT

Select one of the following ways to configure under Configured As:

HTTP URL
  • HTTP URL: Specify the URL that returns the JWT token that will be used for authentication.
  • Role: Specify the role in the vault that will be used for authentication.

File Path
  • File Path: Specify the path of the file containing the JWT token.
  • Role: Specify the role in the vault that will be used for authentication.

Token Value
  • Token Value: Specify the JWT token in plain text.
    Note: The Azure authentication method is supported through OpenID Connect (OIDC). If you want to use the Azure authentication method, specify oidc in this field.
  • Role: Specify the role in the vault that will be used for authentication.
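The two-step flow the agent performs (authenticate to the vault to obtain a token, then read the secret at Secret Path) is useful to reproduce against the Vault HTTP API when validating a collector's role, namespace, mount point and secret path before deploying the agent. The script below is an added example, not the Database Agent's own code; it uses the JWT auth method with a Token Value, and the function names, the `fake_vault` stub and the sample role and secret values are constructed for this illustration.

```python
import json
import ssl
import urllib.request

def http_transport(ca_path=None):
    """Real HTTPS transport: ca_path pins the vault certificate, like the agent's
    -Ddbagent.hashicorp.vault.https.cert.path property."""
    ctx = ssl.create_default_context(cafile=ca_path) if ca_path else None

    def send(method, url, headers, body):
        req = urllib.request.Request(url, data=body, method=method, headers=headers)
        with urllib.request.urlopen(req, timeout=10, context=ctx) as resp:
            return json.load(resp)
    return send

def vault_headers(token=None, namespace=None):
    headers = {"Content-Type": "application/json"}
    if token:
        headers["X-Vault-Token"] = token          # token from the login step
    if namespace:
        headers["X-Vault-Namespace"] = namespace  # the collector's Namespace field
    return headers

def login_jwt(transport, vault_addr, jwt, role, namespace=None, mount="jwt"):
    """Exchange the JWT for a Vault token; mount is the Auth Custom Mount Point."""
    url = f"{vault_addr.rstrip('/')}/v1/auth/{mount}/login"
    body = json.dumps({"role": role, "jwt": jwt}).encode()
    resp = transport("POST", url, vault_headers(namespace=namespace), body)
    return resp["auth"]["client_token"]

def read_secret(transport, vault_addr, token, secret_path, namespace=None):
    """Read the secret at Secret Path using the token obtained from login_jwt."""
    url = f"{vault_addr.rstrip('/')}/v1/{secret_path.strip('/')}"
    data = transport("GET", url, vault_headers(token, namespace), None)["data"]
    # KV v2 nests the key/value pairs one level deeper than KV v1; unwrap either
    return data["data"] if isinstance(data.get("data"), dict) else data

def fetch_database_secret(transport, vault_addr, jwt, role, secret_path,
                          namespace=None, mount="jwt"):
    token = login_jwt(transport, vault_addr, jwt, role, namespace, mount)
    return read_secret(transport, vault_addr, token, secret_path, namespace)

def fake_vault(method, url, headers, body):
    """Constructed stand-in for a Vault server so the flow can be exercised offline."""
    if method == "POST" and url.endswith("/v1/auth/jwt/login"):
        return {"auth": {"client_token": "hvs.CONSTRUCTED"}}
    if method == "GET" and headers.get("X-Vault-Token") == "hvs.CONSTRUCTED":
        return {"data": {"data": {"username": "dbmon", "password": "constructed-pw"},
                         "metadata": {"version": 1}}}   # KV v2 response shape
    raise PermissionError(f"{method} {url}: missing or invalid token")
```

Replace `fake_vault` with `http_transport("/path/to/vault.pem")` to run the same check against a real vault; a PermissionError or HTTP 403 on the read step means the role's policy does not cover the configured Secret Path.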