HashiCorp Vault 动态数据库凭证与密钥轮换实践

# HashiCorp Vault 动态数据库凭证与密钥轮换实践 ## 启用与配置（示意） ``` vault secrets enable database vault write database/config/mydb \ plugin_name=postgresql-database-plugin \ allowed_roles="app" \ connection_url="postgresql://{{username}}:{{password}}@db:5432/postgres?sslmode=disable" \ username="admin" password="secret" vault write database/roles/app \ db_name=mydb \ creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD \"{{password}}\" VALID UNTIL '{{expiration}}'; GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";" \ default_ttl=1h max_ttl=24h ``` ## 获取动态凭证 ``` vault read database/creds/app ``` ## 轮换与吊销 ``` vault lease revoke vault write database/rotate-root/mydb ``` ## 验证要点 - 观察短期租约与自动过期 - 确认应用仅持有最小权限与短生命周期账户 ## 总结 动态凭证与轮换机制能显著降低长期静态凭证泄露风险并提升合规性。