Skip to content

Commit

Permalink
backport of commit 17740fc
Browse files Browse the repository at this point in the history
  • Loading branch information
jehof authored May 4, 2023
1 parent df689dc commit 2a1868a
Showing 1 changed file with 6 additions and 8 deletions.
14 changes: 6 additions & 8 deletions website/content/docs/secrets/databases/elasticdb.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -90,7 +90,7 @@ $ curl \

The contents of `data.json` in this example are:

```
```json
{
"password" : "myPa55word",
"roles" : [ "vault" ],
Expand All @@ -108,7 +108,7 @@ Now, Elasticsearch is configured and ready to be used with Vault.

1. Enable the database secrets engine if it is not already enabled:

```text
```shell-session
$ vault secrets enable database
Success! Enabled the database secrets engine at: database/
```
Expand All @@ -118,7 +118,7 @@ Now, Elasticsearch is configured and ready to be used with Vault.

1. Configure Vault with the proper plugin and connection information:

```text
```shell-session
$ vault write database/config/my-elasticsearch-database \
plugin_name="elasticsearch-database-plugin" \
allowed_roles="internally-defined-role,externally-defined-role" \
Expand All @@ -135,25 +135,23 @@ Now, Elasticsearch is configured and ready to be used with Vault.
a privilege escalation by editing a role's privileges out-of-band in
Elasticsearch:

```text
```shell-session
$ vault write database/roles/internally-defined-role \
db_name=my-elasticsearch-database \
creation_statements='{"elasticsearch_role_definition": {"indices": [{"names":["*"], "privileges":["read"]}]}}' \
default_ttl="1h" \
max_ttl="24h"
Success! Data written to: database/roles/internally-defined-role
```

1. Alternatively, configure a role that maps a name in Vault to a pre-existing
role definition in Elasticsearch:

```text
```shell-session
$ vault write database/roles/externally-defined-role \
db_name=my-elasticsearch-database \
creation_statements='{"elasticsearch_roles": ["pre-existing-role-in-elasticsearch"]}' \
default_ttl="1h" \
max_ttl="24h"
Success! Data written to: database/roles/externally-defined-role
```

## Usage
Expand All @@ -164,7 +162,7 @@ the proper permission, it can generate credentials.
1. Generate a new credential by reading from the `/creds` endpoint with the name
of the role:

```text
```shell-session
$ vault read database/creds/my-role
Key Value
--- -----
Expand Down

0 comments on commit 2a1868a

Please sign in to comment.