Labels: Enhancement (New feature or request), Core API (Relating to the core OpenFGA service or API)
Vault has extensive support for dynamic short-lived database credentials; both PostgreSQL and MySQL are supported. This would be a great addition to offer more security for OpenFGA.
Relevant docs: https://developer.hashicorp.com/vault/docs/secrets/databases.
There are a lot of ways to support this; direct integration would be the "nicest". It requires authenticating to Vault, requesting short-lived credentials and then recycling connections whenever the lease time is near.
There are other methods that would "work". For example, offering a max-lifetime for datasource connections along with reading credentials from a file without caching them in memory. The max-lifetime for connections will allow the server to be configured to recycle connections much faster than the lease time granted by Vault. Vault users could then mount the credentials from Vault as a file/volume which is updated automatically by the Vault Agent. Since the credentials aren't cached in memory but read from the file for each new connection, they will always use the currently valid credentials.