Vault: [database/postgres] Vault generates credentials that do not work with AWS redshift

Created on 28 Feb 2018 · 10 comments · Source: hashicorp/vault

Environment:

  • Vault Version: 0.9.4
  • Operating System/Architecture:
    Ubuntu client, AWS Linux server, Redshift database

Vault Config File:

Startup Log Output:

Expected Behavior:
Generate valid users, similar to the currently working RDS PostgreSQL 9.6 setup.

Actual Behavior:
Generates users successfully but incorrectly returns the username if it contains capital letters.
Redshift is PostgreSQL 8 and generates lower-case usernames even if capital letters are provided. Vault is unaware and attempts to create user 'Foo', succeeds, stores it as 'Foo' and tells the user that their username is 'Foo'. However, Redshift stores 'foo', so you cannot log in directly with Vault's response and have to lower() the username.

Steps to Reproduce:

$ vault login -method=ldap username=Marc
Password (will be hidden): 
Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.

Key                    Value
---                    -----
token                  redact
token_accessor         redact
token_duration         8h  
token_renewable        true
token_policies         [default developers ops]
token_meta_username    Marc

$ vault read database/creds/redshift-staging
Key                Value
---                -----
lease_id           database/creds/redshift-staging/1a29f9a9-f1d5-23f5-e0e4-922439d5018f
lease_duration     10h
lease_renewable    true
password           A1a-z55wuwx4946rqps7
username           v-ldap-Mar-redshift-s53tttr16x44s007sr4s-1519840117

$ c_redshift

psql: FATAL:  password authentication failed for user "v-ldap-Mar-redshift-s53tttr16x44s007sr4s-1519840117"
FATAL:  password authentication failed for user "v-ldap-Mar-redshift-s53tttr16x44s007sr4s-1519840117"

$ c_redshift #with lowercase username
psql (9.6.7, server 8.0.2)
SSL connection (protocol: TLSv1.2, cipher: ECDHE-RSA-AES256-GCM-SHA384, bits: 256, compression: off)
Type "help" for help.

warehouse=> \du 
                                                    List of roles
                      Role name                      |                 Attributes                  |    Member of    
-----------------------------------------------------+---------------------------------------------+------------------
 v-ldap-mar-redshift-s53tttr16x44s007sr4s-1519840117 | Password valid until 2018-03-01 03:48:37+00 | {admin_users}

warehouse=> 

Labels: bug, secret/database, version/0.9.x
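To make the mismatch concrete, here is an added example (my own code, not Vault's postgresql plugin and not the forked Redshift plugin linked later in the thread) that reproduces the username layout visible in the output above and shows the fix the thread converges on: lower-casing the generated name before it is sent to CREATE USER and before it is returned to the caller. Assumptions: the display name Vault passed in was "ldap-Marc" (inferred from the `token_meta_username` and the `ldap-Mar` segment), the layout is `v-<displayName[:8]>-<roleName[:8]>-<20 random chars>-<unix time>` (inferred from the output, not taken from Vault's source), and `redshiftFold` models Redshift's default behaviour exactly as the reporter describes it, storing every identifier lower-cased.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Layout inferred from the issue's output; illustrative, not Vault's source:
//   v-<displayName[:8]>-<roleName[:8]>-<20 random chars>-<unix time>
const (
	displayNameLen = 8
	roleNameLen    = 8
	randomLen      = 20
	maxUsernameLen = 63 // PostgreSQL identifier limit
)

func truncate(s string, n int) string {
	if len(s) > n {
		return s[:n]
	}
	return s
}

// buildUsername assembles a name from already-chosen parts. It preserves the
// case of displayName, which is exactly the behaviour the reporter ran into.
func buildUsername(displayName, roleName, random string, unix int64) string {
	u := fmt.Sprintf("v-%s-%s-%s-%d",
		truncate(displayName, displayNameLen),
		truncate(roleName, roleNameLen),
		random, unix)
	return truncate(u, maxUsernameLen)
}

// buildRedshiftUsername is the fix: fold the name to lower case so that what
// CREATE USER receives, what Redshift stores, and what the caller gets back
// are all the same string.
func buildRedshiftUsername(displayName, roleName, random string, unix int64) string {
	return strings.ToLower(buildUsername(displayName, roleName, random, unix))
}

// randomAlnum draws n characters from a lower-case alphanumeric set using
// crypto/rand, so the random segment never reintroduces upper case.
func randomAlnum(n int) (string, error) {
	const alphabet = "abcdefghijklmnopqrstuvwxyz0123456789"
	b := make([]byte, n)
	for i := range b {
		idx, err := rand.Int(rand.Reader, big.NewInt(int64(len(alphabet))))
		if err != nil {
			return "", err
		}
		b[i] = alphabet[idx.Int64()]
	}
	return string(b), nil
}

// generateRedshiftUsername is what a plugin would call at credential-creation time.
func generateRedshiftUsername(displayName, roleName string, now time.Time) (string, error) {
	r, err := randomAlnum(randomLen)
	if err != nil {
		return "", err
	}
	return buildRedshiftUsername(displayName, roleName, r, now.Unix()), nil
}

// redshiftFold models Redshift's default identifier handling as described in
// the issue: the stored role name is lower-cased regardless of what was sent.
func redshiftFold(ident string) string { return strings.ToLower(ident) }

// storedMatchesReturned reports whether the username handed back to the
// caller is the one the database will actually hold. Use it as a pre-flight
// check before returning credentials, or as a regression test for a plugin.
func storedMatchesReturned(returned string) bool {
	return redshiftFold(returned) == returned
}

func main() {
	// Random segment and timestamp copied from the issue's output so the
	// generated name can be compared with the \du listing.
	const random = "s53tttr16x44s007sr4s"
	buggy := buildUsername("ldap-Marc", "redshift-staging", random, 1519840117)
	fixed := buildRedshiftUsername("ldap-Marc", "redshift-staging", random, 1519840117)
	fmt.Printf("returned: %s\nstored:   %s\nlogin ok: %v\n\n", buggy, redshiftFold(buggy), storedMatchesReturned(buggy))
	fmt.Printf("returned: %s\nstored:   %s\nlogin ok: %v\n\n", fixed, redshiftFold(fixed), storedMatchesReturned(fixed))

	fresh, err := generateRedshiftUsername("ldap-Marc", "redshift-staging", time.Now())
	if err != nil {
		panic(err)
	}
	fmt.Printf("fresh:    %s\nlogin ok: %v\n", fresh, storedMatchesReturned(fresh))
}
```

The first pair of lines printed by `main` reproduces the issue: the returned name carries `Mar` while the stored one carries `mar`, so a client using the returned string fails password authentication. Lower-casing at generation time rather than at the client (the bash-script workaround mentioned later) keeps the lease metadata, the CREATE USER statement and the revocation statement all referring to the same role name.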

All 10 comments

Still broken :(

@myoung34 did you ever solve this?

I use a bash script to manually lower case

@myoung34 behold the redshift plugin that works with database engine: https://github.com/andoriyu/vault-plugin-database-redshift

Can confirm the problem lies within the username not being lower-cased.

I just forked official postgres driver and forced lowercase in it. Works
well.


How did you create the plugin? Did you rebuild Vault from source or did you install it separately? I tried to use the binary created by go install but it did not work. Also, I do not see where you lower-cased the username in your code.

I've rebuilt the plugin from source, not the entire Vault. Installed it like any
other custom plugin and it worked fine. I'll see if I can find the source.

I do still have the binary though.


@walkafwalka here is the source for the plugin I'm running: https://github.com/andoriyu/vault-plugin-database-redshift (I didn't commit my last change where I actually lower-case it).

It's just a copy of https://github.com/hashicorp/vault/tree/master/plugins/database/postgresql with a few things renamed and downcasing added.

You also need to make sure you compiled it for the platform Vault is running on.
