Describe the bug
Error reading database/creds/my-role: Error making API request.
URL: GET https://localhost:8200/v1/database/creds/my-role
Code: 500. Errors:
* 1 error occurred:
* failed to find entry for connection with name: "postgres"
To Reproduce
Steps to reproduce the behavior:
vault secrets enable database
vault write database/config/test-dev \
plugin_name=postgresql-database-plugin \
allowed_roles="my-role" \
connection_url="postgresql://{{username}}:{{password}}@vault-test-db-url.rds.amazonaws.com:5432/" \
username="amet" \
password="ametamet"
vault write database/roles/my-role \
db_name=postgres \
creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; \
GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";" \
default_ttl="1h" \
max_ttl="24h"
vault read database/creds/my-role
Error reading database/creds/my-role: Error making API request.
URL: GET https://localhost:8200/v1/database/creds/my-role
Code: 500. Errors:
* 1 error occurred:
* failed to find entry for connection with name: "postgres"
Expected behavior
All ok with deprecated postgres plugin:
vault secrets enable postgresql
vault write postgresql/config/connection connection_url="postgresql://amet:ametamet@vault-test-db-url.rds.amazonaws.com:5432/postgres"
vault write postgresql/config/lease lease=1h lease_max=24h
vault write postgresql/roles/readonly sql="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';
GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";"
vault read postgresql/creds/readonly
Key Value
--- -----
lease_id postgresql/creds/readonly/46f3aa11-dc8c-6144-7f97-9f54a5683c32
lease_duration 1h
lease_renewable true
password 13dbcbc7-e99a-7222-2830-f93bee1b6fdd
username root-8fb5f459-51ce-98d5-0071-7a17ef04b040
Environment:
vault status
Key Value
--- -----
Seal Type shamir
Sealed false
Total Shares 5
Threshold 2
Version 0.10.2
Cluster Name vault-cluster-dev
Cluster ID c2db22c2-bb7f-0c1a-bb5b-f5fedac5a888
HA Enabled true
HA Cluster https://172.31.31.31:8201
HA Mode active
vault version
Vault v0.10.2 ('3ee0802ed08cb7f4046c2151ec4671a076b76166')
cat /etc/issue
Ubuntu 16.04.4 LTS \n \l
Vault server configuration file(s):
cluster_name = "vault-cluster-dev"
max_lease_ttl = "192h" # One week
default_lease_ttl = "192h" # One week
ui = "true"
listener "tcp" {
  address = "127.0.0.1:9200"
  tls_disable = "true"
}
listener "tcp" {
  address = "0.0.0.0:8200"
  cluster_address = "0.0.0.0:8201"
  tls_disable = "false"
  tls_min_version = "tls12"
  tls_cert_file = "/etc/vault/ssl/cert.crt"
  tls_key_file = "/etc/vault/ssl/privkey.key"
  tls_prefer_server_cipher_suites = "true"
}
storage "s3" {
  bucket = "vault-dev-data"
  region = "eu-west-1"
  max_parallel = "512"
}
ha_storage "dynamodb" {
  ha_enabled = "true"
  region = "eu-west-1"
  table = "vault-dev"
  max_parallel = "25"
  read_capacity = "5"
  write_capacity = "5"
  cluster_addr = "https://172.31.31.31:8201"
  redirect_addr = "https://vault-dev:443"
}
The db name you defined in your database config is "test-dev". When you create the role, you need to specify that as your db name.
See https://www.vaultproject.io/docs/secrets/databases/index.html#setup.
OMG. Thank you @chrishoffman
I was careless.
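As an added example (not code from the issue thread or from Vault itself), the binding rule chrishoffman states above, turned into a pre-flight check that can be run over role and connection definitions before issuing `vault read database/creds/...`. The `Connection`/`Role` classes and `check_bindings` are hypothetical names; the sample data is constructed from the commands in the report, and the only `allowed_roles` semantics assumed are exact match and the `"*"` wildcard.

```python
"""Pre-flight check for Vault database secrets engine definitions.

Rule replayed from the thread: a role's db_name must name an existing
connection under database/config/, and that connection's allowed_roles
must admit the role (exact name or "*"). In practice the inputs would be
read from `vault read -format=json database/config/<name>` and
database/roles/<name>; here they are constructed inline.
"""
from dataclasses import dataclass, field


@dataclass
class Connection:
    name: str                      # path segment under database/config/
    plugin_name: str
    allowed_roles: list = field(default_factory=list)


@dataclass
class Role:
    name: str                      # path segment under database/roles/
    db_name: str                   # must equal a Connection.name


def check_bindings(connections, roles):
    """Return human-readable problems; an empty list means consistent."""
    by_name = {c.name: c for c in connections}
    problems = []
    for r in roles:
        conn = by_name.get(r.db_name)
        if conn is None:
            # This is the condition behind the 500 in the report:
            # 'failed to find entry for connection with name: "<db_name>"'
            problems.append(
                f'role {r.name!r}: db_name {r.db_name!r} matches no connection '
                f'(known: {sorted(by_name)})')
            continue
        if "*" not in conn.allowed_roles and r.name not in conn.allowed_roles:
            problems.append(
                f'role {r.name!r}: not in allowed_roles of connection {conn.name!r}')
    return problems


# Constructed inputs mirroring the issue's commands
CONNECTIONS = [Connection("test-dev", "postgresql-database-plugin", ["my-role"])]
BROKEN_ROLES = [Role("my-role", db_name="postgres")]   # as filed
FIXED_ROLES = [Role("my-role", db_name="test-dev")]    # as suggested in the reply

if __name__ == "__main__":
    for label, roles in (("as filed", BROKEN_ROLES), ("fixed", FIXED_ROLES)):
        print(label, "->", check_bindings(CONNECTIONS, roles) or "OK")
```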