@skhatri
Created April 2, 2020 10:54
Cassandra Vault Dynamic Secrets

Vault Login

Log in with a token that is allowed to enable secrets engines, write mount configuration and write policies (the root token works in a lab; anything narrower in production):

vault login $YOUR_PRIVILEGED_TOKEN

Enable Cassandra Engine

Enable Cassandra Secrets Engine

vault secrets enable cassandra

Set up the Cassandra credentials Vault will use

The account given here is the one Vault logs in with to run CREATE ROLE and GRANT for every dynamic credential, so it needs the rights to do that (in practice a superuser). cassandra/cassandra is the default superuser that ships with Cassandra; rotate it before using it anywhere but a lab. This was run against cassandra:3.11, so protocol_version is set to 3.

vault write cassandra/config/connection \
   hosts=localhost \
   username=cassandra \
   password=cassandra \
   protocol_version=3

Write the role templates

Create two templates: a readonly role and a superuser role (named readwrite below). Vault fills in {{username}} and {{password}} when a credential is requested, splits creation_cql on ";" and runs the statements in order. Note that the readwrite template creates a SUPERUSER, which is far more than read/write access; a least-privilege variant would instead GRANT SELECT and MODIFY on the keyspaces the application actually uses. The role's lease parameter sets how long each issued credential lives; when it is omitted, the mount's default TTL applies.

vault write cassandra/roles/readonly \
    creation_cql="CREATE ROLE {{username}} with SUPERUSER = false AND LOGIN = true and PASSWORD = '{{password}}'; \
    GRANT SELECT ON ALL KEYSPACES TO {{username}};"
vault write cassandra/roles/readwrite \
    creation_cql="CREATE ROLE {{username}} with SUPERUSER = true AND LOGIN = true and PASSWORD = '{{password}}';"

Retrieve credentials with the privileged token. Each read returns a freshly generated username/password pair together with a lease_id; keep the lease_id, it is what you revoke later.

vault read cassandra/creds/readonly
vault read cassandra/creds/readwrite

Log in with each pair and confirm you really get a readonly and a superuser account: the readonly account should show is_superuser = False in system_auth.roles and any INSERT it attempts should be rejected as Unauthorized, while the readwrite account shows is_superuser = True.

cqlsh -u <user> -p <pass>
select * from system_auth.roles;

Policy to retrieve readonly password

cat > cassandra-read.hcl <<EOF
path "cassandra/creds/readonly" {
    capabilities = ["read"]
}
EOF
vault policy write cassandra-read cassandra-read.hcl

Policy to retrieve the superuser credentials

cat > cassandra-write.hcl <<EOF
path "cassandra/creds/readwrite" {
    capabilities = ["read"]
}
EOF
vault policy write cassandra-write cassandra-write.hcl

Create new tokens for the read and write policies

vault token create -policy=cassandra-read

Use the token to retrieve Cassandra creds

Using only the token printed by the previous command (the value below is a placeholder; substitute your own), read the readonly credentials. The same token cannot read cassandra/creds/readwrite, since its policy does not grant that path.

VAULT_TOKEN="s.JgdYaLUxILaBqFQvCVSngDb3" vault read cassandra/creds/readonly

Revoke the credential using its lease_id when done. Vault then runs the role's rollback CQL and the Cassandra role disappears immediately; the same command's -prefix flag revokes every outstanding lease under a path at once.

vault lease revoke cassandra/creds/readonly/FoJ88CNVJ3GYwArZPnlUquNS

Generate another token for superuser

vault token create -policy=cassandra-write

Log in with it, and revoke the token itself when finished: revoking a token also revokes every lease that token created, so the superuser account is removed along with it.
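The steps above are typed one at a time, which makes it easy to forget the revoke when the job using the credential crashes. The script below is an added example, not part of the gist: it drives the same Vault HTTP endpoints that vault read cassandra/creds/<role> and vault lease revoke <lease_id> wrap, but as a context manager so the lease is revoked on every exit path. The mount name cassandra and the role name readonly are the ones configured above; the Vault address, the recorded sample response and the transport hook are assumptions made so the lifecycle can be exercised without a running Vault.

```python
"""Lease, use and always revoke a Vault-issued Cassandra credential.

Added example (not code from the gist). It calls the Vault HTTP API that
`vault read cassandra/creds/<role>` and `vault lease revoke <lease_id>`
wrap, as a context manager so the lease is revoked even when the work done
with the credential fails. Only the standard library is used; the transport
hook lets the flow run offline against a constructed sample response.
"""
import json
import os
import urllib.request
from contextlib import contextmanager

# Constructed sample of a creds/readonly response (shape follows Vault's
# API; the username, password and lease_id values are made up).
SAMPLE_RESPONSE = {
    "lease_id": "cassandra/creds/readonly/constructed-lease-id",
    "lease_duration": 2764800,
    "renewable": True,
    "data": {"username": "vault-readonly-example", "password": "constructed-password"},
}


def http_transport(method, url, token, body=None):
    """Default transport: one Vault API call. Returns (status, json_or_None);
    Vault answers a successful revocation with 204 and an empty body."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("X-Vault-Token", token)
    if data is not None:
        req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
        return resp.status, (json.loads(raw) if raw else None)


def recording_transport(creds_response):
    """Offline stand-in for http_transport: serves creds_response for creds
    reads, 204 for revocations, and records every call for inspection."""
    calls = []

    def transport(method, url, token, body=None):
        calls.append((method, url, body))
        if method == "GET" and "/creds/" in url:
            return 200, creds_response
        if method == "PUT" and url.endswith("/v1/sys/leases/revoke"):
            return 204, None
        return 404, {"errors": [f"unexpected {method} {url}"]}

    return transport, calls


def parse_creds(response):
    """Extract the generated login plus the lease_id needed to revoke it."""
    return {
        "username": response["data"]["username"],
        "password": response["data"]["password"],
        "lease_id": response["lease_id"],
        "lease_duration": int(response["lease_duration"]),
    }


class VaultCassandraCreds:
    def __init__(self, addr, token, mount="cassandra", transport=http_transport):
        self.addr, self.token, self.mount, self.transport = addr.rstrip("/"), token, mount, transport

    def issue(self, role):
        status, body = self.transport("GET", f"{self.addr}/v1/{self.mount}/creds/{role}", self.token)
        if status != 200:
            raise RuntimeError(f"creds/{role} returned HTTP {status}: {body}")
        return parse_creds(body)

    def revoke(self, lease_id):
        url = f"{self.addr}/v1/sys/leases/revoke"
        status, body = self.transport("PUT", url, self.token, {"lease_id": lease_id})
        if status not in (200, 204):
            raise RuntimeError(f"revoke of {lease_id} returned HTTP {status}: {body}")

    @contextmanager
    def leased(self, role):
        """Yield fresh credentials for role; revoke them on exit, error or not."""
        creds = self.issue(role)
        try:
            yield creds
        finally:
            self.revoke(creds["lease_id"])


def run_with_creds(client, role, work):
    """Run work(username, password) under a short-lived credential for role."""
    with client.leased(role) as creds:
        return work(creds["username"], creds["password"])


if __name__ == "__main__":
    token = os.environ.get("VAULT_TOKEN")
    if token:  # a real Vault, addressed the same way the CLI is
        client = VaultCassandraCreds(os.environ.get("VAULT_ADDR", "http://127.0.0.1:8200"), token)
    else:  # no Vault available: exercise the lifecycle against the recorded sample
        transport, _calls = recording_transport(SAMPLE_RESPONSE)
        client = VaultCassandraCreds("http://vault.example:8200", "placeholder-token", transport=transport)
    # A real job would open a cqlsh or driver session here with the pair it is handed.
    print(run_with_creds(client, "readonly", lambda user, _pw: f"connected as {user}"))
```

With VAULT_ADDR and VAULT_TOKEN set to a token carrying the cassandra-read policy, the script issues one readonly credential, runs the job, and revokes the lease before exiting; without them it replays the constructed response so the same code path can be inspected offline.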
