@stenio123
Created August 30, 2018 13:57
# Inspect an existing database secrets engine configuration (these paths,
# database/config/postgres and database/roles/readonly, are a separate snippet
# and use different names from the postgres-aws / readonlyaws steps below)
vault list database/config
vault read database/config/postgres
vault list database/roles
vault read database/roles/readonly

# Step 0: Enable dynamic database credential service
vault secrets enable database

# Step 1: Configure connection string
# NOTE: the connection_url below ends after the host with no port or database
# name; complete it for your own instance before running.
# verify_connection=false skips Vault's connectivity check at write time; set it
# to true once the URL is complete so a bad URL fails here rather than at Step 3.
vault write database/config/postgres-aws \
  plugin_name="postgresql-database-plugin" \
  allowed_roles="readonlyaws" \
  connection_url="postgresql://vault:2BRLU2PUZpUcGKDN2EHp@steniodb-aws.csdltcd61o6f.us-east-1.rds.amazonaws.com:" \
  verify_connection=false

# Step 2: SQL user creation statement and TTL
# {{name}}, {{password}} and {{expiration}} are filled in by Vault per request;
# {{name}} is double-quoted because the generated usernames contain hyphens.
vault write database/roles/readonlyaws \
  db_name=postgres-aws \
  creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; \
    GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";" \
  default_ttl="1h" \
  max_ttl="24h"

# Step 3: Request creds (returns username, password and a lease_id)
vault read database/creds/readonlyaws

# Step 4: Validate user created, e.g. as the database admin user:
#   psql -h <host> -d vault -U <admin> -c "SELECT rolname, rolvaliduntil FROM pg_roles WHERE rolname LIKE 'v-%';"

# Step 5: Connect to db with the username from Step 3 (the one below is from an
# earlier run); psql prompts for the password returned in Step 3
psql -h steniodb-aws.csdltcd61o6f.us-east-1.rds.amazonaws.com \
  -d vault \
  -U v-root-readonly-uz06uyv1676xu2tu1rr6-1522861975

# (Optional) Request more creds; each call creates a separate role and lease
vault read database/creds/readonlyaws
vault read database/creds/readonlyaws
vault read database/creds/readonlyaws

# (Optional) Revoke one cred by its lease_id (vault revoke is the older form of vault lease revoke):
vault revoke database/creds/readonlyaws/d5df00b0-9d29-111f-299a-0ceaaa7f3a3b

# (Optional) Revoke all creds issued for the role:
vault revoke -prefix database/creds/readonlyaws/
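Steps 3 and 5 plus the optional revoke, tied together so the dynamic credential is revoked as soon as the psql session ends rather than lingering for the rest of its TTL. This is an added example, not part of the gist; it assumes vault and psql are on PATH, VAULT_ADDR/VAULT_TOKEN are exported, and DB_HOST/DB_NAME (names chosen here) point at your database. Without `--run` it only parses a constructed sample response offline.

```shell
#!/bin/sh
# Added example (not from the gist): parse `vault read -format=json` output for the
# readonlyaws role, open psql with the dynamic credential and revoke the lease when
# the session ends. Assumes vault and psql on PATH, VAULT_ADDR/VAULT_TOKEN exported,
# and DB_HOST/DB_NAME set to your database (constructed names, not from the gist).
set -eu

ROLE_PATH="database/creds/readonlyaws"   # role defined in Step 2 of the gist

# Extract a string field ("key": "value") from Vault's pretty-printed JSON output.
# Deliberately jq-free; handles only the one-key-per-line layout Vault emits.
json_str() { printf '%s\n' "$1" | sed -n "s/^[[:space:]]*\"$2\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p"; }
# Same for a numeric field ("key": 3600).
json_num() { printf '%s\n' "$1" | sed -n "s/^[[:space:]]*\"$2\"[[:space:]]*:[[:space:]]*\([0-9][0-9]*\).*/\1/p"; }

# Succeeds when the lease still covers a session of $2 seconds; otherwise renew it
# (vault lease renew, bounded by max_ttl=24h) or request fresh credentials.
lease_covers() { [ "$(json_num "$1" lease_duration)" -ge "$2" ]; }

run_readonly_session() {
  json=$(vault read -format=json "$ROLE_PATH")
  lease=$(json_str "$json" lease_id)
  user=$(json_str "$json" username)
  pass=$(json_str "$json" password)
  lease_covers "$json" 600 || echo "warning: lease expires in under 10 minutes" >&2
  # Revoke on any exit (normal, error, Ctrl-C) instead of leaving the role in
  # PostgreSQL for the rest of default_ttl=1h.
  trap "vault lease revoke '$lease'" EXIT
  # PGPASSWORD keeps the password out of the argument list visible to ps.
  PGPASSWORD="$pass" psql -h "${DB_HOST:?}" -d "${DB_NAME:?}" -U "$user"
}

# Constructed sample of the Step 3 response, shaped like Vault's real output; the
# lease id and username are the ones shown in the gist, the password is fake.
SAMPLE_JSON='{
  "lease_id": "database/creds/readonlyaws/d5df00b0-9d29-111f-299a-0ceaaa7f3a3b",
  "lease_duration": 3600,
  "renewable": true,
  "data": {
    "password": "A1a-EXAMPLEonly",
    "username": "v-root-readonly-uz06uyv1676xu2tu1rr6-1522861975"
  }
}'

if [ "${1:-}" = "--run" ]; then
  run_readonly_session
else  # offline: show what the parser extracts from the sample response
  printf 'lease=%s\nuser=%s\nttl=%ss\n' "$(json_str "$SAMPLE_JSON" lease_id)" \
    "$(json_str "$SAMPLE_JSON" username)" "$(json_num "$SAMPLE_JSON" lease_duration)"
fi
```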
@stenio123

The AWS RDBS and Vault do not exist anymore, so please update the script with your connection string :-)
