"HashiCorp Vault 动态数据库凭证与密钥轮换实践"

HashiCorp Vault 动态数据库凭证与密钥轮换实践启用与配置（示意）vault secrets enable database vault write database/config/mydb \ plugin_name=postgresql-database-plugin \ allowed_roles="app" \ connection_url="postgresql://{{username}}:{{password}}@db:5432/postgres?sslmode=disable" \ username="admin" password="secret" vault write database/roles/app \ db_name=mydb \ creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD \"{{password}}\" VALID UNTIL '{{expiration}}'; GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";" \ default_ttl=1h max_ttl=24h 获取动态凭证vault read database/creds/app 轮换与吊销vault lease revoke <lease_id> vault write database/rotate-root/mydb 验证要点观察短期租约与自动过期确认应用仅持有最小权限与短生命周期账户总结动态凭证与轮换机制能显著降低长期静态凭证泄露风险并提升合规性。