You can store the database credentials used by Database Monitoring configurations in HashiCorp Vault. The Database Agent then reads the database secret from the vault to establish a connection with the database. To do so, the agent first authenticates to the vault with one of the supported authentication methods, receives a Vault token, and uses that token to fetch the database secret.

Supported Databases

  • Cassandra
  • Couchbase
  • IBM DB2
  • Microsoft Azure SQL
  • Microsoft SQL Server
  • MongoDB
  • MySQL
  • Oracle
  • PostgreSQL
  • SAP HANA
  • Sybase

Connect the Database Agent with HashiCorp Vault

To establish a connection between the Database Agent and HashiCorp Vault, you need the:

  • Address of the vault (use an https:// address; the Vault token and every database secret travel over this connection)
  • HTTPS certificate of the vault (Optional): the PEM certificate used to verify the vault's HTTPS endpoint

Specify the address and the HTTPS certificate path of the vault while starting the Database Agent, for example:

-Ddbagent.hashicorp.vault.url=https://vault.dbmon.com:8200
-Ddbagent.hashicorp.vault.https.cert.path=/Users/user1/works/HashiCorpVault/vault.dbmon.com.pem

Database Agent can communicate with only one vault at a time.

Configure the HashiCorp Vault

Add the following details while creating a collector:

  1. Navigate to Databases > Configuration > Collectors > Add.
  2. Select HashiCorp Vault under Database Credentials, and specify the following details:

    • Authentication Method: Choose one of the following methods: AWS IAM, TLS Certificates, or JWT.
    • Secret Path: Specify the path of the secret in the vault. For example, database/cred/mysql-prod
    • Namespace: Namespace of the vault that is used both for authentication and for fetching the secret.

Based on the authentication method that you selected, specify the following details:

AWS IAM

    • AWS Role: Specify the role under the vault's AWS auth method that the agent logs in as; the role is bound to the IAM principal whose credentials are given below. For more information, see AWS auth method.
    • AWS Region: Specify the AWS Region whose Security Token Service (STS) endpoint the signed request targets.
    • AWS Access Key: Specify the AWS Access Key used to sign the STS request headers.
    • AWS Secret Key: Specify the AWS Secret Key used to sign the STS request headers. The secret key is used only to compute the signature; it is not sent to the vault.
    • Auth Custom Mount Point: (Optional) You can specify a custom mount path for AWS-based authentication. The default value is aws.

TLS Certificates

    • Client Cert File Path: Specify the path of the client certificate file of the system where the Database Agent is running. The client certificate file must be in the PEM format and accessible to the Database Agent for vault authentication. For more information, see TLS certificates auth method.
    • Client Cert Key File Path: Specify the client certificate key file path. The client certificate key file must be in PEM format and accessible to the Database Agent for vault authentication.
    • Auth Custom Mount Point: (Optional) You can specify a custom mount path. The default value is cert.

JWT

    • JWT Token: Specify a JWT token. For more information about JWT token and role, see JWT authentication.
    • JWT Role: Specify the JWT role.
    • Token Provider: (Optional) You can specify a token provider. The default value is jwt.

      Azure authentication method is supported through OpenID Connect (OIDC). If you want to use the Azure authentication method, then specify oidc in the Token Provider field.
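As an added example (not the Database Agent's own code), the following Python sketch performs the sequence the agent carries out against Vault's HTTP API once the fields above are filled in: log in on the chosen auth mount (jwt, cert, or aws, the last with a SigV4-signed sts:GetCallerIdentity request), keep the returned client token, and read the secret path with the X-Vault-Token and X-Vault-Namespace headers. VaultClient, the transport functions, the offline stand-in vault and every value in it (URL, namespace, role names, the secret's contents, the access key) are constructed assumptions; the OIDC token-provider variant is not covered.

```python
# Added example, not the Database Agent's own code: log in to Vault on one auth mount, keep the token, read the secret.
import base64, datetime, hashlib, hmac, json, ssl, urllib.request

def sigv4_headers(host, body, access_key, secret_key, region, now=None):
    """SigV4-sign an STS GetCallerIdentity POST; the secret key only feeds the HMAC chain and is never sent."""
    now = now or datetime.datetime.now(datetime.timezone.utc)
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    ctype = "application/x-www-form-urlencoded; charset=utf-8"
    signed = "content-type;host;x-amz-date"
    canonical = "\n".join(["POST", "/", "",
                           f"content-type:{ctype}\nhost:{host}\nx-amz-date:{amz_date}\n",
                           signed, hashlib.sha256(body.encode()).hexdigest()])
    scope = f"{amz_date[:8]}/{region}/sts/aws4_request"
    to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                         hashlib.sha256(canonical.encode()).hexdigest()])
    key = ("AWS4" + secret_key).encode()
    for part in scope.split("/"):          # date, region, service, "aws4_request"
        key = hmac.new(key, part.encode(), hashlib.sha256).digest()
    sig = hmac.new(key, to_sign.encode(), hashlib.sha256).hexdigest()
    return {"Content-Type": ctype, "Host": host, "X-Amz-Date": amz_date,
            "Authorization": f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                             f"SignedHeaders={signed}, Signature={sig}"}

def https_transport(method, url, headers, body, ca_cert=None, client_cert=None):
    """Real transport. ca_cert: the vault PEM from -D...https.cert.path; client_cert: (cert_pem, key_pem)."""
    ctx = ssl.create_default_context(cafile=ca_cert)
    if client_cert:
        ctx.load_cert_chain(*client_cert)
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    with urllib.request.urlopen(req, context=ctx) as resp:
        return resp.status, json.loads(resp.read() or b"{}")

class VaultClient:
    def __init__(self, url, namespace=None, ca_cert=None, transport=https_transport):
        self.url, self.namespace, self.ca_cert = url.rstrip("/"), namespace, ca_cert
        self.transport, self.token = transport, None

    def _headers(self):
        h = {"Content-Type": "application/json"}
        if self.namespace:   # the same namespace is used for the login and for the read
            h["X-Vault-Namespace"] = self.namespace
        if self.token:
            h["X-Vault-Token"] = self.token
        return h

    def _login(self, mount, payload, client_cert=None):
        status, resp = self.transport("POST", f"{self.url}/v1/auth/{mount}/login",
                                      self._headers(), json.dumps(payload).encode(),
                                      ca_cert=self.ca_cert, client_cert=client_cert)
        if status != 200 or "auth" not in resp:
            raise RuntimeError(f"login on auth/{mount} failed: {status} {resp}")
        self.token = resp["auth"]["client_token"]
        return self.token

    def login_jwt(self, jwt, role, mount="jwt"):
        return self._login(mount, {"jwt": jwt, "role": role})

    def login_cert(self, cert_pem, key_pem, mount="cert"):
        # the certificate is the credential and travels in the TLS handshake, not in the body
        return self._login(mount, {}, client_cert=(cert_pem, key_pem))

    def login_aws_iam(self, role, access_key, secret_key, region, mount="aws"):
        # Vault's iam type: hand Vault a signed sts:GetCallerIdentity request that it replays to STS
        host, body = f"sts.{region}.amazonaws.com", "Action=GetCallerIdentity&Version=2011-06-15"
        hdrs = sigv4_headers(host, body, access_key, secret_key, region)
        def b64(s): return base64.b64encode(s.encode()).decode()
        return self._login(mount, {"role": role, "iam_http_request_method": "POST",
                                   "iam_request_url": b64(f"https://{host}/"),
                                   "iam_request_body": b64(body),
                                   "iam_request_headers": b64(json.dumps(hdrs))})

    def read_secret(self, path):
        status, resp = self.transport("GET", f"{self.url}/v1/{path.strip('/')}",
                                      self._headers(), None, ca_cert=self.ca_cert)
        data = resp.get("data") if status == 200 else None
        if not isinstance(data, dict):
            raise RuntimeError(f"reading {path} failed: {status} {resp}")
        # KV v2 nests the values under data.data next to data.metadata; KV v1 does not
        return data["data"] if "metadata" in data and isinstance(data.get("data"), dict) else data

# Constructed stand-in for a vault so the flow runs offline (signature shape is checked, not verified).
def demo_transport(method, url, headers, body, ca_cert=None, client_cert=None):
    p, tok = json.loads(body) if body else {}, {"auth": {"client_token": "hvs.demo-token"}}
    if headers.get("X-Vault-Namespace") == "dbmon":
        if url.endswith("/v1/auth/jwt/login") and p.get("role") == "dbagent":
            return 200, tok
        if url.endswith("/v1/auth/aws/login") and p.get("role") == "dbagent-aws" and json.loads(
                base64.b64decode(p["iam_request_headers"]))["Authorization"].startswith("AWS4-HMAC-SHA256 "):
            return 200, tok
        if url.endswith("/v1/database/cred/mysql-prod") and headers.get("X-Vault-Token") == "hvs.demo-token":
            return 200, {"data": {"username": "dbmon", "password": "example-only"}}
    return 403, {"errors": ["permission denied"]}

def fetch_demo_credentials(namespace="dbmon"):
    client = VaultClient("https://vault.dbmon.com:8200", namespace, transport=demo_transport)
    client.login_jwt("eyJhbGciOi.constructed.jwt", "dbagent")   # placeholder, not a real JWT
    return client.read_secret("database/cred/mysql-prod")
```

Two points the fields above do not make visible: the AWS secret key never leaves the agent (it only derives the HMAC key that signs the STS headers, and the vault learns the caller's identity by replaying the signed request to STS), and the namespace header must accompany both the login and the read, because the token is scoped to the namespace it was issued in.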