Dynamic Secrets
Dynamic secrets are generated automatically at the time they are requested. This differs from a standard secret read, where the stored credentials stay the same until a user changes them. Use a dynamic secret when you need to hand credentials to a user or a resource, such as a configuration tool, but want that access to expire after a set period of time rather than persist indefinitely.
Supported Types:
IaaS Dynamic Secrets
Database Dynamic Secrets
Linking
Dynamic secrets cannot be generated on their own. Each one relies on a base secret stored in DSV that holds the provider's long-lived credentials; DSV uses those credentials to create the ephemeral access keys on each request. Because the base secret is the long-lived credential, it should be readable only by the policies that need it.
The link is declared in the `attributes` section of the secret JSON. For example, the following secret, `temp-api`, has no `data` of its own but is linked to a separate AWS IAM secret that holds the access key and secret key. The `linkConfig` object defines the type of link and the path of the linked secret.
| Attribute | Description |
|---|---|
| `linkConfig` | link type and path to the linked secret |
| `linkConfig.linkType` | the only valid value is `"dynamic"` |
| `linkConfig.linkedSecret` | secret path of the base credential |
```json
{
  "id": "cc619722-6538-4891-b0a6-2c7fa1776a67",
  "path": "dynamic:aws:creds:temp-api",
  "attributes": {
    "linkConfig": {
      "linkType": "dynamic",
      "linkedSecret": "base:aws:creds:api-account"
    }
  },
  "description": "",
  "data": {}
}
```
Search for linked Secrets
To list every dynamic secret linked to a given base secret, run the following command with the base secret's path as the query:
```shell
dsv secret search --query <base secret path> --search-links
```
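The following Python is an added example, not code from the DSV product or its documentation. It shows how to build the JSON body of a dynamic secret that links to a base secret, how to check the `linkConfig` against the rules in the attribute table before submitting it, and how the `--search-links` lookup above can be reproduced locally over a list of secret documents already fetched from the vault. The sample inventory is constructed for illustration; the rule that a dynamic secret must not carry its own `data`, and the self-link check, are assumptions added here rather than behaviour the page documents.

```python
"""Build, validate and resolve DSV dynamic-secret links locally.

Added example; not part of DSV or its documentation.
"""
import json

LINK_TYPE_DYNAMIC = "dynamic"  # the only valid linkType per the attribute table


def make_dynamic_secret(path: str, base_path: str, description: str = "") -> dict:
    """Return the JSON body of a dynamic secret linked to base_path.

    The dynamic secret carries no data of its own: the provider credentials
    live only in the base secret named by attributes.linkConfig.linkedSecret.
    """
    return {
        "path": path,
        "attributes": {
            "linkConfig": {
                "linkType": LINK_TYPE_DYNAMIC,
                "linkedSecret": base_path,
            }
        },
        "description": description,
        "data": {},
    }


def validate_link(secret: dict) -> list[str]:
    """Return the list of problems with a secret's linkConfig ([] means valid).

    linkType and linkedSecret rules come from the attribute table. Rejecting a
    dynamic secret that also carries data, and rejecting a self-link, are
    assumptions added in this example so that long-lived provider keys are never
    duplicated into the ephemeral secret.
    """
    problems: list[str] = []
    link = secret.get("attributes", {}).get("linkConfig")
    if link is None:
        return ["attributes.linkConfig is missing"]
    if link.get("linkType") != LINK_TYPE_DYNAMIC:
        problems.append(f'linkType must be "dynamic", got {link.get("linkType")!r}')
    base = link.get("linkedSecret")
    if not isinstance(base, str) or not base:
        problems.append("linkedSecret must be a non-empty secret path")
    elif base == secret.get("path"):
        problems.append("a secret cannot link to itself")
    if secret.get("data"):
        problems.append("dynamic secret should not carry its own data")
    return problems


def find_linked(secrets: list[dict], base_path: str) -> list[str]:
    """Return the sorted paths of every secret whose linkedSecret is base_path.

    Local equivalent of `dsv secret search --query <base> --search-links`,
    applied to secret documents that have already been fetched.
    """
    return sorted(
        s["path"]
        for s in secrets
        if s.get("attributes", {}).get("linkConfig", {}).get("linkedSecret") == base_path
    )


# Constructed sample inventory (not real secrets): two dynamic secrets link to
# the AWS base credential, one links to a database base credential, and the
# last entry is the AWS base secret itself, which is static and has no link.
SAMPLE_SECRETS = [
    make_dynamic_secret("dynamic:aws:creds:temp-api", "base:aws:creds:api-account"),
    make_dynamic_secret("dynamic:aws:creds:ci-deploy", "base:aws:creds:api-account"),
    make_dynamic_secret("dynamic:db:creds:reporting", "base:db:creds:admin"),
    {
        "path": "base:aws:creds:api-account",
        "attributes": {},
        "data": {"accessKey": "PLACEHOLDER", "secretKey": "PLACEHOLDER"},
    },
]

if __name__ == "__main__":
    candidate = SAMPLE_SECRETS[0]
    print(json.dumps(candidate, indent=2))
    print("problems:", validate_link(candidate))
    print("linked to base:aws:creds:api-account:",
          find_linked(SAMPLE_SECRETS, "base:aws:creds:api-account"))
```

Run `validate_link` on the body before creating the secret so that a typo in `linkType` or an empty `linkedSecret` is caught locally; `find_linked` is useful when rotating a base credential, since every path it returns is a dynamic secret whose generated keys depend on that credential.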