Is it possible to store DMS Endpoint credentials in HashiCorp Vault

Question

I have two AWS DMS endpoints, one connecting to AWS RDS for Oracle and another one to AWS Aurora MySQL. Currently, the login passwords are provided through Terraform in clear text. I wonder if there is a way to store DMS endpoint credentials in Vault. My client prefers Vault to AWS Secrets Manager.

The organization already has Vault secrets set up for applications. I have access to Vault secrets through the web UI, but I have no idea how applications use Vault. I am a DBA. Any advice is appreciated. Thanks.

Gary

Answer

You can use secrets manager to store the passwords. I have seen customers create their own solution when integrating with Hashicorp vault and syncing the passwords with secrets manager. I don't know if this is possible without some form of engineering to syncronise passwords or using Vault secrets directly.

Answer

Oli and Gary Mclean,

Thank you for comment on my question!

Gary

Answer

Use terraform to create the AWS secret with no values and set the lifecycle to ignore changes.

Then manually populate the AWS secrect with the username and password.

Here your able to reference the terraform resource in your DMS settings.

Is it possible to store DMS Endpoint credentials in HashiCorp Vault

相关内容