{"id":15204,"date":"2024-01-05T11:18:05","date_gmt":"2024-01-05T19:18:05","guid":{"rendered":"https:\/\/www.couchbase.com\/blog\/?p=15204"},"modified":"2025-06-13T18:39:15","modified_gmt":"2025-06-14T01:39:15","slug":"secure-db-credentials-with-hashicorp-vault-capella","status":"publish","type":"post","link":"https:\/\/www.couchbase.com\/blog\/pt\/secure-db-credentials-with-hashicorp-vault-capella\/","title":{"rendered":"Credenciais de banco de dados seguras com o HashiCorp Vault e o Capella"},"content":{"rendered":"<p><span style=\"font-weight: 400\">In today&#8217;s data-driven world, secure database credential management is a paramount concern for organizations of all sizes. As we strive to empower you with cutting-edge solutions, we are thrilled to announce the release of our HashiCorp Vault plugin for Capella database credential management.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400\">Incorporating HashiCorp Vault into Capella offers a multifaceted approach to database security:<\/span><\/p>\n<ul>\n<li style=\"list-style-type: none\">\n<ul>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">One of the key advantages is external, centralized user management, where user identities and access permissions are managed in a unified and secure manner. This ensures that access to your databases is controlled, audited, and consistent across your organization.\u00a0<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Vault&#8217;s capabilities extend to credential usage auditing, providing detailed logs and insights into who accessed your databases, when, and for what purpose. This level of transparency is invaluable for compliance and security teams, enabling them to track data access and meet regulatory requirements effectively.\u00a0<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Vault&#8217;s automation shines through with automatic credential rotation and revocation, reducing the risk of unauthorized access due to stale or compromised credentials.\u00a0<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Finally, Vault enables the issuance of dynamic temporary credentials, granting users time-limited access to databases. This not only enhances security but also simplifies user management by reducing the need for long-term credentials. Together, these features transform how you manage database access, making it more secure, efficient, and compliant.<\/span><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p><span style=\"font-weight: 400\">This article serves as a guide to help you leverage the capabilities of our plugin effectively. We will walk you through the entire process, from setting up a local Docker container Vault to managing dynamic credentials effortlessly. By the end of this tutorial, you&#8217;ll be well-equipped to enhance your database security with ease.<\/span><\/p>\n<p><span style=\"font-weight: 400\">Let&#8217;s dive into the world of secure database credential management and unlock the potential of our HashiCorp Vault plugin for Capella<\/span><\/p>\n<h2><span style=\"font-weight: 400\">Step 1: Preparations<\/span><\/h2>\n<p><span style=\"font-weight: 400\">Before diving into the details, it&#8217;s essential to lay the foundation. In this initial step, we&#8217;ll guide you through the essential preparations required to set the stage for seamless integration. From creating an API key to setting up a sandbox database and gathering crucial organizational details, these preparations ensure you have everything you need to complete the plugin setup.<\/span><\/p>\n<h3><span style=\"font-weight: 400\">Create a Capella API Key<\/span><\/h3>\n<p><span style=\"font-weight: 400\">Begin by ensuring you have the necessary API keys. Navigate to your organization settings and head to the <\/span><a href=\"https:\/\/docs.couchbase.com\/cloud\/management-api-guide\/management-api-start.html#generate-management-api-keys\"><span style=\"font-weight: 400\">API Key section.<\/span><\/a><span style=\"font-weight: 400\"> Here, generate a Version 4 key with the organization owner role. This key will be instrumental in our credential management process. The reason for the organization owner role is that we will rotate the root credential later on.<\/span><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-large wp-image-15206\" src=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/2024\/01\/image3.gif\" alt=\"Create a Capella API Key\" width=\"900\" height=\"456\" \/><\/p>\n<h3><span style=\"font-weight: 400\">Decode API Key Credentials<\/span><\/h3>\n<p><span style=\"font-weight: 400\">We will need to provide the Capella <em>ACCESS_KEY<\/em> and the <em>SECRET_KEY<\/em> when we configure the vault plugin. We will grab this from the API key we generated earlier.\u00a0<\/span><\/p>\n<ul>\n<li style=\"list-style-type: none\">\n<ul>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Download the Key<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Click copy button twice at the end of the\u00a0 API Key Token field.\u00a0<\/span><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-large wp-image-15207\" src=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/2024\/01\/image14-1024x264.png\" alt=\"Decode API Key Credentials\" width=\"900\" height=\"232\" srcset=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/01\/image14-1024x264.png 1024w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/01\/image14-300x77.png 300w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/01\/image14-768x198.png 768w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/01\/image14-1536x396.png 1536w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/01\/image14-1320x341.png 1320w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/01\/image14.png 1999w\" sizes=\"auto, (max-width: 900px) 100vw, 900px\" \/><\/p>\n<ul>\n<li style=\"list-style-type: none\">\n<ul>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Decode it using base64<\/span><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<pre class=\"nums:false lang:default decode:true\">echo \"paste your key here\" | base64 --decode<\/pre>\n<p><span style=\"font-weight: 400\">The decoded key will have two values separated by a semicolon:<\/span><\/p>\n<pre class=\"nums:false lang:default decode:true \">HLkOuJult1wb11S2eBBm2C2H0Bm1tHVe:d%1VRg34zdrOeSwgLljG0RGnJPxqeFecK#gfhVCyC%mwZ3gTf1wjJjO4vwPcRpRT<\/pre>\n<p><span style=\"font-weight: 400\">The first one is your <em>ACCESS_KEY<\/em> and the second one is your <em>SECRET_KEY<\/em>. You will need this later when you configure the plugin.<\/span><\/p>\n<h3><span style=\"font-weight: 400\">Set Up a Sandbox Database<\/span><\/h3>\n<p><span style=\"font-weight: 400\">To facilitate this demo, set up a sandbox database. This will serve as a safe environment for testing our plugin.<\/span><\/p>\n<h3><span style=\"font-weight: 400\">Create a Bucket and Scope<\/span><\/h3>\n<p><span style=\"font-weight: 400\">We&#8217;ll also create a bucket <em>vault-bucket-1<\/em> and a scope <em>vault-bucket-1-scope-1<\/em> within our cluster, which will be used when creating dynamic credentials later on.<\/span><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-large wp-image-15208\" src=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/2024\/01\/image12-1024x1004.png\" alt=\"Create a Bucket and Scope\" width=\"900\" height=\"882\" srcset=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/01\/image12-1024x1004.png 1024w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/01\/image12-300x294.png 300w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/01\/image12-768x753.png 768w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/01\/image12-1536x1505.png 1536w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/01\/image12-65x65.png 65w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/01\/image12-50x50.png 50w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/01\/image12-1320x1294.png 1320w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/01\/image12.png 1600w\" sizes=\"auto, (max-width: 900px) 100vw, 900px\" \/><\/p>\n<h3><span style=\"font-weight: 400\">Gather Essential Information<\/span><\/h3>\n<p><span style=\"font-weight: 400\">For the plugin configuration, you&#8217;ll need your organization ID, project ID, and cluster ID. The easiest way to obtain these details is by copying them from the URL and saving them in a text file for reference.<\/span><\/p>\n<ul>\n<li style=\"list-style-type: none\">\n<ul>\n<li style=\"font-weight: 400\"><b>oid<\/b><span style=\"font-weight: 400\"> is your organization Id<\/span><\/li>\n<li style=\"font-weight: 400\"><b>projectId<\/b><span style=\"font-weight: 400\"> is your project id<\/span><\/li>\n<li style=\"font-weight: 400\"><b>dbid<\/b><span style=\"font-weight: 400\"> is your database id<\/span><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-large wp-image-15209\" src=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/2024\/01\/image10.gif\" alt=\"Gather Essential Information\" width=\"900\" height=\"434\" \/><\/p>\n<h2><span style=\"font-weight: 400\">Step 2: Set up Vault<\/span><\/h2>\n<p><span style=\"font-weight: 400\">Now, let&#8217;s get started with the technical aspect. We have two options to run the demo.\u00a0<\/span><\/p>\n<ol>\n<li style=\"list-style-type: none\">\n<ol>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">To run the demo, clone the repository and utilize the Dockerfile within it. This Dockerfile includes steps to compile the plugin from source.\u00a0<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Alternatively, download the binary version of the plugin from the releases page and use that in your Vault installation.<\/span><\/li>\n<\/ol>\n<\/li>\n<\/ol>\n<p><span style=\"font-weight: 400\">I will provide instructions for both methods. Please choose the path that suits your needs and follow the corresponding steps. There is no need to execute both methods<\/span><\/p>\n<h3><span style=\"font-weight: 400\">Option 1: Use the Dockerfile in the plugin repository<\/span><\/h3>\n<p><span style=\"font-weight: 400\">Begin by cloning our GitHub repository:<\/span><\/p>\n<pre class=\"nums:false lang:sh decode:true \">git clone https:\/\/github.com\/couchbasecloud\/vault-plugin-database-couchbasecapella<\/pre>\n<p><span style=\"font-weight: 400\">This repository contains the plugin source code, we will need to build the plugin. For this demo we will be building a docker image using Hashicorp\u2019s vault image. The plugin will be built during the Docker image creation process. This method should only be used for demo purposes. Please follow the instructions from <\/span><a href=\"https:\/\/developer.hashicorp.com\/vault\/docs\/plugins#external-plugins\"><span style=\"font-weight: 400\">Hashicorp<\/span><\/a><span style=\"font-weight: 400\"> on how to install the plugin and use it in your environment.<\/span><\/p>\n<pre class=\"nums:false lang:sh decode:true\">cd vault-plugin-database-couchbasecapella\r\ndocker build -t vault:with-cb-capella-plugin .<\/pre>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-large wp-image-15210\" src=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/2024\/01\/image15-1024x130.png\" alt=\"Use the Dockerfile in the plugin repository\" width=\"900\" height=\"114\" srcset=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/01\/image15-1024x130.png 1024w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/01\/image15-300x38.png 300w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/01\/image15-768x97.png 768w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/01\/image15-1536x194.png 1536w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/01\/image15-1320x167.png 1320w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/01\/image15.png 1999w\" sizes=\"auto, (max-width: 900px) 100vw, 900px\" \/><\/p>\n<p><span style=\"font-weight: 400\">Now the image has been built, We&#8217;ll launch a Vault server in a Docker container, configured for development mode. This allows us to bypass certain security features for easier testing. The Vault server will listen on port 8200 and will be initialized with a root token set to <em>password<\/em>. We&#8217;ll also enable debug-level logging to capture detailed information during our tests.<\/span><\/p>\n<pre class=\"nums:false lang:sh decode:true\">docker run --cap-add=IPC_LOCK --name=\"couchbase_vault\" --rm \\\r\n\u00a0\u00a0\u00a0\u00a0-e VAULT_DEV_LISTEN_ADDRESS=0.0.0.0:8200 \\\r\n\u00a0\u00a0\u00a0\u00a0-e VAULT_ADDR=https:\/\/0.0.0.0:8200 \\\r\n\u00a0\u00a0\u00a0\u00a0-p 8200:8200 \\\r\n\u00a0\u00a0\u00a0\u00a0vault:with-cb-capella-plugin \\\r\n         vault server -dev -dev-root-token-id=\"password\" \\\r\n\u00a0\u00a0\u00a0\u00a0-log-level=debug -config=\/vault\/config\/config.json<\/pre>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-large wp-image-15213\" src=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/2024\/01\/image1-1024x452.png\" alt=\"Vault server will listen on port 8200\" width=\"900\" height=\"397\" srcset=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/01\/image1-1024x452.png 1024w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/01\/image1-300x132.png 300w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/01\/image1-768x339.png 768w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/01\/image1-1536x678.png 1536w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/01\/image1-1320x582.png 1320w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/01\/image1.png 1999w\" sizes=\"auto, (max-width: 900px) 100vw, 900px\" \/><\/p>\n<p><span style=\"font-weight: 400\">Please proceed directly to Step 3, bypassing Option 2.<\/span><\/p>\n<h3><span style=\"font-weight: 400\">Option 2: Download the plugin binary<\/span><\/h3>\n<p><span style=\"font-weight: 400\">Begin by downloading the plugin from the <\/span><a href=\"https:\/\/github.com\/couchbasecloud\/vault-plugin-database-couchbasecapella\/releases\"><span style=\"font-weight: 400\">releases page<\/span><\/a><span style=\"font-weight: 400\">. As of writing this article, the latest version is 1.0.0, and since I am running Linux, I will proceed with downloading <\/span><a href=\"https:\/\/github.com\/couchbasecloud\/vault-plugin-database-couchbasecapella\/releases\/download\/v1.0.0\/vault-plugin-database-couchbasecapella-1.0.0_linux_amd64.zip\"><span style=\"font-weight: 400\">the linux version<\/span><\/a><span style=\"font-weight: 400\">.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400\">Ensure you download the version appropriate for your computer&#8217;s architecture.\u00a0<\/span><\/p>\n<pre class=\"nums:false wrap:true lang:sh decode:true\">curl -L https:\/\/github.com\/couchbasecloud\/vault-plugin-database-couchbasecapella\/releases\/download\/v1.0.0\/vault-plugin-database-couchbasecapella-1.0.0_linux_amd64.zip&amp;nbsp; -o vault-plugin-database-couchbasecapella-1.0.0_linux_amd64.zip<\/pre>\n<p><span style=\"font-weight: 400\">As a security best practice, it&#8217;s important to validate the integrity of the file. Therefore, also download the checksums of the binaries, which can be found on the releases page.<\/span><\/p>\n<pre class=\"nums:false wrap:true lang:sh decode:true \">curl -L https:\/\/github.com\/couchbasecloud\/vault-plugin-database-couchbasecapella\/releases\/download\/v1.0.0\/vault-plugin-database-couchbasecapella-1.0.0_checksums.txt -o vault-plugin-database-couchbasecapella-1.0.0_checksums.txt<\/pre>\n<p><span style=\"font-weight: 400\">Locate the checksum corresponding to the file you downloaded within the text file.<\/span><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-large wp-image-15211\" src=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/2024\/01\/image2-1024x98.png\" alt=\"Locate the checksum\" width=\"900\" height=\"86\" srcset=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/01\/image2-1024x98.png 1024w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/01\/image2-300x29.png 300w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/01\/image2-768x74.png 768w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/01\/image2-1320x126.png 1320w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/01\/image2.png 1421w\" sizes=\"auto, (max-width: 900px) 100vw, 900px\" \/><\/p>\n<p><span style=\"font-weight: 400\">Generate the checksum and validate the result<\/span><\/p>\n<pre class=\"nums:false wrap:true lang:sh decode:true\">sha256sum vault-plugin-database-couchbasecapella-1.0.0_linux_amd64.zip<\/pre>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-large wp-image-15212\" src=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/2024\/01\/image8-1024x22.png\" alt=\"checksum comparison indicates a match\" width=\"900\" height=\"19\" srcset=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/01\/image8-1024x22.png 1024w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/01\/image8-300x6.png 300w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/01\/image8-768x17.png 768w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/01\/image8-1536x33.png 1536w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/01\/image8-1320x28.png 1320w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/01\/image8.png 1999w\" sizes=\"auto, (max-width: 900px) 100vw, 900px\" \/><\/p>\n<p><span style=\"font-weight: 400\">The checksum comparison indicates a match, confirming that the file validation is successful.<\/span><\/p>\n<p><span style=\"font-weight: 400\">It is now secure to extract the contents of the zipfile and retrieve the vault plugin.\u00a0<\/span><\/p>\n<pre class=\"nums:false wrap:true lang:sh decode:true \">unzip vault-plugin-database-couchbasecapella-1.0.0_linux_amd64.zip<\/pre>\n<p><span style=\"font-weight: 400\">At this point, the vault plugin binary should be in our folder. The final step is to generate the hash of this binary, which is necessary for registering the plugin with Vault later. It&#8217;s important to note that this hash is for the binary itself, not the zip file downloaded earlier.<\/span><\/p>\n<pre class=\"nums:false wrap:true lang:sh decode:true \">shasum -a 256 \"couchbasecapella-database-plugin\" | cut -d \" \" -f1 &gt; couchbasecapella-database-plugin.sha256<\/pre>\n<p><span style=\"font-weight: 400\">Executing this command should have resulted in the creation of a new file containing the hash of the vault plugin.<\/span><\/p>\n<p><span style=\"font-weight: 400\">We will also need to create a vault configuration that defines where the plugin resides.<\/span><\/p>\n<pre class=\"nums:false wrap:true lang:sh decode:true \">echo '{\"plugin_directory\": \"\/vault\/plugins\", \"storage\": {\"file\": {\"path\": \"\/vault\/file\"}}, \"default_lease_ttl\": \"168h\", \"max_lease_ttl\": \"720h\", \"ui\": true}' &gt; config.json<\/pre>\n<p><span style=\"font-weight: 400\">\u00a0<\/span><span style=\"font-weight: 400\">The final step involves creating a custom password policy that mirrors the policy used in Capella.<\/span><\/p>\n<pre class=\"nums:false lang:sh decode:true\">cat &gt;password_policy.hcl &lt;&lt; EOF\r\nlength=64\r\n\r\nrule \"charset\" {\r\n\u00a0\u00a0charset = \"abcdefghijklmnopqrstuvwxyz\"\r\n\u00a0\u00a0min-chars = 1\r\n}\r\n\r\nrule \"charset\" {\r\n\u00a0\u00a0charset = \"ABCDEFGHIJKLMNOPQRSTUVWXYZ\"\r\n\u00a0\u00a0min-chars = 1\r\n}\r\n\r\nrule \"charset\" {\r\n\u00a0\u00a0charset = \"0123456789\"\r\n\u00a0\u00a0min-chars = 1\r\n}\r\n\r\nrule \"charset\" {\r\n\u00a0\u00a0charset = \"#@%!\"\r\n\u00a0\u00a0min-chars = 1\r\n}\r\nEOF<\/pre>\n<p><span style=\"font-weight: 400\">Having downloaded the vault plugin and generated its hash, we will now initiate a Vault server in a Docker container, configured in development mode. This setup enables us to circumvent some security features for simplified testing purposes.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400\">The Vault server will listen on port 8200 and will be initialized with a root token set to <em>password<\/em>. We&#8217;ll also enable debug-level logging to capture detailed information during our tests. It is also important to note that we will need to mount our plugin and sha as a volume:<\/span><\/p>\n<pre class=\"nums:false wrap:true lang:sh decode:true\">docker run --cap-add=IPC_LOCK --name=\"couchbase_vault\" --rm \\\r\n\u00a0\u00a0\u00a0\u00a0-e VAULT_DEV_LISTEN_ADDRESS=0.0.0.0:8200 \\\r\n\u00a0\u00a0\u00a0\u00a0-e VAULT_ADDR=https:\/\/0.0.0.0:8200 \\\r\n\u00a0\u00a0\u00a0\u00a0-p 8200:8200 \\\r\n  \u00a0\u00a0-v $(pwd)\/config.json:\/vault\/config\/config.json \\\r\n\u00a0\u00a0  -v $(pwd)\/password_policy.hcl:\/vault\/password_policy.hcl \\\r\n\u00a0\u00a0  -v $(pwd)\/couchbasecapella-database-plugin:\/vault\/plugins\/couchbasecapella-database-plugin \\\r\n\u00a0  \u00a0-v $(pwd)\/couchbasecapella-database-plugin.sha256:\/vault\/couchbasecapella-database-plugin.sha256 \\\r\n \u00a0\u00a0\u00a0\u00a0hashicorp\/vault:1.15 \\\r\n\u00a0\u00a0\u00a0\u00a0\u00a0vault server -dev -dev-root-token-id=\"password\" \\\r\n\u00a0\u00a0\u00a0\u00a0-log-level=debug -config=\/vault\/config\/config.json<\/pre>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-large wp-image-15213\" src=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/2024\/01\/image1-1024x452.png\" alt=\"Vault server will listen on port 8200\" width=\"900\" height=\"397\" srcset=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/01\/image1-1024x452.png 1024w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/01\/image1-300x132.png 300w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/01\/image1-768x339.png 768w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/01\/image1-1536x678.png 1536w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/01\/image1-1320x582.png 1320w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/01\/image1.png 1999w\" sizes=\"auto, (max-width: 900px) 100vw, 900px\" \/><\/p>\n<h3><span style=\"font-weight: 400\">Step 3: Enable Database Secrets<\/span><\/h3>\n<p><span style=\"font-weight: 400\">Vault is now up and running in development mode. Next We&#8217;ll enable Vault&#8217;s database secrets engine. This engine allows Vault to generate dynamic credentials for databases, and it&#8217;s crucial for our plugin to function correctly. By enabling this, we&#8217;re setting the stage for Vault to manage our Capella database credentials. Open up a new terminal and run the following:<\/span><\/p>\n<pre class=\"nums:false wrap:true lang:sh decode:true \">docker ps\r\n\r\ndocker exec -it \"couchbase_vault\" \/bin\/ash -c \"vault login password &amp;&amp; vault secrets enable database\"<\/pre>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-large wp-image-15214\" src=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/2024\/01\/image9-1024x413.png\" alt=\"Enable Database Secrets\" width=\"900\" height=\"363\" srcset=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/01\/image9-1024x413.png 1024w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/01\/image9-300x121.png 300w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/01\/image9-768x310.png 768w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/01\/image9-1320x532.png 1320w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/01\/image9.png 1438w\" sizes=\"auto, (max-width: 900px) 100vw, 900px\" \/><\/p>\n<h3><span style=\"font-weight: 400\">Step 4: Register the Plugin<\/span><\/h3>\n<p><span style=\"font-weight: 400\">We&#8217;ll register our custom plugin with Vault. This involves calculating the SHA-256 hash of the plugin binary to ensure its integrity. Vault uses this hash to verify that the plugin hasn&#8217;t been tampered with when it&#8217;s invoked. Once the hash is calculated, we&#8217;ll use it to register the plugin.<\/span><\/p>\n<pre class=\"nums:false wrap:true lang:sh decode:true \">docker exec -it \"couchbase_vault\" \/bin\/ash -c \"SHA256=\\$(cat \/vault\/couchbasecapella-database-plugin.sha256) &amp;&amp; vault login password &amp;&amp; vault write sys\/plugins\/catalog\/database\/couchbasecapella-database-plugin sha256=\\$SHA256 command=couchbasecapella-database-plugin\"<\/pre>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-large wp-image-15217\" src=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/2024\/01\/image6-1024x287.png\" alt=\"Register the Plugin\" width=\"900\" height=\"252\" srcset=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/01\/image6-1024x287.png 1024w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/01\/image6-300x84.png 300w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/01\/image6-768x216.png 768w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/01\/image6-1536x431.png 1536w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/01\/image6-1320x370.png 1320w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/01\/image6.png 1999w\" sizes=\"auto, (max-width: 900px) 100vw, 900px\" \/><\/p>\n<p><span style=\"font-weight: 400\">Now the plugin has been successfully registered.<\/span><\/p>\n<h3><span style=\"font-weight: 400\">Step 5: Upload Password Policy<\/span><\/h3>\n<p><span style=\"font-weight: 400\">We&#8217;ll upload a password policy to Vault that aligns with Capella&#8217;s password requirements. This ensures that any credentials generated by Vault for Capella will comply with Capella&#8217;s security standards. The policy will be defined in a HashiCorp Configuration Language (HCL) file. This file was added to the Docker image during the build.<\/span><\/p>\n<pre class=\"nums:false wrap:true lang:sh decode:true \">docker exec -it \"couchbase_vault\" \/bin\/ash -c \"vault login password &amp;&amp; vault write sys\/policies\/password\/couchbasecapella policy=@\/vault\/password_policy.hcl\"<\/pre>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-15215 size-large\" src=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/2024\/01\/image13-1024x401.png\" alt=\"Upload Password Policy\" width=\"900\" height=\"352\" srcset=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/01\/image13-1024x401.png 1024w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/01\/image13-300x118.png 300w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/01\/image13-768x301.png 768w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/01\/image13-1320x517.png 1320w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/01\/image13.png 1434w\" sizes=\"auto, (max-width: 900px) 100vw, 900px\" \/><\/p>\n<h3><span style=\"font-weight: 400\">Step 6: Create Database Config<\/span><\/h3>\n<p><span style=\"font-weight: 400\">We&#8217;ll configure Vault to connect to our Capella cluster. This involves specifying various parameters like the base URL for Capella&#8217;s cloud API, organization ID, project ID, and cluster ID. We&#8217;ll also provide the Capella access key we generated earlier. This configuration allows Vault to interact with our Capella cluster and manage credentials dynamically.\u00a0<\/span><\/p>\n<pre class=\"nums:false wrap:true lang:sh decode:true \">docker exec -it \"couchbase_vault\" \/bin\/ash -c \"vault login password &amp;&amp; vault write database\/config\/couchbasecapella-database-plugin plugin_name='couchbasecapella-database-plugin' cloud_api_base_url='https:\/\/cloudapi.cloud.couchbase.com\/v4' organization_id=\"$CAPELLA_ORG_ID\" project_id=\"$CAPELLA_PROJECT_ID\" cluster_id=\"$CAPELLA_CLUSTER_ID\" username=\"$CAPELLA_ACCESS_KEY\" password=\"$CAPELLA_SECRET_KEY\" password_policy='couchbasecapella' allowed_roles='*'\"<\/pre>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-15216 size-large\" src=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/2024\/01\/image11-1024x257.png\" alt=\"Create Database Config\" width=\"900\" height=\"226\" srcset=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/01\/image11-1024x257.png 1024w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/01\/image11-300x75.png 300w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/01\/image11-768x192.png 768w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/01\/image11-1536x385.png 1536w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/01\/image11-1320x331.png 1320w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/01\/image11.png 1772w\" sizes=\"auto, (max-width: 900px) 100vw, 900px\" \/><\/p>\n<p><span style=\"font-weight: 400\">Now the Capella plugin is configured and able to talk to Capella.\u00a0<\/span><\/p>\n<h3><span style=\"font-weight: 400\">Step 7: Rotate Root Credentials<\/span><\/h3>\n<p><span style=\"font-weight: 400\">We&#8217;ll perform a security best practice by rotating the high-privilege root credentials that Vault uses to manage the Capella database. This minimizes the risk associated with any potential exposure of these credentials.<\/span><\/p>\n<pre class=\"nums:false wrap:true lang:sh decode:true \">docker exec -it \"couchbase_vault\" \/bin\/ash -c \"vault login password &amp;&amp; vault write -force database\/rotate-root\/couchbasecapella-database-plugin\"<\/pre>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-large wp-image-15218\" src=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/2024\/01\/image16-1024x37.png\" alt=\"Rotate Root Credentials\" width=\"900\" height=\"33\" srcset=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/01\/image16-1024x37.png 1024w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/01\/image16-300x11.png 300w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/01\/image16-768x28.png 768w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/01\/image16-1536x55.png 1536w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/01\/image16-1320x47.png 1320w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/01\/image16.png 1892w\" sizes=\"auto, (max-width: 900px) 100vw, 900px\" \/><\/p>\n<h3><span style=\"font-weight: 400\">Step 8: Create a Dynamic Role<\/span><\/h3>\n<p><span style=\"font-weight: 400\">Next We&#8217;ll define a dynamic role in Vault. This role will have a set of permissions, defined in JSON format, that specify what kind of database operations are allowed. For example, we&#8217;ll grant <em>data_reader<\/em> and <em>data_writer<\/em> privileges on a specific bucket and scope in our Capella cluster. This dynamic role will be used to generate credentials with these permissions.<\/span><\/p>\n<pre class=\"nums:false wrap:true lang:sh decode:true\">docker exec -it \"couchbase_vault\" \/bin\/ash -c 'vault login password &amp;&amp; vault write database\/roles\/dynamicrole1 db_name=\"couchbasecapella-database-plugin\" creation_statements='\\''{\"access\": [ { \"privileges\": [ \"data_reader\", \"data_writer\" ], \"resources\": { \"buckets\": [ { \"name\": \"vault-bucket-1\", \"scopes\": [ { \"name\": \"vault-bucket-1-scope-1\", \"collections\": [ \"*\" ] } ] } ] } } ]}'\\'' default_ttl=\"5m\" max_ttl=\"1h\"'<\/pre>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-large wp-image-15219\" src=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/2024\/01\/image4-1024x59.png\" alt=\"Create a dynamic role\" width=\"900\" height=\"52\" srcset=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/01\/image4-1024x59.png 1024w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/01\/image4-300x17.png 300w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/01\/image4-768x44.png 768w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/01\/image4.png 1174w\" sizes=\"auto, (max-width: 900px) 100vw, 900px\" \/><\/p>\n<h3><span style=\"font-weight: 400\">Step 9: Create New Credentials<\/span><\/h3>\n<p><span style=\"font-weight: 400\">Finally, we&#8217;ll generate a new set of database credentials using the dynamic role we created. These credentials are temporary and will adhere to the TTL (Time-To-Live) settings we&#8217;ve configured. This is the culmination of our setup, demonstrating how Vault can dynamically manage Capella database credentials.<\/span><\/p>\n<pre class=\"nums:false wrap:true lang:papyrus decode:true \">docker exec -it \"couchbase_vault\" \/bin\/ash -c 'vault login password &amp;&amp; vault read database\/creds\/dynamicrole1'<\/pre>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-large wp-image-15221\" src=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/2024\/01\/image17-1024x220.png\" alt=\"create new credentials\" width=\"900\" height=\"193\" srcset=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/01\/image17-1024x220.png 1024w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/01\/image17-300x64.png 300w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/01\/image17-768x165.png 768w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/01\/image17-1536x330.png 1536w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/01\/image17-1320x284.png 1320w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/01\/image17.png 1880w\" sizes=\"auto, (max-width: 900px) 100vw, 900px\" \/><\/p>\n<p><span style=\"font-weight: 400\">Let\u2019s go back to Capella to check if our credentials in fact show in the UI as well.<\/span><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-large wp-image-15220\" src=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/2024\/01\/image5.gif\" alt=\"manage Capella database credentials\" width=\"900\" height=\"435\" \/><\/p>\n<h2><span style=\"font-weight: 400\">Conclusion<\/span><\/h2>\n<p><span style=\"font-weight: 400\">In conclusion, our HashiCorp Vault plugin for Capella&#8217;s database credential management opens new horizons in enhancing the security of your database infrastructure. Through this step-by-step tutorial, you&#8217;ve gained valuable insights into setting up and utilizing the plugin effectively.<\/span><\/p>\n<p><span style=\"font-weight: 400\">By embracing this solution, you&#8217;re simplifying the process of managing database credentials. We encourage you to explore the full potential of our plugin and look forward to your experiences and feedback.<\/span><\/p>\n<p><span style=\"font-weight: 400\">Secure, efficient, and user-friendly database credential management is now at your fingertips. Take the first step towards a more secure database environment today!<\/span><\/p>\n<p>If you\u2019re interested in learning more about how you can build your own mission-critical modern applications on Couchbase, try our\u00a0<a href=\"https:\/\/cloud.couchbase.com\/sign-up\">30 day free trial of Couchbase Capella<\/a>. And to see more of what our customers are doing with Couchbase, check out our\u00a0<a href=\"https:\/\/www.couchbase.com\/customers\/\">customer case study page<\/a>!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In today&#8217;s data-driven world, secure database credential management is a paramount concern for organizations of all sizes. As we strive to empower you with cutting-edge solutions, we are thrilled to announce the release of our HashiCorp Vault plugin for Capella [&hellip;]<\/p>\n","protected":false},"author":84313,"featured_media":15205,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"inline_featured_image":false,"footnotes":""},"categories":[2225,1813],"tags":[9705,1725],"ppma_author":[9812],"class_list":["post-15204","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cloud","category-security","tag-hashicorp-vault","tag-nosql-database"],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v27.3 (Yoast SEO v27.3) - https:\/\/yoast.com\/product\/yoast-seo-premium-wordpress\/ -->\n<title>Secure DB Credentials with HashiCorp Vault &amp; Capella - The Couchbase Blog<\/title>\n<meta name=\"description\" content=\"Boost Capella database security using our HashiCorp Vault plugin. Follow our guide to set up Vault, handle dynamic credentials &amp; manage them externally.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.couchbase.com\/blog\/pt\/secure-db-credentials-with-hashicorp-vault-capella\/\" \/>\n<meta property=\"og:locale\" content=\"pt_BR\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Secure DB Credentials with HashiCorp Vault &amp; Capella\" \/>\n<meta property=\"og:description\" content=\"Boost Capella database security using our HashiCorp Vault plugin. Follow our guide to set up Vault, handle dynamic credentials &amp; manage them externally.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.couchbase.com\/blog\/pt\/secure-db-credentials-with-hashicorp-vault-capella\/\" \/>\n<meta property=\"og:site_name\" content=\"The Couchbase Blog\" \/>\n<meta property=\"article:published_time\" content=\"2024-01-05T19:18:05+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-06-14T01:39:15+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/01\/image7.png\" \/>\n\t<meta property=\"og:image:width\" content=\"1792\" \/>\n\t<meta property=\"og:image:height\" content=\"1024\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Istvan Orban\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Istvan Orban\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"12 minutos\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.couchbase.com\\\/blog\\\/secure-db-credentials-with-hashicorp-vault-capella\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.couchbase.com\\\/blog\\\/secure-db-credentials-with-hashicorp-vault-capella\\\/\"},\"author\":{\"name\":\"Istvan Orban, Principal Product Manager\",\"@id\":\"https:\\\/\\\/www.couchbase.com\\\/blog\\\/#\\\/schema\\\/person\\\/da80693db66ef61daaabe98bc56afc26\"},\"headline\":\"Secure DB Credentials with HashiCorp Vault &amp; Capella\",\"datePublished\":\"2024-01-05T19:18:05+00:00\",\"dateModified\":\"2025-06-14T01:39:15+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.couchbase.com\\\/blog\\\/secure-db-credentials-with-hashicorp-vault-capella\\\/\"},\"wordCount\":1760,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/www.couchbase.com\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.couchbase.com\\\/blog\\\/secure-db-credentials-with-hashicorp-vault-capella\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.couchbase.com\\\/blog\\\/wp-content\\\/uploads\\\/sites\\\/1\\\/2024\\\/01\\\/image7.png\",\"keywords\":[\"hashicorp vault\",\"NoSQL Database\"],\"articleSection\":[\"Couchbase Capella\",\"Security\"],\"inLanguage\":\"pt-BR\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/www.couchbase.com\\\/blog\\\/secure-db-credentials-with-hashicorp-vault-capella\\\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.couchbase.com\\\/blog\\\/secure-db-credentials-with-hashicorp-vault-capella\\\/\",\"url\":\"https:\\\/\\\/www.couchbase.com\\\/blog\\\/secure-db-credentials-with-hashicorp-vault-capella\\\/\",\"name\":\"Secure DB Credentials with HashiCorp Vault &amp; Capella - The Couchbase Blog\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.couchbase.com\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.couchbase.com\\\/blog\\\/secure-db-credentials-with-hashicorp-vault-capella\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.couchbase.com\\\/blog\\\/secure-db-credentials-with-hashicorp-vault-capella\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.couchbase.com\\\/blog\\\/wp-content\\\/uploads\\\/sites\\\/1\\\/2024\\\/01\\\/image7.png\",\"datePublished\":\"2024-01-05T19:18:05+00:00\",\"dateModified\":\"2025-06-14T01:39:15+00:00\",\"description\":\"Boost Capella database security using our HashiCorp Vault plugin. Follow our guide to set up Vault, handle dynamic credentials & manage them externally.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.couchbase.com\\\/blog\\\/secure-db-credentials-with-hashicorp-vault-capella\\\/#breadcrumb\"},\"inLanguage\":\"pt-BR\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.couchbase.com\\\/blog\\\/secure-db-credentials-with-hashicorp-vault-capella\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"pt-BR\",\"@id\":\"https:\\\/\\\/www.couchbase.com\\\/blog\\\/secure-db-credentials-with-hashicorp-vault-capella\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.couchbase.com\\\/blog\\\/wp-content\\\/uploads\\\/sites\\\/1\\\/2024\\\/01\\\/image7.png\",\"contentUrl\":\"https:\\\/\\\/www.couchbase.com\\\/blog\\\/wp-content\\\/uploads\\\/sites\\\/1\\\/2024\\\/01\\\/image7.png\",\"width\":1792,\"height\":1024,\"caption\":\"HashiCorp Vault with NoSQL Couchbase Capella\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.couchbase.com\\\/blog\\\/secure-db-credentials-with-hashicorp-vault-capella\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.couchbase.com\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Secure DB Credentials with HashiCorp Vault &amp; Capella\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.couchbase.com\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.couchbase.com\\\/blog\\\/\",\"name\":\"The Couchbase Blog\",\"description\":\"Couchbase, the NoSQL Database\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.couchbase.com\\\/blog\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.couchbase.com\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"pt-BR\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.couchbase.com\\\/blog\\\/#organization\",\"name\":\"The Couchbase Blog\",\"url\":\"https:\\\/\\\/www.couchbase.com\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"pt-BR\",\"@id\":\"https:\\\/\\\/www.couchbase.com\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.couchbase.com\\\/blog\\\/wp-content\\\/uploads\\\/2023\\\/04\\\/admin-logo.png\",\"contentUrl\":\"https:\\\/\\\/www.couchbase.com\\\/blog\\\/wp-content\\\/uploads\\\/2023\\\/04\\\/admin-logo.png\",\"width\":218,\"height\":34,\"caption\":\"The Couchbase Blog\"},\"image\":{\"@id\":\"https:\\\/\\\/www.couchbase.com\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.couchbase.com\\\/blog\\\/#\\\/schema\\\/person\\\/da80693db66ef61daaabe98bc56afc26\",\"name\":\"Istvan Orban, Principal Product Manager\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"pt-BR\",\"@id\":\"https:\\\/\\\/www.couchbase.com\\\/blog\\\/wp-content\\\/uploads\\\/sites\\\/1\\\/2023\\\/04\\\/image_2023-04-25_205027722.pngc873b4cba9199faca7f2d3db2f443f81\",\"url\":\"https:\\\/\\\/www.couchbase.com\\\/blog\\\/wp-content\\\/uploads\\\/sites\\\/1\\\/2023\\\/04\\\/image_2023-04-25_205027722.png\",\"contentUrl\":\"https:\\\/\\\/www.couchbase.com\\\/blog\\\/wp-content\\\/uploads\\\/sites\\\/1\\\/2023\\\/04\\\/image_2023-04-25_205027722.png\",\"caption\":\"Istvan Orban, Principal Product Manager\"},\"description\":\"Istvan Orban is the Principal Product Manager for Couchbase and lives in the United Kingdom. Istvan has a wide range of experience as a Full stack Software Engineer, Team leader and Devops Engineer. His main focus is security and Single Sign On. Istvan has led several large scale projects of his 20 year professional career.\",\"url\":\"https:\\\/\\\/www.couchbase.com\\\/blog\\\/pt\\\/author\\\/istvanorban\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"Secure DB Credentials with HashiCorp Vault &amp; Capella - The Couchbase Blog","description":"Aumente a seguran\u00e7a do banco de dados Capella usando nosso plug-in HashiCorp Vault. Siga nosso guia para configurar o Vault, lidar com credenciais din\u00e2micas e gerenci\u00e1-las externamente.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.couchbase.com\/blog\/pt\/secure-db-credentials-with-hashicorp-vault-capella\/","og_locale":"pt_BR","og_type":"article","og_title":"Secure DB Credentials with HashiCorp Vault &amp; Capella","og_description":"Boost Capella database security using our HashiCorp Vault plugin. Follow our guide to set up Vault, handle dynamic credentials & manage them externally.","og_url":"https:\/\/www.couchbase.com\/blog\/pt\/secure-db-credentials-with-hashicorp-vault-capella\/","og_site_name":"The Couchbase Blog","article_published_time":"2024-01-05T19:18:05+00:00","article_modified_time":"2025-06-14T01:39:15+00:00","og_image":[{"width":1792,"height":1024,"url":"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/01\/image7.png","type":"image\/png"}],"author":"Istvan Orban","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Istvan Orban","Est. reading time":"12 minutos"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.couchbase.com\/blog\/secure-db-credentials-with-hashicorp-vault-capella\/#article","isPartOf":{"@id":"https:\/\/www.couchbase.com\/blog\/secure-db-credentials-with-hashicorp-vault-capella\/"},"author":{"name":"Istvan Orban, Principal Product Manager","@id":"https:\/\/www.couchbase.com\/blog\/#\/schema\/person\/da80693db66ef61daaabe98bc56afc26"},"headline":"Secure DB Credentials with HashiCorp Vault &amp; Capella","datePublished":"2024-01-05T19:18:05+00:00","dateModified":"2025-06-14T01:39:15+00:00","mainEntityOfPage":{"@id":"https:\/\/www.couchbase.com\/blog\/secure-db-credentials-with-hashicorp-vault-capella\/"},"wordCount":1760,"commentCount":0,"publisher":{"@id":"https:\/\/www.couchbase.com\/blog\/#organization"},"image":{"@id":"https:\/\/www.couchbase.com\/blog\/secure-db-credentials-with-hashicorp-vault-capella\/#primaryimage"},"thumbnailUrl":"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/01\/image7.png","keywords":["hashicorp vault","NoSQL Database"],"articleSection":["Couchbase Capella","Security"],"inLanguage":"pt-BR","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.couchbase.com\/blog\/secure-db-credentials-with-hashicorp-vault-capella\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/www.couchbase.com\/blog\/secure-db-credentials-with-hashicorp-vault-capella\/","url":"https:\/\/www.couchbase.com\/blog\/secure-db-credentials-with-hashicorp-vault-capella\/","name":"Secure DB Credentials with HashiCorp Vault &amp; Capella - The Couchbase Blog","isPartOf":{"@id":"https:\/\/www.couchbase.com\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.couchbase.com\/blog\/secure-db-credentials-with-hashicorp-vault-capella\/#primaryimage"},"image":{"@id":"https:\/\/www.couchbase.com\/blog\/secure-db-credentials-with-hashicorp-vault-capella\/#primaryimage"},"thumbnailUrl":"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/01\/image7.png","datePublished":"2024-01-05T19:18:05+00:00","dateModified":"2025-06-14T01:39:15+00:00","description":"Aumente a seguran\u00e7a do banco de dados Capella usando nosso plug-in HashiCorp Vault. Siga nosso guia para configurar o Vault, lidar com credenciais din\u00e2micas e gerenci\u00e1-las externamente.","breadcrumb":{"@id":"https:\/\/www.couchbase.com\/blog\/secure-db-credentials-with-hashicorp-vault-capella\/#breadcrumb"},"inLanguage":"pt-BR","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.couchbase.com\/blog\/secure-db-credentials-with-hashicorp-vault-capella\/"]}]},{"@type":"ImageObject","inLanguage":"pt-BR","@id":"https:\/\/www.couchbase.com\/blog\/secure-db-credentials-with-hashicorp-vault-capella\/#primaryimage","url":"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/01\/image7.png","contentUrl":"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/01\/image7.png","width":1792,"height":1024,"caption":"HashiCorp Vault with NoSQL Couchbase Capella"},{"@type":"BreadcrumbList","@id":"https:\/\/www.couchbase.com\/blog\/secure-db-credentials-with-hashicorp-vault-capella\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.couchbase.com\/blog\/"},{"@type":"ListItem","position":2,"name":"Secure DB Credentials with HashiCorp Vault &amp; Capella"}]},{"@type":"WebSite","@id":"https:\/\/www.couchbase.com\/blog\/#website","url":"https:\/\/www.couchbase.com\/blog\/","name":"Blog do Couchbase","description":"Couchbase, o banco de dados NoSQL","publisher":{"@id":"https:\/\/www.couchbase.com\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.couchbase.com\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"pt-BR"},{"@type":"Organization","@id":"https:\/\/www.couchbase.com\/blog\/#organization","name":"Blog do Couchbase","url":"https:\/\/www.couchbase.com\/blog\/","logo":{"@type":"ImageObject","inLanguage":"pt-BR","@id":"https:\/\/www.couchbase.com\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/2023\/04\/admin-logo.png","contentUrl":"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/2023\/04\/admin-logo.png","width":218,"height":34,"caption":"The Couchbase Blog"},"image":{"@id":"https:\/\/www.couchbase.com\/blog\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/www.couchbase.com\/blog\/#\/schema\/person\/da80693db66ef61daaabe98bc56afc26","name":"Istvan Orban, gerente principal de produtos","image":{"@type":"ImageObject","inLanguage":"pt-BR","@id":"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2023\/04\/image_2023-04-25_205027722.pngc873b4cba9199faca7f2d3db2f443f81","url":"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2023\/04\/image_2023-04-25_205027722.png","contentUrl":"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2023\/04\/image_2023-04-25_205027722.png","caption":"Istvan Orban, Principal Product Manager"},"description":"Istvan Orban \u00e9 o principal gerente de produtos da Couchbase e mora no Reino Unido. Istvan tem uma ampla experi\u00eancia como engenheiro de software de pilha completa, l\u00edder de equipe e engenheiro de Devops. Seu foco principal \u00e9 a seguran\u00e7a e o Single Sign On. Istvan liderou v\u00e1rios projetos de grande escala em seus 20 anos de carreira profissional.","url":"https:\/\/www.couchbase.com\/blog\/pt\/author\/istvanorban\/"}]}},"acf":[],"authors":[{"term_id":9812,"user_id":84313,"is_guest":0,"slug":"istvanorban","display_name":"Istvan Orban","avatar_url":{"url":"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2023\/04\/image_2023-04-25_205027722.png","url2x":"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2023\/04\/image_2023-04-25_205027722.png"},"0":null,"1":"","2":"","3":"","4":"","5":"","6":"","7":"","8":""}],"_links":{"self":[{"href":"https:\/\/www.couchbase.com\/blog\/pt\/wp-json\/wp\/v2\/posts\/15204","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.couchbase.com\/blog\/pt\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.couchbase.com\/blog\/pt\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.couchbase.com\/blog\/pt\/wp-json\/wp\/v2\/users\/84313"}],"replies":[{"embeddable":true,"href":"https:\/\/www.couchbase.com\/blog\/pt\/wp-json\/wp\/v2\/comments?post=15204"}],"version-history":[{"count":0,"href":"https:\/\/www.couchbase.com\/blog\/pt\/wp-json\/wp\/v2\/posts\/15204\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.couchbase.com\/blog\/pt\/wp-json\/wp\/v2\/media\/15205"}],"wp:attachment":[{"href":"https:\/\/www.couchbase.com\/blog\/pt\/wp-json\/wp\/v2\/media?parent=15204"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.couchbase.com\/blog\/pt\/wp-json\/wp\/v2\/categories?post=15204"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.couchbase.com\/blog\/pt\/wp-json\/wp\/v2\/tags?post=15204"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.couchbase.com\/blog\/pt\/wp-json\/wp\/v2\/ppma_author?post=15204"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}