# Database Dynamic Credentials — OpenBao Date: 2026-06-24 Workplan: WARDEN-WP-0012 T4 Catalog: `database-dynamic-credentials` (draft until engine ships) Pointer playbook for short-lived database passwords issued by OpenBao dynamic secret engines (e.g. CNPG-managed PostgreSQL). ops-warden does not issue DB credentials — custody and engine configuration belong to `railiance-platform`; consumers request credentials through approved paths after flex-auth policy where required. --- ## Owners | Concern | Owner repo | Authoritative doc | | --- | --- | --- | | OpenBao database engine, paths, policies | `railiance-platform` | `docs/openbao.md`, `workplans/RAIL-PL-WP-0002-openbao-platform-secrets-service.md` | | Authorization before sensitive reads | `flex-auth` | `INTENT.md` | | Application connection and lease handling | Owning app repo | App-specific deployment docs | --- ## Do not ask ops-warden ```bash warden route show openbao-api-key --json warden route show database-dynamic-credentials --json # after promotion ``` Never paste DB passwords, connection strings with credentials, or root DB admin tokens in Git, State Hub, logs, or agent chat. --- ## Platform path convention From `railiance-platform/docs/openbao.md`: ```text platform/databases/ ``` Dynamic credentials are issued via OpenBao database secrets engine roles — not static KV copies. Coordinate the exact mount and role name with platform before wiring workloads. **Promotion gate:** catalog entry stays `status: draft` until the database secrets engine and consumer role exist in the live cluster. --- ## Worker checklist ### 1. Confirm need type - [ ] Short-lived DB password (dynamic) vs long-lived KV secret — prefer dynamic - [ ] Target database identified (CNPG cluster, service name, database name) - [ ] flex-auth policy requires approval for this read (if tenant policy says so) ### 2. Platform provisioning (operator) - [ ] Database secrets engine configured with least-privilege creation statements - [ ] Role TTL aligned to workload session (minutes–hours, not days) - [ ] Path registered under `platform/databases/` - [ ] Audit logging enabled on secret access ### 3. Workload consumption - [ ] App uses ESO or CSI to materialize username/password into K8s Secret - [ ] Connection pool handles credential rotation before lease expiry - [ ] No hard-coded passwords in Helm values or ConfigMaps ### 4. Verify - [ ] App connects with issued credentials - [ ] Lease renewal or re-read succeeds before expiry - [ ] Revocation on pod teardown (if policy requires) ### 5. Rotation / revocation - [ ] OpenBao revokes lease on role change - [ ] Platform operator documents break-glass DB admin path separately (not via warden) --- ## Owner-repo next actions | Repo | Action | | --- | --- | | `railiance-platform` | Configure database secrets engine, roles, and policies | | Owning application | Wire ESO/CSI and connection handling for lease TTL | | `flex-auth` | Policy for database credential requests (if gated) | --- ## See also - `railiance-platform/docs/openbao.md` - `railiance-platform/workplans/RAIL-PL-WP-0002-openbao-platform-secrets-service.md` - `wiki/CredentialRouting.md#routing-table`