Open zehuac opened 2 years ago
Thanks for opening this, @zehuac. Your assessment on this is correct. The current API used by this plugin requires the full_admin role to rotate the root credential. We're exploring the option of instead using the changePassword API so that the admin user can have a less permissive role.
@austingebauer Support for this has been implemented. It's currently designated as uncommitted but it has been stable since it was a fairly simple change. It will be upgraded to committed in our upcoming SDK API 3.5 releases (coming circa March), so I just wanted to circle back around and make sure you were aware. Is the plugin going to be updated to make use of this?
Hello,
When following the instructions to set up Vault-Couchbase configuration, we granted roles "Cluster Admin" and "Security Admin" to the vault admin user, and saw the following error when trying to rotate the password:
We did some experiments and found that it seems the Full Admin role is a must to achieve password rotation.
We have verified that the roles "Cluster Admin" and "Security Admin" are enough to change user passwords by using this changePassword API. Currently, however, the Couchbase plugin is using this one (correct me if I am wrong).
It would definitely be better if we could minimize the permissions needed by this Vault DB admin user. Please let us know if we missed anything, or whether it is possible to fix this. Thank you in advance for any help!