hashicorp / vault-plugin-database-couchbase

Mozilla Public License 2.0

Admin password rotation could be achieved using less privileges #23

Open zehuac opened 2 years ago

zehuac commented 2 years ago

Hello,

When following the instructions to set up Vault-Couchbase configuration, we granted roles "Cluster Admin" and "Security Admin" to the vault admin user, and saw the following error when trying to rotate the password:

```
~ » vault write -force database/rotate-root/my-couchbase-database
Error writing data to database/rotate-root/my-couchbase-database: Error making API request.

URL: PUT http://127.0.0.1:8200/v1/database/rotate-root/my-couchbase-database
Code: 500. Errors:

* 1 error occurred:
    * failed to update user: {"message":"Forbidden. User needs one of the following permissions","permissions":["cluster.admin.security.admin!write"]} | {"unique_id":"7e84bc10-ba53-427e-a103-73c48b441e34","endpoint":"http://127.0.0.1:8091"}
```

We did some experiments and found that it seems the Full Admin role is a must to achieve password rotation.

We have verified that the roles "Cluster Admin" and "Security Admin" are enough to change user passwords by using this changePassword API, while currently the couchbase plugin is using this one (correct me if I am wrong).

It's definitely better if we could minimize the permissions needed by this vault db admin user. Please suggest if I missed anything, or is it possible to fix it? Thank you in advance for any help!

austingebauer commented 2 years ago

Thanks for opening this, @zehuac. Your assessment on this is correct. The current API used by this plugin requires the full_admin role to rotate the root credential. We're exploring the option of instead using the changePassword API so that the admin user can have a less permissive role.
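The two code paths compared above, as an added Go example that is not the plugin's own code: an in-process mock server (constructed for this demo, not Couchbase) that refuses PUT /settings/rbac/users/local/<name> unless the caller is Full Admin, reproducing the 403 quoted in the issue, and accepts POST /controller/changePassword from any authenticated user for that user's own password; plus a rotation routine that takes the changePassword path and proves the new credential works before reporting success. The two endpoint paths are the Couchbase Server REST endpoints; the user names, passwords, and the mock's simplified permission rule (Full Admin only for the upsert) are assumptions.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
	"sync"
)

// newMockCouchbase starts an in-process server imitating the two ns_server endpoints
// from the issue. Constructed mock, not Couchbase: PUT /settings/rbac/users/local/<name>
// is refused for anyone but Full Admin, while POST /controller/changePassword only needs
// the caller to authenticate as the user whose password changes.
func newMockCouchbase() *httptest.Server {
	var mu sync.Mutex
	passwords := map[string]string{"Administrator": "adminpw", "vault": "old-secret"} // constructed users
	fullAdmin := map[string]bool{"Administrator": true}                                // vault: cluster_admin + security_admin only
	authn := func(r *http.Request) string {
		name, pw, ok := r.BasicAuth()
		if stored, known := passwords[name]; ok && known && stored == pw {
			return name
		}
		return ""
	}
	mux := http.NewServeMux()
	// handle registers h behind basic auth and a lock that serialises the user table.
	handle := func(path string, h func(caller string, w http.ResponseWriter, r *http.Request)) {
		mux.HandleFunc(path, func(w http.ResponseWriter, r *http.Request) {
			mu.Lock()
			defer mu.Unlock()
			if caller := authn(r); caller == "" {
				http.Error(w, "unauthorized", http.StatusUnauthorized)
			} else {
				h(caller, w, r)
			}
		})
	}
	handle("/pools", func(string, http.ResponseWriter, *http.Request) {}) // any authenticated user
	handle("/controller/changePassword", func(caller string, w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodPost || r.ParseForm() != nil || r.PostForm.Get("password") == "" {
			http.Error(w, "bad request", http.StatusBadRequest)
			return
		}
		passwords[caller] = r.PostForm.Get("password") // only the caller's own password changes
	})
	handle("/settings/rbac/users/local/", func(caller string, w http.ResponseWriter, r *http.Request) {
		target := strings.TrimPrefix(r.URL.Path, "/settings/rbac/users/local/")
		_, known := passwords[target]
		switch {
		case !fullAdmin[caller]: // the 403 quoted in the issue
			http.Error(w, `{"message":"Forbidden. User needs one of the following permissions","permissions":["cluster.admin.security.admin!write"]}`, http.StatusForbidden)
		case r.Method != http.MethodPut || r.ParseForm() != nil || !known:
			http.Error(w, "bad request", http.StatusBadRequest)
		default:
			passwords[target] = r.PostForm.Get("password")
		}
	})
	return httptest.NewServer(mux)
}

// call sends one basic-auth, form-encoded request and fails unless the server answers 200.
func call(method, endpoint, user, pass string, form url.Values) error {
	req, err := http.NewRequest(method, endpoint, strings.NewReader(form.Encode()))
	if err != nil {
		return err
	}
	req.SetBasicAuth(user, pass)
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		body, _ := io.ReadAll(resp.Body)
		return fmt.Errorf("%s %s as %q: HTTP %d %s", method, req.URL.Path, user, resp.StatusCode, strings.TrimSpace(string(body)))
	}
	return nil
}

// UpsertUserPassword is the user-upsert path (PUT /settings/rbac/users/local/<name>) that needed Full Admin.
func UpsertUserPassword(base, adminUser, adminPass, target, newPass string) error {
	return call(http.MethodPut, base+"/settings/rbac/users/local/"+url.PathEscape(target), adminUser, adminPass, url.Values{"password": {newPass}})
}

// RotateOwnPassword rotates the root credential as the root user itself via POST /controller/changePassword,
// then verifies the new credential so the caller never stores a password it cannot log in with.
func RotateOwnPassword(base, user, oldPass, newPass string) error {
	if err := call(http.MethodPost, base+"/controller/changePassword", user, oldPass, url.Values{"password": {newPass}}); err != nil {
		return err
	}
	return VerifyLogin(base, user, newPass)
}

// VerifyLogin checks a credential against GET /pools, which any authenticated user may read.
func VerifyLogin(base, user, pass string) error {
	return call(http.MethodGet, base+"/pools", user, pass, nil)
}
```

To try it against a real cluster, pass the management URL from the issue (http://127.0.0.1:8091) instead of the mock's URL. The verification step is the part worth keeping in any rotation code: if the stored secret is updated without confirming the server accepted the new password, the next rotation (and everything else Vault does as that user) fails with no way back in.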

raycardillo commented 4 months ago

@austingebauer Support for this has been implemented. It's currently designated as uncommitted but it has been stable since it was a fairly simple change. It will be upgraded to committed in our upcoming SDK API 3.5 releases (coming circa March), so I just wanted to circle back around and make sure you were aware. Is the plugin going to be updated to make use of this?