Best Practices for Managing Database Access

Asked By CleverPineapple42 On

I'm working on a project involving managed, credential-less database access and I've noticed that different companies have unique methods for managing database credentials, especially for on-call staff during troubleshooting or support. In my experience, teams often use shared, read-only credentials stored in public password managers, which aren't rotated frequently. Moreover, these credentials usually require VPN access. I'm eager to learn about the best practices that others in the industry are following. What methods do you use and recommend for safe and effective database access?

5 Answers

Answered By TechyTurtle99 On

If you're working in an AWS environment, I recommend setting up a single 'break glass' IAM role. This way, all necessary users can assume this role when needed, simplifying management, and you can easily track who used it through CloudTrail.

SmartyPants7 -

That's a solid approach! Using AWS' IAM features definitely streamlines the management of permissions.
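Added example, not part of the answer or comment above: one way to do the CloudTrail review that answer mentions, listing every `sts:AssumeRole` call against the break-glass role, denied attempts included. The role ARN, account ID, user names and sample events are constructed assumptions.

```python
from collections import Counter

# Assumption: hypothetical role name; the account ID is a placeholder.
BREAK_GLASS_ROLE = "arn:aws:iam::111122223333:role/db-break-glass"
USER = "arn:aws:iam::111122223333:user/"

def _event(time, user, event_name, role, ip, error=None):
    """Build a constructed record with the CloudTrail fields used below."""
    ev = {"eventTime": time, "eventSource": "sts.amazonaws.com",
          "eventName": event_name, "sourceIPAddress": ip,
          "userIdentity": {"type": "IAMUser", "arn": USER + user},
          "requestParameters": {"roleArn": role, "roleSessionName": user + "-oncall"}}
    if error:
        ev["errorCode"] = error  # CloudTrail sets errorCode on failed calls
    return ev

# Constructed sample events, not real logs.
SAMPLE_EVENTS = [
    _event("2024-05-02T03:10:00Z", "bob", "AssumeRole", BREAK_GLASS_ROLE, "198.51.100.9", "AccessDenied"),
    _event("2024-05-01T22:14:07Z", "alice", "AssumeRole", BREAK_GLASS_ROLE, "203.0.113.10"),
    _event("2024-05-01T09:00:00Z", "alice", "AssumeRole", "arn:aws:iam::111122223333:role/ci-deploy", "203.0.113.10"),
    _event("2024-05-01T09:05:00Z", "carol", "GetCallerIdentity", None, "203.0.113.77"),
]

def break_glass_uses(events, role_arn=BREAK_GLASS_ROLE):
    """Return every AssumeRole call that targeted role_arn, oldest first."""
    uses = []
    for ev in events:
        if ev.get("eventSource") != "sts.amazonaws.com" or ev.get("eventName") != "AssumeRole":
            continue
        params = ev.get("requestParameters") or {}
        if params.get("roleArn") != role_arn:
            continue
        uses.append({"time": ev["eventTime"],
                     "caller": ev.get("userIdentity", {}).get("arn", "unknown"),
                     "session": params.get("roleSessionName"),
                     "source_ip": ev.get("sourceIPAddress"),
                     "granted": "errorCode" not in ev})  # denied attempts matter too
    return sorted(uses, key=lambda u: u["time"])

def summarize(uses):
    """Count granted and denied assumptions per caller."""
    return Counter((u["caller"], u["granted"]) for u in uses)

if __name__ == "__main__":
    for use in break_glass_uses(SAMPLE_EVENTS):
        print(use)
```
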

Answered By SecuritySeeker21 On

We're utilizing HashiCorp Vault for JIT (Just-In-Time) credentials. Each DB has predefined roles to assign temporary users to developers, keeping permissions secure for different environments, including production.

DataWhiz10 -

That’s intriguing! Do the temporary roles actually auto-delete after use?

QuestioningDev -

And how do your team members connect to the production databases? Is it through VPN or a jump box?

Answered By CodeNinja37 On

In our case, we keep staging credentials in a password manager like 1Password, but for production, it usually involves asking a DevOps engineer to run queries directly, since developers don't have access to production databases at all.

DebuggingDino -

Haha, yeah that's the reality! If you're not part of the platform team, it’s tough to touch a prod DB.

DataGuru23 -

Interesting! Do you use any ticketing systems for those requests?

Answered By HappyDev42 On

Our company transitioned to using Bytebase for managing database requests. Previously, we had to ask DevOps to run queries, which became overwhelming. Now we can request different access levels and set automatic approvals for lower environments.

CuriousCoder3 -

Sounds efficient! I love that Bytebase also keeps an audit trail—it must help with accountability.

Answered By AccessMaster5 On

We’ve implemented an automated system for accessing databases where users can request different access levels that range from read-only to full DBA permissions. Typically, normal access requests are automatically approved for short time frames to speed things up.

TeamPlayer8 -

That sounds quite user-friendly! It must save a lot of headaches compared to manual requests.
