Add info on DynamoDB from Jira SPE-125 (#23682)

* Add info on DynamoDB from Jira SPE-125 * Update website/content/docs/secrets/databases/index.mdx Co-authored-by: Sarah Chavis <[email protected]> * Update website/content/docs/secrets/databases/index.mdx Co-authored-by: Sarah Chavis <[email protected]> * Update website/content/docs/secrets/databases/index.mdx Co-authored-by: Sarah Chavis <[email protected]> --------- Co-authored-by: Sarah Chavis <[email protected]>
hashicorp · Oct 16, 2023 · c2f5ee0 · c2f5ee0
1 parent bc4be73
commit c2f5ee0
Showing 1 changed file with 65 additions and 1 deletion.
diff --git a/website/content/docs/secrets/databases/index.mdx b/website/content/docs/secrets/databases/index.mdx
@@ -42,7 +42,7 @@ associated user account in the database.
 <Warning title="Do not use static roles for root database credentials">
    Do not manage the same root database credentials that you provide to Vault in
    <tt>config/</tt> with static roles.
-   
+
    Vault does not distinguish between standard credentials and root credentials
    when rotating passwords. If you assign your root credentials to a static
    role, any dynamic or static users managed by that database configuration will
@@ -277,6 +277,70 @@ password='your#StrongPassword%' \
 disable_escaping="true"
 ```
 
+## Unsupported databases
+
+### AWS DynamoDB
+
+Amazon Web Services (AWS) DynamoDB is a fully managed, serverless, key-value NoSQL database service. While
+DynamoDB is not supported by the database secrets engine, you can use the [AWS secrets engine](/vault/docs/secrets/aws)
+to provision dynamic credentials capable of accessing DynamoDB.
+
+1. Verify you have the AWS secrets engine enabled and configured.
+
+1. Create a role with the necessary permissions for your users to access DynamoDB. For example:
+
+   ```shell-session
+   $ vault write aws/roles/aws-dynamodb-read \
+           credential_type=iam_user \
+           policy_document=-<<EOF
+   {
+   	"Version": "2012-10-17",
+   	"Statement": [
+   		{
+   			"Effect": "Allow",
+   			"Action": [
+   				"dynamodb:DescribeTable",
+   				"dynamodb:GetItem",
+   				"dynamodb:GetRecords"
+   			],
+   			"Resource": "arn:aws:dynamodb:us-east-1:1234567891:table/example-table"
+   		},
+   		{
+   			"Effect": "Allow",
+   			"Action": "dynamodb:ListTables",
+   			"Resource": "*"
+   		}
+   	]
+   }
+   EOF
+   ```
+
+1. Generate dynamic credentials for DynamoDB using the `aws-dynamodb-read` role:
+
+   ```shell-session
+   $ vault read aws/creds/aws-dynamodb-read
+   Key                Value
+   ---                -----
+   lease_id           aws/creds/my-role/kbSnl9WSDzOXQerd8GiVh75N.DACNl
+   lease_duration     1h
+   lease_renewable    true
+   access_key         AKALMNOP123456
+   secret_key         xY4XhS3AsM3s+R33tCaybsT2XI6BVL+vF+khbbYD
+   security_token     <nil>
+   ```
+
+1. Use the dynamic credentials generated by Vault to access DynamoDB. For example, to connect with the
+   the [AWS CLI](https://docs.aws.amazon.com/cli/latest/reference/dynamodb/).
+
+   ```shell-session
+   $ aws dynamodb list-tables --region us-east-1
+   {
+       "TableNames": [
+           "example-table"
+       ]
+   }
+   ```
+
 ## Tutorial
 
 Refer to the following step-by-step tutorials for more information: