diff --git a/website/content/docs/secrets/databases/index.mdx b/website/content/docs/secrets/databases/index.mdx index 49427677d80e..c08c0614a44e 100644 --- a/website/content/docs/secrets/databases/index.mdx +++ b/website/content/docs/secrets/databases/index.mdx @@ -42,7 +42,7 @@ associated user account in the database. Do not manage the same root database credentials that you provide to Vault in config/ with static roles. - + Vault does not distinguish between standard credentials and root credentials when rotating passwords. If you assign your root credentials to a static role, any dynamic or static users managed by that database configuration will @@ -277,6 +277,70 @@ password='your#StrongPassword%' \ disable_escaping="true" ``` +## Unsupported databases + +### AWS DynamoDB + +Amazon Web Services (AWS) DynamoDB is a fully managed, serverless, key-value NoSQL database service. While +DynamoDB is not supported by the database secrets engine, you can use the [AWS secrets engine](/vault/docs/secrets/aws) +to provision dynamic credentials capable of accessing DynamoDB. + +1. Verify you have the AWS secrets engine enabled and configured. + +1. Create a role with the necessary permissions for your users to access DynamoDB. For example: + + ```shell-session + $ vault write aws/roles/aws-dynamodb-read \ + credential_type=iam_user \ + policy_document=-< + ``` + +1. Use the dynamic credentials generated by Vault to access DynamoDB. For example, to connect with the + the [AWS CLI](https://docs.aws.amazon.com/cli/latest/reference/dynamodb/). + + ```shell-session + $ aws dynamodb list-tables --region us-east-1 + { + "TableNames": [ + "example-table" + ] + } + ``` + ## Tutorial Refer to the following step-by-step tutorials for more information: