# Dynamic Secrets

Dynamic Secrets generate ephemeral database credentials with automatic expiry. Instead of storing static usernames and passwords that live forever, SyVault creates temporary database users on the fly, scoped to the minimum required permissions, and automatically drops them when the lease expires.
## How It Works
- You configure a target -- a database connection with admin credentials that SyVault can use to create and drop users.
- An application requests a lease via the API, specifying a TTL (time-to-live).
- SyVault connects to the target database, creates a temporary user with a random password, and grants the permissions defined in the target configuration.
- The application receives the temporary credentials and uses them to connect.
- When the lease expires (or is revoked early), SyVault connects to the target and drops the temporary user.
## Supported Targets
| Database | Create Action | Revoke Action |
|---|---|---|
| PostgreSQL | CREATE ROLE + GRANT on specified databases/schemas | DROP ROLE (after terminating active connections) |
| MySQL | CREATE USER + GRANT on specified databases/tables | DROP USER (after killing active sessions) |
## API Reference

### Create a Lease

`POST /api/sm/v1/dynamic/lease`

```bash
curl -X POST https://vault.example.com/api/sm/v1/dynamic/lease \
  -H "Authorization: Bearer $SM_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "record_uid": "7Kj9mNpQ2xRs",
    "ttl_seconds": 3600
  }'
```
| Field | Type | Required | Description |
|---|---|---|---|
| record_uid | string | Yes | The UID of the dynamic secret target record. |
| ttl_seconds | integer | Yes | Lease duration in seconds. Maximum: 86400 (24 hours). |
Response (201):

```json
{
  "lease_id": "lease-uuid-1",
  "username": "vf_tmp_a8f3k2m9",
  "password": "xK9#mP2$qR7wL4nB",
  "connection_string": "postgresql://vf_tmp_a8f3k2m9:xK9%23mP2%24qR7wL4nB@db.example.com:5432/myapp",
  "expires_at": "2026-04-06T13:00:00Z"
}
```
### List Active Leases

`GET /api/sm/v1/dynamic/leases`

```bash
curl https://vault.example.com/api/sm/v1/dynamic/leases \
  -H "Authorization: Bearer $SM_TOKEN"
```
Response (200):

```json
{
  "data": [
    {
      "lease_id": "lease-uuid-1",
      "record_uid": "7Kj9mNpQ2xRs",
      "username": "vf_tmp_a8f3k2m9",
      "created_at": "2026-04-06T12:00:00Z",
      "expires_at": "2026-04-06T13:00:00Z"
    }
  ]
}
```
### Revoke a Lease

`DELETE /api/sm/v1/dynamic/leases/{id}`

```bash
curl -X DELETE https://vault.example.com/api/sm/v1/dynamic/leases/lease-uuid-1 \
  -H "Authorization: Bearer $SM_TOKEN"
```
Returns 204 No Content. The temporary database user is dropped immediately.
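The create/revoke pair above, as an added example that is not part of SyVault's SDK or docs: a small REST client that enforces the 86400-second cap client-side, percent-encodes the returned password into a connection string (the `#` and `$` in the sample password become `%23` and `%24`, exactly as in the response above), and guarantees the DELETE runs even if the application's database work raises. The `transport` callable is an assumption introduced so the class runs offline against the constructed `fake_transport`; `http_transport` is the real one.

```python
import json
from urllib.parse import quote
from urllib.request import Request, urlopen

MAX_TTL_SECONDS = 86400  # server-side cap documented above (24 hours)

def http_transport(method, url, token, body=None):
    """Real transport: returns (HTTP status, parsed JSON body or None)."""
    data = json.dumps(body).encode() if body is not None else None
    req = Request(url, data=data, method=method, headers={
        "Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urlopen(req) as resp:  # raises HTTPError on 4xx/5xx
        return resp.status, json.loads(resp.read() or b"null")

def fake_transport(method, url, token, body=None):
    """Constructed stand-in for offline runs; mirrors the 201/204 responses shown above."""
    if method == "POST":
        return 201, {"lease_id": "lease-uuid-1", "username": "vf_tmp_a8f3k2m9",
                     "password": "xK9#mP2$qR7wL4nB", "expires_at": "2026-04-06T13:00:00Z"}
    return 204, None

def build_connection_string(username, password, host, port, dbname):
    """Percent-encode both parts so characters like '#' and '$' survive URL parsing."""
    return (f"postgresql://{quote(username, safe='')}:{quote(password, safe='')}"
            f"@{host}:{port}/{dbname}")

class DynamicLease:
    """Context manager: POST a lease on enter, DELETE it on exit, even if the body raises."""
    def __init__(self, server, token, record_uid, ttl_seconds, transport=http_transport):
        if not 0 < ttl_seconds <= MAX_TTL_SECONDS:
            raise ValueError(f"ttl_seconds must be between 1 and {MAX_TTL_SECONDS}")
        self.base = server.rstrip("/") + "/api/sm/v1/dynamic"
        self.token, self.record_uid, self.ttl = token, record_uid, ttl_seconds
        self.transport, self.lease = transport, None

    def __enter__(self):
        status, body = self.transport("POST", f"{self.base}/lease", self.token,
                                      {"record_uid": self.record_uid, "ttl_seconds": self.ttl})
        if status != 201:
            raise RuntimeError(f"lease creation failed: HTTP {status}")
        self.lease = body
        return body

    def __exit__(self, exc_type, exc, tb):
        # Revoke early instead of waiting for expiry; SyVault drops the temp user at once.
        status, _ = self.transport("DELETE", f"{self.base}/leases/{self.lease['lease_id']}",
                                   self.token)
        if status != 204 and exc_type is None:  # don't mask an in-flight application error
            raise RuntimeError(f"revocation failed: HTTP {status}")
        return False  # never swallow the application's own exception
```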
## Usage Examples

### Python SDK

```python
from syvault import SecretsManagerClient
import psycopg2

client = SecretsManagerClient(
    server="https://vault.example.com",
    client_id="c9a1b2d3-4e5f-6789-abcd-ef0123456789",
    private_key_path="/etc/syvault/client.pem"
)

# Create a 1-hour lease
lease = client.dynamic.create_lease(
    record_uid="7Kj9mNpQ2xRs",
    ttl_seconds=3600
)
print(f"Connect with: {lease.connection_string}")  # contains the password; keep it out of logs
print(f"Expires at: {lease.expires_at}")

# Use the temporary credentials
try:
    conn = psycopg2.connect(lease.connection_string)
    # ... run queries ...
    conn.close()
finally:
    # When done, revoke early so the temporary user is dropped immediately,
    # even if the database work above raised
    client.dynamic.revoke_lease(lease.lease_id)
```
### Kubernetes CronJob
Use a CronJob to rotate database credentials on a schedule. The init container fetches a fresh lease, writes it to a shared volume, and the application container reads it on startup.
```yaml
apiVersion: batch/v1
kind: CronJob
metadata:
  name: db-credential-refresh
  namespace: myapp
spec:
  schedule: "0 */1 * * *" # every hour
  jobTemplate:
    spec:
      template:
        spec:
          serviceAccountName: myapp-sa
          initContainers:
            - name: fetch-lease
              image: syvault/cli:latest
              command:
                - sh
                - -c
                - |
                  sy dynamic lease create \
                    --record-uid 7Kj9mNpQ2xRs \
                    --ttl 3600 \
                    --output /shared/db-creds.json
              volumeMounts:
                - name: shared
                  mountPath: /shared
              env:
                - name: SY_SERVER
                  value: "https://vault.example.com"
                - name: SY_CLIENT_ID
                  valueFrom:
                    secretKeyRef:
                      name: syvault-sm
                      key: client-id
                - name: SY_PRIVATE_KEY
                  valueFrom:
                    secretKeyRef:
                      name: syvault-sm
                      key: private-key
          containers:
            - name: db-migration
              image: myapp/migrations:latest
              command: ["./run-migrations.sh"]
              volumeMounts:
                - name: shared
                  mountPath: /shared
                  readOnly: true
          volumes:
            - name: shared
              emptyDir: {}
          restartPolicy: OnFailure
```
## Security Considerations
- Maximum TTL. Leases are capped at 86400 seconds (24 hours). Longer-lived credentials should use static secrets with rotation instead.
- Credential isolation. Each lease creates a unique database user. Compromising one lease does not affect others.
- Revocation is immediate. When a lease is revoked, SyVault terminates active connections from the temporary user before dropping the role, ensuring no lingering sessions.
- Admin credential security. The target database admin credentials are stored as an encrypted record in SyVault. They are decrypted only in-memory on the server during user creation and revocation.
- Audit logging. Lease creation and revocation events are recorded in the Secrets Manager audit log, including the client ID, target, and TTL.