Version: 1.0

Dynamic Secrets

Dynamic Secrets generate ephemeral database credentials with automatic expiry. Instead of storing static usernames and passwords that live forever, SyVault creates temporary database users on-the-fly, scoped with the minimum required permissions, and automatically drops them when the lease expires.

How It Works

You configure a target -- a database connection with admin credentials that SyVault can use to create and drop users.
An application requests a lease via the API, specifying a TTL (time-to-live).
SyVault connects to the target database, creates a temporary user with a random password, and grants the permissions defined in the target configuration.
The application receives the temporary credentials and uses them to connect.
When the lease expires (or is revoked early), SyVault connects to the target and drops the temporary user.

Supported Targets

Database	Create Action	Revoke Action
PostgreSQL	`CREATE ROLE` + `GRANT` on specified databases/schemas	`DROP ROLE` (after terminating active connections)
MySQL	`CREATE USER` + `GRANT` on specified databases/tables	`DROP USER` (after killing active sessions)

API Reference

Create a Lease

POST /api/sm/v1/dynamic/lease

curl -X POST https://vault.example.com/api/sm/v1/dynamic/lease \
  -H "Authorization: Bearer $SM_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "record_uid": "7Kj9mNpQ2xRs",
    "ttl_seconds": 3600
  }'

Field	Type	Required	Description
`record_uid`	string	Yes	The UID of the dynamic secret target record.
`ttl_seconds`	integer	Yes	Lease duration in seconds. Maximum: 86400 (24 hours).

Response (201):

{
  "lease_id": "lease-uuid-1",
  "username": "vf_tmp_a8f3k2m9",
  "password": "xK9#mP2$qR7wL4nB",
  "connection_string": "postgresql://vf_tmp_a8f3k2m9:xK9%23mP2%24qR7wL4nB@db.example.com:5432/myapp",
  "expires_at": "2026-04-06T13:00:00Z"
}

List Active Leases

GET /api/sm/v1/dynamic/leases

curl https://vault.example.com/api/sm/v1/dynamic/leases \
  -H "Authorization: Bearer $SM_TOKEN"

Response (200):

{
  "data": [
    {
      "lease_id": "lease-uuid-1",
      "record_uid": "7Kj9mNpQ2xRs",
      "username": "vf_tmp_a8f3k2m9",
      "created_at": "2026-04-06T12:00:00Z",
      "expires_at": "2026-04-06T13:00:00Z"
    }
  ]
}

Revoke a Lease

DELETE /api/sm/v1/dynamic/leases/{id}

curl -X DELETE https://vault.example.com/api/sm/v1/dynamic/leases/lease-uuid-1 \
  -H "Authorization: Bearer $SM_TOKEN"

Returns 204 No Content. The temporary database user is dropped immediately.

Usage Examples

Python SDK

from syvault import SecretsManagerClient

client = SecretsManagerClient(
    server="https://vault.example.com",
    client_id="c9a1b2d3-4e5f-6789-abcd-ef0123456789",
    private_key_path="/etc/syvault/client.pem"
)

# Create a 1-hour lease
lease = client.dynamic.create_lease(
    record_uid="7Kj9mNpQ2xRs",
    ttl_seconds=3600
)

print(f"Connect with: {lease.connection_string}")
print(f"Expires at:   {lease.expires_at}")

# Use the credentials
import psycopg2
conn = psycopg2.connect(lease.connection_string)

# When done, revoke early
client.dynamic.revoke_lease(lease.lease_id)

Kubernetes CronJob

Use a CronJob to rotate database credentials on a schedule. The init container fetches a fresh lease, writes it to a shared volume, and the application container reads it on startup.

apiVersion: batch/v1
kind: CronJob
metadata:
  name: db-credential-refresh
  namespace: myapp
spec:
  schedule: "0 */1 * * *"   # every hour
  jobTemplate:
    spec:
      template:
        spec:
          serviceAccountName: myapp-sa
          initContainers:
            - name: fetch-lease
              image: syvault/cli:latest
              command:
                - sh
                - -c
                - |
                  sy dynamic lease create \
                    --record-uid 7Kj9mNpQ2xRs \
                    --ttl 3600 \
                    --output /shared/db-creds.json
              volumeMounts:
                - name: shared
                  mountPath: /shared
              env:
                - name: SY_SERVER
                  value: "https://vault.example.com"
                - name: SY_CLIENT_ID
                  valueFrom:
                    secretKeyRef:
                      name: syvault-sm
                      key: client-id
                - name: SY_PRIVATE_KEY
                  valueFrom:
                    secretKeyRef:
                      name: syvault-sm
                      key: private-key
          containers:
            - name: db-migration
              image: myapp/migrations:latest
              command: ["./run-migrations.sh"]
              volumeMounts:
                - name: shared
                  mountPath: /shared
                  readOnly: true
          volumes:
            - name: shared
              emptyDir: {}
          restartPolicy: OnFailure

Security Considerations

Maximum TTL. Leases are capped at 86400 seconds (24 hours). Longer-lived credentials should use static secrets with rotation instead.
Credential isolation. Each lease creates a unique database user. Compromising one lease does not affect others.
Revocation is immediate. When a lease is revoked, SyVault terminates active connections from the temporary user before dropping the role, ensuring no lingering sessions.
Admin credential security. The target database admin credentials are stored as an encrypted record in SyVault. They are decrypted only in-memory on the server during user creation and revocation.
Audit logging. Lease creation and revocation events are recorded in the Secrets Manager audit log, including the client ID, target, and TTL.

How It Works​

Supported Targets​

API Reference​

Create a Lease​

List Active Leases​

Revoke a Lease​

Usage Examples​

Python SDK​

Kubernetes CronJob​

Security Considerations​