# Dynamic Secrets

Ephemeral database credentials

Dynamic secrets are short-lived credentials generated on demand. Each credential is automatically revoked when its TTL expires, so no long-lived password is left behind to sprawl across applications.
## Supported Backends

| Backend | Description | Min TTL | Max TTL |
|---|---|---|---|
| PostgreSQL | Dynamic database users with configurable roles | 1m | 24h |
| MySQL | Ephemeral credentials with automatic cleanup | 1m | 24h |
| MongoDB | Scoped database access with TTL | 1m | 24h |
| RabbitMQ | Dynamic vhost permissions | 1m | 12h |

## How It Works

1. The application requests credentials from KMS.
2. KMS creates a temporary database user with scoped permissions.
3. The application uses the credentials for the duration of the TTL.
4. KMS automatically revokes the user when the TTL expires.

## PostgreSQL Example

### Configure the Backend

```bash
curl -X POST https://kms.lux.network/api/v1/dynamic-secrets/postgres \
  -H "Authorization: Bearer $KMS_TOKEN" \
  -d '{
    "name": "app-db",
    "host": "db.internal",
    "port": 5432,
    "database": "myapp",
    "adminUser": "kms_admin",
    "adminPassword": "<from-kms>",
    "defaultTTL": "1h",
    "maxTTL": "24h",
    "creationStatement": "CREATE ROLE \"{{username}}\" WITH LOGIN PASSWORD '\''{{password}}'\'' VALID UNTIL '\''{{expiration}}'\''; GRANT SELECT, INSERT, UPDATE ON ALL TABLES IN SCHEMA public TO \"{{username}}\";"
  }'
```

### Request Credentials

```bash
curl -X POST https://kms.lux.network/api/v1/dynamic-secrets/postgres/app-db/lease \
  -H "Authorization: Bearer $KMS_TOKEN" \
  -d '{"ttl": "2h"}'
```

Response:

```json
{
  "leaseId": "lease-abc123",
  "username": "kms_dyn_abc123",
  "password": "randomSecurePassword",
  "expiresAt": "2026-03-22T14:00:00Z"
}
```

### Revoke Early

```bash
curl -X DELETE https://kms.lux.network/api/v1/dynamic-secrets/leases/lease-abc123 \
  -H "Authorization: Bearer $KMS_TOKEN"
```

## Benefits

- No long-lived database passwords
- Automatic cleanup of unused credentials
- Each application instance gets unique credentials
- Full audit trail of credential usage
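
The helper below is an added example, not part of the Lux KMS documentation or its client libraries: it drives the three calls above (lease, track expiry, revoke early) through an injected transport so it runs offline. Only the endpoint URLs and the response shape come from the page; the `fake_kms` stand-in, the `RENEW_AT` rotation policy, the TTL clamp and the TTL parser are assumptions.

```python
from datetime import datetime, timezone, timedelta

KMS_URL = "https://kms.lux.network/api/v1/dynamic-secrets"  # endpoint prefix from the page
RENEW_AT = 0.8  # assumed policy: rotate once 80% of the requested TTL has elapsed
CALLS = []      # requests recorded by the fake transport below (for inspection)

def parse_ttl(ttl):
    """Turn the API's 'Nm' / 'Nh' TTL strings (e.g. '2h') into a timedelta."""
    return timedelta(seconds=int(ttl[:-1]) * {"m": 60, "h": 3600}[ttl[-1]])

def parse_iso(ts):
    """Parse an 'expiresAt' timestamp such as '2026-03-22T14:00:00Z' as aware UTC."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)

class DynamicSecretLease:
    """Acquire, track and revoke one lease; http(method, url, headers, body) is injected."""
    def __init__(self, http, token, backend="postgres", name="app-db"):
        self._http, self.lease = http, None
        self._headers = {"Authorization": f"Bearer {token}"}
        self._base = f"{KMS_URL}/{backend}/{name}"

    def acquire(self, ttl="1h", max_ttl="24h"):
        """Request credentials, clamping the TTL to the backend's configured maxTTL."""
        if parse_ttl(ttl) > parse_ttl(max_ttl):
            ttl = max_ttl
        self.lease = self._http("POST", f"{self._base}/lease", self._headers, {"ttl": ttl})
        return self.lease

    def seconds_left(self, now_iso):
        """Seconds until KMS revokes the database role (negative once expired)."""
        return (parse_iso(self.lease["expiresAt"]) - parse_iso(now_iso)).total_seconds()

    def needs_renewal(self, requested_ttl, now_iso):
        """True once less than (1 - RENEW_AT) of the requested TTL remains."""
        budget = parse_ttl(requested_ttl).total_seconds()
        return self.seconds_left(now_iso) <= (1 - RENEW_AT) * budget

    def revoke(self):
        """Revoke early so the role is dropped as soon as the app no longer needs it."""
        self._http("DELETE", f"{KMS_URL}/leases/{self.lease['leaseId']}", self._headers, None)
        self.lease = None

def fake_kms(method, url, headers, body):
    """Constructed stand-in for the KMS API; it replies with the page's sample lease."""
    assert headers["Authorization"].startswith("Bearer ")
    CALLS.append({"method": method, "url": url, "body": body})
    if method == "POST":
        return {"leaseId": "lease-abc123", "username": "kms_dyn_abc123",
                "password": "randomSecurePassword", "expiresAt": "2026-03-22T14:00:00Z"}
    return {}
```

Swap `fake_kms` for a real HTTP call returning the parsed JSON body to use it against KMS; the renewal check is what a long-running worker polls to re-acquire credentials before the database role disappears.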