# platform-toolbox
Something like https://github.com/ankane/blazer might work if you combine it with your secrets management of choice to inject the credentials in wherever it is running?
Thanks @Andrew Kirkpatrick will have to look 🙂
What we've seen work best is for developers to use their preferred tool to access databases (e.g. DBeaver). We've secured the credentials and network access part by using a mix of HashiCorp Boundary and HashiCorp Vault: Vault generates dynamic credentials for a specific Boundary session, and Boundary opens a port-forward session to the database and outputs the dynamic credentials, which can then be used in their preferred tool.
Interesting @Alan Longuet, thanks for sharing! With this solution, how do you audit who did what and when? Does Boundary act as a proxy and then log all requests?
I don't think Boundary supports that just yet; to my knowledge it supports SSH recording only today. But you're able to correlate dynamic credentials and identity with Boundary/Vault logs, and with the audit logs of your database you should be able to have an entire session recording. That's not a requirement for us, though: we know we're able to have that kind of auditability, but we don't really use it for now. If that's a hard requirement on your part, I think it might be harder compared to a more managed solution where this kind of auditability is de facto available.
@Arnaud Vatin Depending on what you want your developers to do with those databases, you could give them access to a complete replica using Release Instant Datasets. That way each of them has an on-demand dataset they can access, break, modify and do whatever they want, without affecting the source dataset and other members. That's what we use with our developers.