# platform-toolbox
Hi! I'm looking for a web UI to give developers access to databases (PostgreSQL & MySQL). I'd like to fine-tune access rights for developers to some databases (based on their product team, for example), and I don't want them to paste/type in the passwords (passwords should be stored centrally, and I give them the right to access X database and they can connect without the need to handle the passwords). Ideally (2), all the database credentials would be Terraformable (could be a JSON file mounted in a K8S pod, for example), and developers could connect with OAuth2/OpenID Connect. What tool do you usually use for this use case?
Something like https://github.com/ankane/blazer might work if you combine it with your secrets management of choice to inject the credentials in wherever it is running?
Thanks @Andrew Kirkpatrick, will have to look 🙂
What we've seen work best is for developers to use their preferred tool to access databases (e.g. DBeaver). We've secured the credentials and network access part by using a mix of HashiCorp Boundary and HashiCorp Vault, by making Vault generate dynamic credentials for a specific Boundary session. Boundary opens a port-forward session to the database and outputs the dynamic credentials, which can then be used in their preferred tool.
Interesting @Alan Longuet, thanks for sharing! With this solution, how do you audit who did what and when? Does Boundary act as a proxy and then log all requests?
I don't think Boundary supports that just yet. To my knowledge it supports SSH recording only today, but you're able to correlate dynamic credentials and identity with Boundary/Vault logs, and with the audit logs of your database you should be able to have an entire session recording. But that's not a requirement for us; we know we're able to have that kind of auditability, but we don't really use it for now. If that's a hard requirement on your part, I think it might be harder compared to a more managed solution where this kind of auditability is de facto available.
@Arnaud Vatin Depending on what you want your developers to do with those databases, you could give them access to a complete replica using Release Instant Datasets. That way each of them has an on-demand dataset they can access, break, modify and do whatever they want, without affecting the source dataset and other members. That's what we use with our developers.