A DevOps team is using Vault's database secrets engine to generate dynamic credentials for a PostgreSQL database. They notice that the lease duration is set to 24 hours, but security policy requires that credentials expire after 1 hour. What should the team do to enforce the 1-hour expiration without changing the default lease TTL for all secrets?
- A: Set the mount's max_lease_ttl to 1h.
  Why wrong: This would affect all secrets from this mount, not just database credentials.
- B: Ask each developer to set the TTL when requesting credentials.
  Why wrong: Users can request a TTL, but it is capped by the role's max_ttl.
- C: Configure the role with a ttl of 1h.
  Why correct: The role-level ttl overrides the default lease TTL.
- D: Use a periodic token with a period of 1h.
  Why wrong: Periodic tokens are not appropriate for database credentials.