Enable the database secrets engine: vault secrets enable database
Configure a named connection for your database by writing to /v1/database/config/CONN_NAME with plugin_name set to postgresql-database-plugin, a connection_url (whose account is the high-privilege one Vault uses to create and revoke credentials), and the list of allowed_roles
Create a role at /v1/database/roles/ROLE_NAME specifying db_name, creation_statements (a SQL template such as a CREATE ROLE statement using Vault's {{name}} and {{password}} placeholders), default_ttl, and max_ttl
Applications request credentials with vault read database/creds/ROLE_NAME; Vault creates a unique PostgreSQL user and returns username and password with a lease
Configure your application to renew the lease before expiry using the Vault SDK or agent; on renewal failure, re-request new credentials and update the connection pool
Set up a Vault policy granting the application identity read access to database/creds/ROLE_NAME and deny access to database/config/*
Known gotchas
The management account used in connection_url must have CREATEROLE and the ability to grant the desired privileges; an underprivileged account is accepted when the connection is configured, and the failure only surfaces when the first credential is requested
If the Vault server is unavailable when a lease expires, the application loses database access; implement a credential cache with a grace period
Dynamic credentials leave behind PostgreSQL roles if Vault is unable to revoke them on expiry (e.g., after a crash); periodically audit pg_roles for stale Vault-generated accounts
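The application-side lease handling described in the renewal step, together with the grace-period cache the Vault-outage gotcha calls for, as an added Python example that is not from the original page or from HashiCorp: FakeVault, CredentialManager, the role name app and the constructed usernames and password are assumptions standing in for the Vault SDK and real responses.

```python
import time

class VaultUnavailable(Exception):
    """Vault could not be reached (network down or server sealed)."""

class FakeVault:
    """Constructed stand-in for a Vault client (not the SDK): read()/renew() mimic creds issue/renew."""
    def __init__(self, ttl=60):
        self.ttl, self.issued, self.down, self.dead = ttl, 0, False, set()

    def read(self, path):
        if self.down:
            raise VaultUnavailable(path)
        self.issued += 1  # each read creates a new PostgreSQL user in real Vault
        return {"lease_id": f"{path}/lease{self.issued}", "lease_duration": self.ttl,
                "data": {"username": f"v-app-{self.issued}", "password": "constructed"}}

    def renew(self, lease_id):
        if self.down:
            raise VaultUnavailable(lease_id)
        if lease_id in self.dead:
            raise RuntimeError("lease not found")  # expired, revoked or past max_ttl
        return {"lease_duration": self.ttl}

class CredentialManager:
    """Serves (username, password) for the pool: renews once half the lease has elapsed,
    rotates to a fresh user when renewal is refused, and keeps the cached pair for up to
    `grace` seconds past expiry while Vault is unreachable."""
    def __init__(self, client, role, grace=300, clock=time.monotonic):
        self.client, self.role, self.grace, self.clock = client, role, grace, clock
        self.lease = None

    def _issue(self):
        d = self.client.read(f"database/creds/{self.role}")
        self.lease = {**d["data"], "id": d["lease_id"], "ttl": d["lease_duration"], "at": self.clock()}

    def get(self):
        if self.lease is None:
            self._issue()
        age = self.clock() - self.lease["at"]
        if age >= self.lease["ttl"] / 2:  # renew early, leaving room for retries
            try:
                self.lease["ttl"] = self.client.renew(self.lease["id"])["lease_duration"]
                self.lease["at"] = self.clock()
            except VaultUnavailable:
                if age > self.lease["ttl"] + self.grace:
                    raise  # grace window exhausted: fail rather than use dead creds
            except Exception:
                self._issue()  # lease gone: new user, caller must refresh the pool
        return self.lease["username"], self.lease["password"]
```

Whenever get() returns a different username than the pool currently holds, the pool must be rebuilt with the new pair, since the previous PostgreSQL user is revoked when its lease ends.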