---
layout: "docs"
page_title: "Cassandra - Secrets Engines"
sidebar_title: "Cassandra <sup>DEPRECATED</sup>"
sidebar_current: "docs-secrets-cassandra"
description: |-
  The Cassandra secrets engine for Vault generates database credentials to access Cassandra.
---

# Cassandra Secrets Engine

~> **Deprecation Note:** This secrets engine is deprecated in favor of the
combined databases secrets engine added in v0.7.1. See the documentation for
the new implementation of this secrets engine at
[Cassandra database plugin](/docs/secrets/databases/cassandra.html).

The Cassandra secrets engine for Vault generates database credentials
dynamically based on configured roles. This means that services that need
to access a database no longer need to hardcode credentials: they can request
them from Vault, and use Vault's leasing mechanism to more easily roll keys.

Additionally, it introduces a new ability: with every service accessing
the database with unique credentials, auditing becomes much easier when
questionable data access is discovered. You can track it down to the specific
instance of a service based on the Cassandra username.

This page will show a quick start for this secrets engine. For detailed documentation
on every path, use `vault path-help` after mounting the secrets engine.

## Quick Start

The first step to using the Cassandra secrets engine is to mount it. Unlike the
`kv` secrets engine, the `cassandra` secrets engine is not mounted by default.

```text
$ vault secrets enable cassandra
Success! Enabled the cassandra secrets engine at: cassandra/
```

Next, Vault must be configured to connect to Cassandra. This is done by
writing one or more hosts, a username, and a password:

```text
$ vault write cassandra/config/connection \
    hosts=localhost \
    username=cassandra \
    password=cassandra
```

In this case, we've configured Vault with the user "cassandra" and password "cassandra".
It is important that the Vault user is a superuser, in order to manage other user accounts.

The next step is to configure a role. A role is a logical name that maps
to a policy used to generate those credentials. For example, let's create
a "readonly" role:

```text
$ vault write cassandra/roles/readonly \
    creation_cql="CREATE USER '{{username}}' WITH PASSWORD '{{password}}' NOSUPERUSER; \
      GRANT SELECT ON ALL KEYSPACES TO {{username}};"
Success! Data written to: cassandra/roles/readonly
```

By writing to the `roles/readonly` path we are defining the `readonly` role.
This role will be created by evaluating the given `creation_cql` statements. By
default, the `{{username}}` and `{{password}}` fields will be populated by
Vault with dynamically generated values. This CQL statement is creating
the named user, and then granting it `SELECT` or read-only privileges
to keyspaces. More complex `GRANT` queries can be used to
customize the privileges of the role. See the [CQL Reference Manual](https://docs.datastax.com/en/cql/3.1/cql/cql_reference/grant_r.html)
for more information.

Vault is now configured to create and manage credentials for Cassandra!
To generate a new set of credentials, we simply read from that role:

```text
$ vault read cassandra/creds/readonly
Key             Value
---             -----
lease_id        cassandra/creds/test/7a23e890-3a26-531d-529b-92d18d1fa63f
lease_duration  3600
lease_renewable true
password        dfa80eea-ccbe-b228-ebf7-e2f62b245e71
username        vault-root-1434647667-9313
```

By reading from the `creds/readonly` path, Vault has generated a new
set of credentials using the `readonly` role configuration. Here we
see the dynamically generated username and password, along with a one
hour lease.

Using ACLs, it is possible to restrict using the `cassandra` secrets engine such
that trusted operators can manage the role definitions, and both
users and applications are restricted in the credentials they are
allowed to read.

If you get stuck at any time, simply run `vault path-help cassandra` or with a
subpath for interactive help output.

## API

The Cassandra secrets engine has a full HTTP API. Please see the
[Cassandra secrets engine API](/api/secret/cassandra/index.html) for more
details.
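
The ACL split described in the Quick Start (operators manage role definitions, applications only read credentials) can be expressed as two Vault policies. This is an added example, not part of the original documentation; the policy names `cassandra-operator` and `cassandra-readonly-app` are assumptions, and the paths assume the engine is mounted at `cassandra/` as shown above.

```hcl
# --- Policy 1: cassandra-operator (assumed name) --------------------------
# For trusted operators only. Vault evaluates creation_cql over the superuser
# connection, so anyone who can write a role can have arbitrary CQL executed
# with superuser rights. Treat write access to roles/* as equivalent to
# holding the superuser password.

# Set the connection details (hosts, username, password).
path "cassandra/config/connection" {
  capabilities = ["create", "update"]
}

# Create, inspect, change and remove role definitions.
path "cassandra/roles/*" {
  capabilities = ["create", "read", "update", "delete"]
}

# --- Policy 2: cassandra-readonly-app (assumed name) ----------------------
# For applications and users. Grants exactly one thing: generating
# credentials from the "readonly" role. Vault policies are deny-by-default,
# so config/connection, roles/* and every other creds/<role> path stay
# unreachable with a token that carries only this policy.

path "cassandra/creds/readonly" {
  capabilities = ["read"]
}
```

Each policy goes in its own file and is attached to separate tokens or auth roles, so that a compromised application token can obtain `readonly` credentials but cannot alter what a role's CQL does.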