Quick Start

Prerequisites

  • Go 1.26+
  • A running ClickHouse instance
  • A running Vault instance (dev mode is fine for testing)

Build the plugin

make build              # bin/clickvault, current OS/arch
make build-linux-amd64  # bin/clickvault-linux-amd64
make sha256             # builds linux/amd64 and prints its sha256sum

Register with Vault

Build the plugin, register it with Vault's plugin catalog, then configure a connection and roles. The scripts/setup_vault.sh script automates all of this against a dev Vault server:

export VAULT_ADDR=http://127.0.0.1:8200
export VAULT_TOKEN=<token with access to sys/plugins and the database engine>
export CLICKHOUSE_VAULT_ADMIN_PASSWORD=<password for ClickHouse admin user>

./scripts/setup_vault.sh

Manual setup

If you prefer to do it step by step:

SHA256=$(sha256sum bin/clickvault-linux-amd64 | awk '{print $1}')

vault secrets enable database

vault plugin register \
  -sha256="$SHA256" \
  database clickvault

vault write database/config/pos-clickhouse \
  plugin_name=clickvault \
  connection_url="clickhouse://clickhouse:9000" \
  username="vault_admin" \
  password="$CLICKHOUSE_VAULT_ADMIN_PASSWORD" \
  cluster=""
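
Vault launches a registered plugin only if the binary matches the SHA-256 stored in the catalog, so the value passed to -sha256 should come from a build you trust (for example the output of make sha256), not be recomputed from whatever file is in the plugin directory. The following is an added example, not part of the clickvault repository: a fail-closed check to run on the Vault host before vault plugin register. The function names and the plugin directory path in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example: compare the deployed plugin binary against a trusted digest
# before registering it. Not code from the clickvault project.

# is_sha256 VALUE: succeed only for exactly 64 hexadecimal characters.
is_sha256() {
  case "$1" in
    ""|*[!0-9a-fA-F]*) return 1 ;;
  esac
  [ "${#1}" -eq 64 ]
}

# file_sha256 FILE: print the SHA-256 of FILE as lowercase hex.
file_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_plugin_digest EXPECTED FILE
# Returns 0 on match, 1 on mismatch, 2 when the inputs cannot be checked.
verify_plugin_digest() {
  expected=$(printf '%s' "$1" | tr 'A-F' 'a-f')
  file=$2
  is_sha256 "$expected" || {
    echo "refusing: expected digest is not a SHA-256 hex string" >&2
    return 2
  }
  [ -f "$file" ] || {
    echo "refusing: $file is not a regular file" >&2
    return 2
  }
  actual=$(file_sha256 "$file") || return 2
  [ "$actual" = "$expected" ] || {
    echo "digest mismatch for $file: got $actual" >&2
    return 1
  }
}

# Usage (EXPECTED recorded from the trusted build; the path is hypothetical):
#   verify_plugin_digest "$EXPECTED" /etc/vault/plugins/clickvault &&
#     vault plugin register -sha256="$EXPECTED" database clickvault
```
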

Create a dynamic role

vault write database/roles/pos-analytics-dynamic \
  db_name=pos-clickhouse \
  creation_statements='CREATE USER "{{username}}" IDENTIFIED WITH sha256_password BY '"'"'{{password}}'"'"'; GRANT analytics ON default.* TO "{{username}}";' \
  default_ttl="24h" \
  max_ttl="48h" \
  password_policy="clickhouse-password-policy"

Read a lease with vault read database/creds/pos-analytics-dynamic. Vault creates a new ClickHouse user for that lease and drops it automatically when the lease expires or is revoked.

Create a static role

vault write database/static-roles/pos-service-account \
  db_name=pos-clickhouse \
  username="pos_service" \
  rotation_period="72h" \
  password_policy="clickhouse-password-policy"

The ClickHouse user pos_service must already exist. Vault rotates its password every 72 hours and hands out the current password with vault read database/static-creds/pos-service-account.