»Couchbase Database Plugin HTTP API

The Couchbase database plugin is one of the supported plugins for the database secrets engine. This plugin generates database credentials dynamically based on configured roles for the Couchbase database.

»Configure Connection

In addition to the parameters defined by the Database Secrets Engine, this plugin has a number of parameters to further configure a connection.



  • hosts (string: <required>) – Specifies a set of comma-delimited Couchbase hosts to connect to. Must use couchbases:// scheme if tls is true.

  • username (string: <required>) – Specifies the username for Vault to use.

  • password (string: <required>) – Specifies the password corresponding to the given username.

  • tls (bool: false) – Specifies whether to use TLS when connecting to Couchbase.

  • insecure_tls (bool: false) – Specifies whether to skip verification of the server certificate when using TLS.

  • base64pem (string: "") – Required if tls is true. Specifies the certificate authority of the Couchbase server, as a PEM certificate that has been base64 encoded.

  • bucket_name (string: "") - Required for Couchbase versions prior to 6.5.0. This is only used to verify vault's connection to the server.

  • username_template (string) - Template describing how dynamic usernames are generated.

Default Username Template
V_{{.DisplayName | uppercase | truncate 64}}_{{.RoleName | uppercase | truncate 64}}_{{random 20 | uppercase}}_{{unix_time}}
V_{{.DisplayName | uppercase | truncate 64}}_{{.RoleName | uppercase | truncate 64}}_{{random 20 | uppercase}}_{{unix_time}}
Example Usernames:

»Sample Payload

  "plugin_name": "couchbase-database-plugin",
  "hosts": "couchbases://",
  "username": "user",
  "password": "pass",
  "allowed-roles": "my-*-role"
{  "plugin_name": "couchbase-database-plugin",  "hosts": "couchbases://",  "username": "user",  "password": "pass",  "allowed-roles": "my-*-role"}

»Sample Request

$ curl \
    --header "X-Vault-Token: ..." \
    --request POST \
    --data @payload.json \
$ curl \    --header "X-Vault-Token: ..." \    --request POST \    --data @payload.json \


Statements are configured during role creation and are used by the plugin to determine what is sent to the database on user creation, renewing, and revocation. For more information on configuring roles see the Role API in the database secrets engine docs.


The following are the statements used by this plugin. If not mentioned in this list the plugin does not support that statement type.

  • creation_statements (list: []) – Specifies a JSON string containing Couchbase RBAC roles to assign to created users. Any groups specified must already exist. Must be a single JSON string. If not provided, defaults to read-only admin.