Comprehensive and Detailed in Depth Explanation:
The Database secrets engine generates dynamic credentials for database access. The endpoint database/creds/ < role > (e.g., read_only_role) provides these credentials via a read operation. Let’s analyze:
Option A: capabilities = [ " generate " ] There’s no generate capability in Vault policies. Capabilities are create, read, update, delete, list, etc. This is invalid. Incorrect.
Option B: capabilities = [ " update " ] update (PUT) modifies existing data, not generates credentials. The creds endpoint uses GET. Incorrect.
Option C: capabilities = [ " list " ] list retrieves metadata or paths, not credential data. Incorrect.
Option D: capabilities = [ " read " ] Generating dynamic credentials involves a GET request to database/creds/ < role > , mapped to the read capability. This policy allows it. Correct.
Detailed Mechanics:
For a role read_only_role defined with vault write database/roles/read_only_role db_name=my-db creation_statements= " CREATE USER... " , a user with read on database/creds/read_only_role can run vault read database/creds/read_only_role to get temporary credentials. Vault’s policy system aligns HTTP verbs to capabilities: GET = read, PUT = update. This counterintuitive mapping (GET for creation) is specific to dynamic secrets.
Overall Explanation from Vault Docs:
“Generating database credentials requires read capability on database/creds/ < role > … Despite creating credentials, the HTTP request is a GET.”
[Reference: https://developer.hashicorp.com/vault/tutorials/db-credentials/database-secrets, ]