hashicorp · vinay-gopalan · Oct 7, 2025 · Oct 6, 2025 · Oct 7, 2025 · Oct 7, 2025
@@ -551,7 +551,7 @@ this in order to know the password.
 - `self_managed_password` `(string)` – <EnterpriseAlert product="vault" inline />
   The password corresponding to the username in the database. Required when using
   the Rootless Password Rotation workflow for static roles. Only enabled for select
-  DB engines (Postgres). This parameter is deprecated in favor of `password`.
+  DB engines (Postgres, Oracle). The `self_managed_password` parameter is deprecated in favor of `password`.
 
 - `db_name` `(string: <required>)` - The name of the database connection to use
   for this role.

@@ -156,6 +156,76 @@ you will need to enable ipc_lock capabilities for the plugin binary.
 
    See the [Commands](/vault/docs/commands#files) docs for more details.
 
+### Rootless configuration and password rotation for static roles
+
+@include 'alerts/enterprise-only.mdx'
+
+The Oracle database plugin supports static roles (including password rotation)
+with a rootless DB connection configuration.
+
+With a rootless configuration you can onboard static DB users and use static
+role rotation through Vault without requiring privileged root accounts for
+connection configuration. Instead of using a single root connection, each static
+role has multiple dedicated connections to the database. We highly recommend
+onboarding database users as static roles with the minimum set of privileges
+possible. Each static role opens a new connection into the database and granting
+minimum privileges helps Vault avoid creating multiple, highly-privileged
+connections to an external system.
+
+With rootless connections, Vault can become out of sync with the database user
+if out-of-band password rotations occur. To resolve the associated rotation
+errors, you need to manually update the password in your external Oracle
+database.
+
+Vault does not support dynamic roles/credentials with rootless DB connections.
+
+## Setup
+
+1.  Enable the database secrets engine if it is not already enabled:
+
+    ```shell-session
+    $ vault secrets enable database
+    Success! Enabled the database secrets engine at: database/
+    ```
+
+    By default, the secrets engine will enable at the name of the engine. To
+    enable the secrets engine at a different path, use the `-path` argument.
+
+1.  Configure a connection to your database without root credentials and enable
+    the rootless workflow using the `self_managed` parameter. For example:
+
+    ```shell-session
+    $ vault write database/config/my-oracle-database \
+    plugin_name="oracle-database-plugin" \
+    allowed_roles="my-role" \
+    connection_url="{{username}}/{{password}}@//localhost:1521/database-name" \
+    self_managed=true
+    ```
+
+1.  Configure a static role that creates a dedicated connection to a user in
+    the Oracle database with the `password` parameter. For example:
+
+    ```shell-session
+    $ vault write database/static-roles/my-role \
+    db_name="my-oracle-database" \
+    username="staticuser" \
+    password="password" \
+    rotation_period="1h"
+    ```
+
+1.  Verify the new static credentials with `vault read`. For example:
+
+    ```shell-session
+    $ vault read database/static-creds/my-role
+    Key                    Value
+    ---                    -----
+    last_vault_rotation    2024-09-11T14:15:13.764783-07:00
+    password               XZY42BVc-UO5bMsbgxrW
+    rotation_period        1h
+    ttl                    59m55s
+    username               staticuser
+    ```
+
 ### Connect using SSL
 
 If the Oracle server Vault is trying to connect to uses an SSL listener, the database