The External Secrets Enterprise product suite is a premium product that requires a specific subscription. Contact us for more information.
In order to use the Neo4j User Generator, you must have the Enterprise Distribution of ESO available, either via the ESI Agent or via our Helm chart bundle.

Introduction

Managing user credentials for Neo4j databases by hand is error-prone and tedious. The Neo4j User Generator for ESO creates, manages and rotates database users dynamically through Neo4j's own user-management statements. This lets you hand each application its own scoped, regularly rotated Neo4j credentials instead of a shared long-lived account, reducing the operational overhead of manual user management and improving your security posture.

Output Keys and Values

| Key      | Description                  |
| -------- | ---------------------------- |
| user     | The generated Neo4j username |
| password | The generated Neo4j password |

Parameters

| Key                 | Default  | Description |
| ------------------- | -------- | ----------- |
| database            | neo4j    | Name of the Neo4j database the generator connects to. |
| auth.uri            | Required | Connection URI of the Neo4j instance. Example: bolt://neo4j.default.svc.cluster.local:7687 |
| auth.basic.username | optional | Username for basic authentication. Required if auth.basic is used. |
| auth.basic.password | optional | Reference to a Kubernetes Secret key holding the password. Required if auth.basic is used. |
| auth.bearer.token   | optional | Reference to a Kubernetes Secret key holding a bearer token. Alternative to basic authentication. |
| enterprise          | false    | Set to true if the Neo4j instance runs Enterprise Edition. Enables roles, home database and suspension on cleanup. |
| user.user           | Required | Base name of the user to create. Must not contain dashes (-). |
| user.suffixSize     | 8        | Length of the random suffix appended to the base name. If set to 0, no suffix is appended and the username is fixed. |
| user.roles          | []       | Roles to grant to the user. Only supported in Neo4j Enterprise Edition. |
| user.home           | optional | Home database for the user. Only supported in Neo4j Enterprise Edition. |
| user.provider       | native   | Authentication provider for the user. Only "native" is supported; it is Neo4j's built-in provider and the only one available in Community Edition. |

Set up

Neo4j Database Requirements

  • Your Neo4j instance must support user management through the native authentication provider (auth_provider: native).
  • Neo4j Enterprise Edition is required for managing a user's home database, status (suspension) and roles.

Neo4j Permissions

The account referenced in the spec must be allowed to create, alter and drop users in Neo4j. The built-in neo4j admin account has these permissions, but it also has every other permission. On Enterprise Edition, prefer a dedicated account for the generator that holds only the DBMS privileges it needs (USER MANAGEMENT, plus ROLE MANAGEMENT or at least ASSIGN ROLE when user.roles is set) rather than the full admin role, and protect the Kubernetes Secret that holds its password with RBAC so that only ESO can read it. On Community Edition there is no role-based access control, so this separation is not possible.

Supported Providers

At this moment, only the native Neo4j authentication provider is supported.

Authentication

The Neo4j generator supports two authentication methods for its administrative connection:
  • Basic Authentication: a username and a password read from a Kubernetes Secret.
  • Bearer Authentication: a bearer token read from a Kubernetes Secret.

Generator Config

apiVersion: generators.external-secrets.io/v1alpha1
kind: Neo4j
metadata:
  name: neo4j-generator
  namespace: default
spec:
  database: neo4j # Optional; defaults to 'neo4j'
  enterprise: false # Set to true if using Neo4j Enterprise
  auth:
    uri: bolt://neo4j.default.svc.cluster.local:7687
    basic:
      username: neo4j
      password:
        name: neo4j-admin-secret # Kubernetes Secret holding the admin password
        key: password
  user:
    user: appuser # Base username; must not contain dashes
    suffixSize: 8 # Optional; defaults to 8. 0 disables the random suffix
    roles: [] # Only applies if enterprise is true
    provider: native

ExternalSecret Config

apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: neo4j-credentials
  namespace: default
spec:
  refreshInterval: 1h # A fresh user and password are generated on every refresh (hourly here)
  dataFrom:
    - sourceRef:
        generatorRef:
          apiVersion: generators.external-secrets.io/v1alpha1
          kind: Neo4j
          name: neo4j-generator

Using the Generated Secret

apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-app
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      app: my-app
  template:
    metadata:
      labels:
        app: my-app
    spec:
      containers:
        - name: my-container
          image: my-image:latest
          env:
            - name: NEO4J_USER
              valueFrom:
                secretKeyRef:
                  name: neo4j-credentials
                  key: user
            - name: NEO4J_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: neo4j-credentials
                  key: password

Notes and Considerations

  • The generator does not manage roles if the Neo4j instance is Community Edition, as role-based access control is only available in Enterprise Edition.
  • The generator creates the user if it does not exist and cleans the previous user up when credentials are rotated. How cleanup works depends on the edition: in Enterprise Edition the user is suspended rather than deleted, whereas in Community Edition the user is permanently deleted.
  • Because Enterprise Edition only suspends users, suspended users accumulate over time; drop them periodically if that matters to you.
  • Environment variables populated from secretKeyRef are read once when the container starts. After a refresh the Secret holds a new user and password, but running pods keep the old values until they are restarted. Mount the Secret as a volume and re-read it, or restart the workload on Secret changes, so that applications do not keep using credentials of a user that has since been suspended or deleted.
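The following is an added illustration of the lifecycle described in the Parameters table and in the notes above: the suffixed username, the per-edition Cypher that creates the user, and the per-edition cleanup (suspend on Enterprise, drop on Community). It is not the generator's own code. The underscore between base name and suffix, the suffix alphabet and the identifier regex are assumptions; the page only documents that dashes are not allowed. Usernames and passwords are passed as Cypher query parameters rather than spliced into the statement text, and role and database names are backtick-quoted.

```python
# Added example: models the user lifecycle the Neo4j generator documentation
# describes. Not the generator's own code; separator "_", suffix alphabet and
# the base-name regex are assumptions.
import re
import secrets
import string

_SUFFIX_ALPHABET = string.ascii_lowercase + string.digits
_BASE_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")  # assumption, beyond "no dashes"

Statement = tuple[str, dict]  # (cypher text, query parameters)


def build_username(base: str, suffix_size: int = 8, rng=secrets) -> str:
    """Mirror user.user / user.suffixSize: base name plus a random suffix.

    rng must expose .choice(); secrets is the default, random.Random(seed)
    makes the result deterministic.
    """
    if "-" in base:
        raise ValueError("user.user must not contain dashes (-)")
    if not _BASE_RE.match(base):
        raise ValueError(f"unsupported base username: {base!r}")
    if suffix_size < 0:
        raise ValueError("suffixSize must be >= 0")
    if suffix_size == 0:
        return base  # no suffix: the username is fixed across refreshes
    suffix = "".join(rng.choice(_SUFFIX_ALPHABET) for _ in range(suffix_size))
    return f"{base}_{suffix}"


def generate_password(nbytes: int = 24) -> str:
    return secrets.token_urlsafe(nbytes)


def _ident(name: str) -> str:
    """Backtick-quote a Cypher identifier (role or database name); a literal
    backtick inside the name is escaped by doubling it."""
    return "`" + name.replace("`", "``") + "`"


def create_statements(username: str, password: str, *, enterprise: bool,
                      roles=(), home=None, exists=False) -> list[Statement]:
    """Cypher to (re)create the user. Roles and home database are Enterprise-only."""
    verb = "ALTER" if exists else "CREATE"
    stmts = [(f"{verb} USER $name SET PASSWORD $password CHANGE NOT REQUIRED",
              {"name": username, "password": password})]
    if not enterprise:
        if roles or home:
            raise ValueError("user.roles and user.home require Neo4j Enterprise Edition")
        return stmts
    if home:
        stmts.append((f"ALTER USER $name SET HOME DATABASE {_ident(home)}", {"name": username}))
    for role in roles:
        stmts.append((f"GRANT ROLE {_ident(role)} TO $name", {"name": username}))
    return stmts


def cleanup_statement(username: str, *, enterprise: bool) -> Statement:
    """Enterprise suspends the previous user; Community deletes it."""
    if enterprise:
        return ("ALTER USER $name SET STATUS SUSPENDED", {"name": username})
    return ("DROP USER $name IF EXISTS", {"name": username})


def rotate(previous_username, base: str, *, enterprise: bool, suffix_size: int = 8,
           roles=(), home=None, rng=secrets):
    """One refreshInterval tick: create the new user, then clean up the old one.

    With suffix_size=0 the name does not change, so the existing user is
    altered in place and nothing is suspended or dropped.
    Returns (new_username, password, statements).
    """
    new_user = build_username(base, suffix_size, rng)
    password = generate_password()
    same = previous_username == new_user
    stmts = create_statements(new_user, password, enterprise=enterprise,
                              roles=roles, home=home, exists=same)
    if previous_username and not same:
        stmts.append(cleanup_statement(previous_username, enterprise=enterprise))
    return new_user, password, stmts


if __name__ == "__main__":
    user, _, stmts = rotate(None, "appuser", enterprise=True, roles=["reader"], home="app")
    _, _, stmts2 = rotate(user, "appuser", enterprise=True, roles=["reader"], home="app")
    for text, params in stmts + stmts2:
        print(text, {k: ("***" if k == "password" else v) for k, v in params.items()})
```

Run it once to see two refresh cycles printed: the second cycle ends with an ALTER USER ... SET STATUS SUSPENDED for the first user. Switch enterprise to False and the final statement becomes DROP USER ... IF EXISTS, while passing roles or home raises, matching the Community restriction stated above.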