I have created a role:
vault write database/static-roles/myrole \
    db_name="DmsTenantPool" \
    rotation_period="10m" \
    username="user1"
static-creds:
bash-4.2# vault read database/static-creds/myrole
Key                    Value
---                    -----
last_vault_rotation    2022-04-05T11:06:15.813655298Z
password               A1a-62oWSIy5u6fB7vi1
rotation_period        10m
ttl                    9m48s
username               user1
I have locked user1 by connecting to the DB as the admin user.
As per my observation:
As soon as the TTL reaches 0, Vault rotates the password, updates rotation_period to 10m again, and the ttl counter begins.
But the user is still in the locked state.
It seems Vault keeps rotating the credential in its config although the user is in a locked state. Is this expected behavior?
I was expecting that Vault would not be able to rotate the password as the user is already locked, so the ttl would remain 0s.
Can anyone share their experience on this?