Dynamic Database Max TTL should be set to infinity

We want to use dynamic database roles (MySQL) to create databases and users on the fly.

Creation statements:

```sql
CREATE DATABASE IF NOT EXISTS `{{name}}`;
CREATE USER IF NOT EXISTS '{{name}}'@'%' IDENTIFIED BY '{{password}}';
GRANT ALL ON `{{name}}`.* TO '{{name}}'@'%';
```

The idea is to remove the users and their databases once the leases have expired, which happens if the workload/pods get deleted and so no renewal is made within the TTL.

Revocation statements:

```sql
DROP USER IF EXISTS '{{name}}'@'%';
DROP DATABASE IF EXISTS `{{name}}`;
```

We’re using VaultDynamicSecret to request, consume and renew these dynamic secrets/leases.

This works totally fine until the max TTL setting unintentionally causes the removal of the users and databases.

Is there any way to set Max TTL to infinity in the future?

Removing the revocation statements will leave a lot of unused users and databases. The DB could be removed by the user, but the user will never have the permission to remove themselves.

Edit: I’ve set max TTL to: 273 years 9 months 15 days 1 hour :)