Rotating AD Engine / Kerberos Auth Bind DN


Is there an established pattern for rotating LDAP / Kerberos service accounts utilised by Vault itself? The service accounts under Vault’s control will have regularly rotated passwords as per engine configuration, but the Vault plugin DN itself appears to be defined at configuration time and will stay that way.

Is this a challenge people have solved in production? A few ideas:

Active Directory Secrets Engine

Vault Agent triggering a template block against the AD Secret Engine Service Account, then a post hook capturing the output, and doing a vault write to update the configuration.

Vault Agent triggering a template block against the Kerberos Auth Service Account, then a post hook capturing the output, recreating the keytab, doing a vault write with the new password and keytab base64 blob.

Am I over thinking this - does Vault have this built in?


Is it possible to reference an external keytab file? That would certainly allow password rotation w/out having to worry about manually uploading new credentials.


You can solve this by writing an external job, which occasionally reads from ad/creds/a-role-mapped-to-the-root-account and swiftly writes back updated configuration including the new password to ad/config.

This is less than ideal, but is the best option I was able to come up with, considering the password and the rest of the configuration are all combined in one ad/config endpoint.

There is a built-in ad/rotate-root endpoint however this is, IMO, broken - since once you’ve used it, you now no longer have the ability to ever update ad/config again, because any write to that endpoint has to include the password.
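As an added example (not code from the thread or from HashiCorp) of the external job described in this answer, and of the same read-then-rewrite step the original post proposes for a Vault Agent post hook: a Python script driving the Vault HTTP API. It assumes an AD role named vault-bind whose service_account_name is the bind account in ad/config, an unrelated role app-svc used as a canary, and VAULT_ADDR/VAULT_TOKEN in the environment; the FakeVault class is a constructed offline stand-in for the engine, not the real thing. The Kerberos auth method's LDAP settings can be kept in step by passing their config path (assumed to be auth/kerberos/config/ldap) in extra_config_paths; the keytab on auth/kerberos/config still has to be regenerated separately. One scheduling caveat: the creds read only rotates the account once the role's TTL has lapsed, so the job runs after that.

```python
import json
import os
import urllib.request


class VaultClient:
    """Thin HTTP client: GET/POST JSON at <addr>/v1/<path>, returning ``data``."""

    def __init__(self, addr, token):
        self.addr, self.token = addr.rstrip("/"), token

    def _request(self, method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(
            f"{self.addr}/v1/{path}", data=data, method=method,
            headers={"X-Vault-Token": self.token,
                     "Content-Type": "application/json"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            raw = resp.read()
        return (json.loads(raw).get("data") or {}) if raw else {}

    def read(self, path):
        return self._request("GET", path)

    def write(self, path, body):
        return self._request("POST", path, body)


class FakeVault:
    """Constructed offline stand-in (not the real engine): config reads omit
    bindpass, a creds read for the bind role rotates it, and every creds read
    fails unless ad/config holds the account's real current password."""

    def __init__(self, binddn, service_account):
        self.store = {
            "ad/config": {"binddn": binddn, "bindpass": "old",
                          "url": "ldaps://dc.example.test",
                          "userdn": "DC=example,DC=test"},
            "ad/roles/vault-bind": {"service_account_name": service_account,
                                    "ttl": 86400},
        }
        self.rotations, self.fail_writes = 0, False

    def read(self, path):
        if path.startswith("ad/creds/"):
            real = f"pw-{self.rotations}" if self.rotations else "old"
            if self.store["ad/config"]["bindpass"] != real:
                raise PermissionError("LDAP bind failed: invalid credentials")
            if path == "ad/creds/vault-bind":
                self.rotations += 1
                return {"username": "vault",
                        "current_password": f"pw-{self.rotations}"}
            return {"username": path.rsplit("/", 1)[1],
                    "current_password": "unchanged"}
        return {k: v for k, v in self.store.get(path, {}).items()
                if k != "bindpass"}

    def write(self, path, body):
        if self.fail_writes:
            raise OSError("simulated 5xx from Vault")
        self.store[path] = dict(body)
        return {}


def rotate_bind_password(client, mount="ad", rotation_role="vault-bind",
                         canary_role=None, extra_config_paths=()):
    """Rotate the account behind <mount>/config's binddn and write it back.

    rotation_role must be a role whose service_account_name is the bind
    account. Returns the config paths rewritten. The creds read in step 2 is
    what rotates the password in AD, so Vault cannot bind between step 2 and
    step 3; nothing else happens in that window.
    """
    # 1. Snapshot every config we will rewrite: Vault never returns bindpass
    #    on read, and a write to <mount>/config must carry all fields again.
    config = client.read(f"{mount}/config")
    extras = {p: client.read(p) for p in extra_config_paths}
    for path, body in [(f"{mount}/config", config), *extras.items()]:
        if not body:
            raise RuntimeError(f"{path}: nothing read back, refusing to overwrite")

    # Sanity check before rotating anything: the role must manage the bind DN.
    account = client.read(f"{mount}/roles/{rotation_role}")["service_account_name"]
    if account.split("@")[0].lower() not in config.get("binddn", "").lower():
        raise RuntimeError(f"role {rotation_role!r} manages {account!r}, "
                           f"not binddn {config.get('binddn')!r}")

    # 2. This read rotates the bind account (once the role's TTL has lapsed)
    #    and returns the new password; from here on the stored bindpass is stale.
    new_password = client.read(f"{mount}/creds/{rotation_role}")["current_password"]

    # 3. Write the merged configs straight back. On failure, never log the
    #    password: the next creds read for the role returns it again.
    written = []
    try:
        client.write(f"{mount}/config", {**config, "bindpass": new_password})
        written.append(f"{mount}/config")
        for path, body in extras.items():
            client.write(path, {**body, "bindpass": new_password})
            written.append(path)
    except Exception as exc:
        raise RuntimeError(f"rotation half-applied; wrote {written}: {exc}") from exc

    # 4. Prove the engine can still bind with a creds read for another role
    #    (that role only rotates if its own TTL has lapsed, as usual).
    if canary_role:
        client.read(f"{mount}/creds/{canary_role}")
    return written


if __name__ == "__main__":
    vault = VaultClient(os.environ["VAULT_ADDR"], os.environ["VAULT_TOKEN"])
    print(rotate_bind_password(vault, canary_role="app-svc"))
```

The token running this needs read on ad/config, ad/roles/vault-bind and ad/creds/*, and update on ad/config (plus the extra paths). The mismatch check and the read-back check both run before the creds read on purpose: anything that can fail cheaply should fail before the one step that changes the password in AD, since after that step the only way out of a failed write is to re-read the creds and finish the write by hand.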