Rotating AD Engine / Kerberos Auth Bind DN

Hi,

Is there an established pattern for rotating LDAP / Kerberos service accounts utilised by Vault itself? The service accounts under Vault’s control will have regularly rotated passwords as per engine configuration, but the Vault plugin DN itself appears to be defined at configuration time and will stay that way.

Is this a challenge people have solved in production? A few ideas:

Active Directory Secrets Engine

Vault Agent triggering a template block against the AD Secret Engine Service Account, then a post hook capturing the output, and doing a vault write to update the configuration.

Vault Agent triggering a template block against the Kerberos Auth Service Account, then a post hook capturing the output, recreating the keytab, doing a vault write with the new password and keytab base64 blob.

Am I overthinking this - does Vault have this built in?

Cheers,
Tom
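Added example, not from Tom's post and not HashiCorp's own code: a POSIX shell post-hook for the Vault Agent `exec` idea above. It assumes an agent template that renders `current_password` from `ad/creds/<role>` into a 0600 file (the role name `vault-svc`, the script name `rotate-vault-bind.sh`, the file paths and the `AD_*` / `KRB_*` environment variable names are all assumptions), and that the Kerberos keytab has already been rebuilt from the rotated password by a separate step. The script then updates `ad/config` and `auth/kerberos/config` with the Vault CLI, reading the password from stdin (`bindpass=-`) so it never lands in the process list.

```shell
#!/bin/sh
# rotate-vault-bind.sh (hypothetical name): post-render hook for a Vault Agent
# template. Added example, not Vault's own code.
#
# Assumed Vault Agent stanza that drives it (role name and paths are assumptions):
#
#   template {
#     contents    = "{{ with secret \"ad/creds/vault-svc\" }}{{ .Data.current_password }}{{ end }}"
#     destination = "/run/vault-agent/bind.pw"
#     perms       = "0600"
#     exec {
#       command = ["/usr/local/sbin/rotate-vault-bind.sh", "ad"]
#     }
#   }
set -eu

# Vault CLI to invoke; overridable so the hook can be exercised with a stub.
VAULT_CMD="${VAULT_CMD:-vault}"
NL='
'

# Read the password the template rendered and reject anything that does not
# look like a single credential (an empty file or multi-line error text would
# otherwise be written into Vault's bind configuration).
read_rendered_password() {
  file="$1"
  [ -s "$file" ] || { echo "rotate: $file is missing or empty" >&2; return 1; }
  pw=$(cat "$file")   # command substitution drops the trailing newline
  case "$pw" in
    ''|*"$NL"*) echo "rotate: $file is not a single-line password" >&2; return 1 ;;
  esac
  printf '%s' "$pw"
}

# Point the AD secrets engine at the new bind password. A write to ad/config
# replaces the stored configuration, so the other required fields are
# resupplied rather than dropped; bindpass=- makes the CLI read the value
# from stdin, keeping the secret out of the process list and shell history.
update_ad_bind() {
  binddn="$1"; url="$2"; userdn="$3"; pw_file="$4"
  pw=$(read_rendered_password "$pw_file")
  printf '%s' "$pw" | "$VAULT_CMD" write ad/config \
    binddn="$binddn" url="$url" userdn="$userdn" bindpass=-
}

# Upload a regenerated keytab to the Kerberos auth method. The keytab is
# assumed to have been rebuilt already (e.g. with ktutil) from the rotated
# password; the API expects it base64-encoded, so encode into a private temp
# file and hand it over with the @file syntax.
update_kerberos_keytab() {
  keytab="$1"; svc="$2"
  [ -s "$keytab" ] || { echo "rotate: keytab $keytab is missing or empty" >&2; return 1; }
  b64=$(mktemp)
  chmod 600 "$b64"
  base64 < "$keytab" | tr -d '\n' > "$b64"
  status=0
  "$VAULT_CMD" write auth/kerberos/config \
    keytab=@"$b64" service_account="$svc" || status=$?
  rm -f "$b64"
  return "$status"
}

# Dispatch on the mode the agent passes; connection details come from
# environment variables (names are assumptions) set in the agent's unit file.
if [ "$#" -gt 0 ]; then
  case "$1" in
    ad)       update_ad_bind "${AD_BIND_DN:?}" "${AD_URL:?}" "${AD_USER_DN:?}" "${AD_PASSWORD_FILE:?}" ;;
    kerberos) update_kerberos_keytab "${KRB_KEYTAB:?}" "${KRB_SERVICE_ACCOUNT:?}" ;;
    *)        echo "usage: $0 ad|kerberos" >&2; exit 2 ;;
  esac
fi
```

Two points worth keeping in mind when wiring this up: the agent token that renders the template needs write access to `ad/config` and `auth/kerberos/config`, which is a much broader grant than reading a credential, so that token deserves its own tightly scoped policy; and because a failed config write leaves Vault holding the old password after AD has already moved on, the hook's exit status should be alerted on rather than silently ignored.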