Static role credentials rotation without breaking the running clients

I have referenced a couple of documents on credentials rotation, such as I failed to find any of them mentioning how to avid breaking the running client services. So I looking for help here.

From the documentations and also I did a trial, Vault rotates the password for the static role exactly following the rotation period. So, I have a puzzle: suppose I have quite many microservices running and each of them gets the secrets (managed by the Vault with static role) and then holds the connection to the DBs. Indeed, each service should periodically reload the secret based on the TTL value returned from the Vault. However, there is no “buffer” time or not overlap between the old and new password timelines. So, this really makes me puzzled: How to make the running service not breaking during the password rotation since at a point password is changed without any buffer?

Hi, I also had this question.

Does anyone have an approach to reliably rotate a static role credential without breaking running clients that may open new connections with the stale creds? I assume this must be solved for folks to use static roles in prod?

Thank you!