I’m using vault’s AWS secrets engine to generate RDS credentials with expiring leases. I then use those credentials in different apps that need access to said RDS instances. My issue is that at times, credentials expire and I have a service interruption until those credentials are updated. Is there a way in vault to associate a username with an expiring lease? My thinking is that I can get a list of soon-to-expire leases and if I can somehow associate usernames with those leases, I can then figure out which ones I need to rotate.
The expected way to use Vault leased credentials is that the application that needs them logs in to Vault and requests them as needed, receiving the credential and information about how long it will be valid for.
You as a human shouldn’t need to be involved in the credential rotation process at all!
Appreciate the response, however that doesn’t answer the question. Not every service that requires credentials has the ability/access to talk to vault. I understand that you can use long-term or non-expiring creds in those cases, but that’s not an ideal situation for me. That being said, are you aware of any way of associating a username with a lease?
No, there’s no way to do that. The lease IDs do include which role within the AWS secret engine they were created via, which may kind of be a proxy for a username, depending on how your roles are set up - or not.
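As an added example (not code from this thread), the following script shows how the role name embedded in an AWS secrets engine lease ID (`aws/creds/<role>/<random>`) can be used to group soon-to-expire leases by role. The lease metadata is constructed inline to mirror the `data` block that Vault's `sys/leases/lookup` endpoint returns; a live script would fetch it from Vault, and the mount name `aws` is an assumption.

```python
"""Group soon-to-expire Vault AWS secret leases by the role in the lease ID."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Constructed lease lookup results; shape mirrors `vault lease lookup <id>`.
SAMPLE_LEASES = [
    {"id": "aws/creds/app-readonly/abc123", "expire_time": "2024-05-01T12:00:00.123456789Z"},
    {"id": "aws/creds/app-readonly/def456", "expire_time": "2024-05-02T12:00:00Z"},
    {"id": "aws/creds/batch-writer/ghi789", "expire_time": "2024-05-01T10:30:00Z"},
    {"id": "database/creds/other/xyz", "expire_time": "2024-05-01T10:00:00Z"},
]
NOW = datetime(2024, 5, 1, 10, 0, tzinfo=timezone.utc)  # constructed "current time"


def role_from_lease_id(lease_id: str, mount: str = "aws") -> Optional[str]:
    """Return the role for a lease of the form <mount>/creds/<role>/<id>, else None."""
    parts = lease_id.split("/")
    if len(parts) >= 4 and parts[0] == mount and parts[1] == "creds":
        return parts[2]
    return None


def parse_vault_time(ts: str) -> datetime:
    """Parse an RFC3339 UTC timestamp; Vault may emit nanoseconds, which fromisoformat rejects."""
    ts = ts.rstrip("Z")
    if "." in ts:
        base, frac = ts.split(".", 1)
        ts = f"{base}.{frac[:6]}"  # truncate to microseconds
    return datetime.fromisoformat(ts).replace(tzinfo=timezone.utc)


def expiring_by_role(
    leases: List[dict], threshold: timedelta, now: datetime = NOW, mount: str = "aws"
) -> Dict[str, List[Tuple[str, int]]]:
    """Map role -> [(lease_id, seconds_remaining)] for leases expiring within threshold."""
    out: Dict[str, List[Tuple[str, int]]] = defaultdict(list)
    for lease in leases:
        role = role_from_lease_id(lease["id"], mount)
        if role is None:
            continue  # lease belongs to another mount; ignore it
        remaining = parse_vault_time(lease["expire_time"]) - now
        if remaining <= threshold:
            out[role].append((lease["id"], int(remaining.total_seconds())))
    return dict(out)


if __name__ == "__main__":
    for role, items in expiring_by_role(SAMPLE_LEASES, timedelta(hours=3)).items():
        print(role, items)
```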