Graceful reset of service user credentials
As a customer who has applications integrated into my Aiven Services,
I want some period of time after I change a user credential,
so that I can go and alter this in all the relevant applications, without a service outage.
Currently when a user credential is changed, with only 1 user, the old credential is disabled immediately, before I have a chance to update my applications, causing outages or scheduled maintenance windows.
-
Morten Lied Johansen commented
To work around this limitation, we have built tooling that provisions new service users for applications when credentials need to be rotated, so that we can switch the applications over to the new service user before deleting the old one.
This results in effectively 2-3 service users per application at any given time. This has resulted in us hitting the limit to the number of service users a service can have several times, and as our application portfolio continues to grow, the problem continues.
Being able to gracefully replace credentials would allow for a single service user per application.
-
Shaun Killingbeck commented
We've needed this feature for a very long time, and had to invest a lot of engineering effort working around it (which has in turn created a lot of additional complexity and tech debt).
The Aiven platform already has this feature for certificate expiry, so extending the same/similar to resetting credentials would be ideal (though it would need to be optional, e.g. in case the credentials were being reset due to being leaked)
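The behaviour requested in this thread, sketched as an added example that is not part of the original posts and not Aiven's implementation: a single service user keeps its previous credential valid for a bounded grace period after a reset, unless the reset asks for immediate revocation (the leaked-credential case). The `ServiceUser` class, its methods and the sample passwords are hypothetical names and constructed values.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional


def _derive(password: str, salt: bytes) -> bytes:
    # Salted, slow hash so the stored verifier is not the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class ServiceUser:
    """Hypothetical model of one service user; all names are assumptions."""
    salt: bytes
    current: bytes
    previous: Optional[bytes] = None
    previous_expires: float = 0.0

    @classmethod
    def create(cls, password: str) -> "ServiceUser":
        salt = os.urandom(16)
        return cls(salt, _derive(password, salt))

    def reset(self, new_password: str, now: float, grace_seconds: float = 0.0) -> None:
        """Replace the credential. grace_seconds=0 (the default) revokes the
        old one at once, which is what a reset after a leak needs."""
        if grace_seconds > 0:
            self.previous, self.previous_expires = self.current, now + grace_seconds
        else:
            self.previous, self.previous_expires = None, 0.0
        self.current = _derive(new_password, self.salt)

    def verify(self, password: str, now: float) -> Optional[str]:
        """Return "current", "previous" (old credential, still in grace) or None."""
        candidate = _derive(password, self.salt)
        if hmac.compare_digest(candidate, self.current):
            return "current"
        if (self.previous is not None and now < self.previous_expires
                and hmac.compare_digest(candidate, self.previous)):
            return "previous"  # log this: an application has not switched yet
        return None


if __name__ == "__main__":
    user = ServiceUser.create("old-secret")  # constructed sample values
    user.reset("new-secret", now=0.0, grace_seconds=3600)
    print(user.verify("old-secret", now=10.0), user.verify("old-secret", now=3600.0))
```

Only one previous credential is retained, so a second reset inside the grace window drops the oldest one; counting the `"previous"` results shows when every application has switched over.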