A way to configure a timeout in Database Engine Roles #21558
Labels
Comments
|
Is anyone working on this ticket? I would love to look into this. |
This was referenced Oct 11, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Is your feature request related to a problem? Please describe.
We have a particular database for which dynamic credentials revocation consistently fails, due to timeout. It's not a network issue, it really just takes a while. I'm able to login to the database from the same network as Vault and run the same queries configured as revocation statement and they work fine, albeit slowly.
Describe the solution you'd like
A way to configure a timeout in Database Engine Roles, so that Vault does not give up before things have enough time to succeed.
Describe alternatives you've considered
I haven't been able to come up other alternatives that don't require deep architectural changes for product development teams that use our platform. I would rather if we could at least alleviate the issue on our end without being too intrusive. A timeout seems simple enough.
Explain any additional use-cases
The failure to revoke leads to leases living on forever, and Vault continues to periodically attempt to revoke them, causing a higher resource consumption and sometimes leading to saturation if we don't manually remove the leases (and roles from the Database).
Additional context
This is an AWS RDS, which notably require custom-made revocation statements because the root user isn't really root/superuser. Its privileges are capped and we don't have access to the actual superuser, only AWS does.
The text was updated successfully, but these errors were encountered: