hashicorp / vault

A tool for secrets management, encryption as a service, and privileged access management
https://www.vaultproject.io/

Static Roles for RabbitMQ Secret Engine #13456

Open OOTS opened 2 years ago

OOTS commented 2 years ago

Is your feature request related to a problem? Please describe.
We'd like to use static roles (like the ones in the database secret engine) in the RabbitMQ secret engine, but Vault's API doesn't support it.

Describe the solution you'd like
Add API endpoints to create, read, update, delete and list static roles to the RabbitMQ secret engine, akin to the ones in the database secret engine. Creating a static role would instruct Vault to regularly update the password of one or more RabbitMQ accounts with a configurable frequency.

Describe alternatives you've considered

Additional context
References:

Thanks for your time!
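The rotation behaviour requested above, sketched as an added example; it is not Vault's code and not the draft mentioned later in this thread. `StaticRole`, `http_send` and `rotate_if_due` are hypothetical names, and the sketch assumes the RabbitMQ management plugin's `/api/users/<name>` endpoint, where a `PUT` replaces the user, so the existing tags are read first and sent back.

```python
import base64
import json
import secrets
import urllib.parse
import urllib.request
from dataclasses import dataclass


@dataclass
class StaticRole:  # hypothetical shape, modelled on the request above
    username: str  # existing RabbitMQ account managed by the role
    rotation_period: int  # seconds between rotations
    last_rotated: float = 0.0  # epoch seconds of the last successful rotation


def http_send(base_url, admin_user, admin_pass):
    """Build a send(method, path, body) callable for the management API."""
    token = base64.b64encode(f"{admin_user}:{admin_pass}".encode()).decode()

    def send(method, path, body=None):
        req = urllib.request.Request(
            base_url + path, method=method,
            data=None if body is None else json.dumps(body).encode(),
            headers={"Authorization": "Basic " + token,
                     "Content-Type": "application/json"})
        with urllib.request.urlopen(req, timeout=10) as resp:
            raw = resp.read()
            return json.loads(raw) if raw else None
    return send


def rotate_if_due(role, now, send):
    """Rotate the password once rotation_period has elapsed; None if not due."""
    if now - role.last_rotated < role.rotation_period:
        return None
    path = "/api/users/" + urllib.parse.quote(role.username, safe="")
    current = send("GET", path)  # PUT replaces the user, so read its tags first
    new_password = secrets.token_urlsafe(32)
    send("PUT", path, {"password": new_password, "tags": current["tags"]})
    role.last_rotated = now  # recorded only after the broker accepted the PUT
    return new_password


if __name__ == "__main__":
    # Constructed stand-in for a broker so the example runs offline.
    def stub(method, path, body=None):
        return {"tags": ["monitoring"]} if method == "GET" else None
    role = StaticRole("billing-app", rotation_period=86400)
    print("rotated:", rotate_if_due(role, 90000.0, stub) is not None)
```

Against a real broker, pass `http_send(...)` as `send`; an HTTP error raises before `last_rotated` is updated, so a failed rotation is retried on the next check.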

dops-at commented 1 year ago

+1

f4z3r commented 1 year ago

This is also something that I am very interested in for my work. I will see that I have a working draft of this with the rotation implemented by the beginning of next week. The groundwork is already done for creating, updating, and deleting the roles; I just need to add some testing and actually implement the credential rotation, and it should be good. Hopefully I can find some time before the end of this week to complete this.

f4z3r commented 1 year ago

Note that this will not include the RMQ credentials having an independent lease from the creating token.