Cron Job / Event Scheduler for Vault Token Rotation

With reference to a previous post we wrote and solved, we are now looking to implement automatic Vault Token renewal using Vault Agent and potentially a cron job or the event scheduler built into MySQL.

In order to inject the new token generated by Vault Agent into the keyring_vault.conf file, a cron job will be needed to automatically change the file. For the token change to take place, Percona will need to uninstall and then install the keyring_vault plugin, which can be done through the event scheduler. The only problem we have right now is that while we can technically time the event scheduler to be after the cron job to avoid reinstalling the plugin before the token has changed, we would feel better if there was a more concrete way to establish a dependency between the cron job finishing and the event scheduler starting.

An immediate idea is to do the plugin reinstall from a cron job as well (granting INSERT and DELETE on the mysql.plugin system table), but it just doesn’t seem favourable to provide the cron job with a MySQL user and password. Does anyone have any suggestions on better ways to accomplish this?

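One way to make the ordering explicit, as an added example that is not part of the original post or of Percona's or HashiCorp's own tooling: put both steps in a single script run from cron, so the plugin reinstall only runs after the config file has been rewritten and renamed into place, and only when the token actually changed. The script reads the token from a Vault Agent file sink and authenticates to MySQL with a `mysql_config_editor` login path, so no password appears in the crontab or in the script. The sink path `/run/vault/agent-token`, the config path `/etc/mysql/keyring_vault.conf`, the login-path name `keyring_rotate` and the `token = ...` key/value layout of the config file are assumptions for this example and should be checked against the installation.

```shell
#!/bin/sh
# Added example (not from the original post). Single cron job that
#   1. rewrites the token line of keyring_vault.conf atomically, and
#   2. only then reinstalls the keyring_vault plugin so mysqld picks it up.
# Assumed, hypothetical defaults (override via environment):
#   TOKEN_FILE  - file sink where Vault Agent writes the renewed token
#   CONF_FILE   - Percona keyring_vault configuration file (key = value lines)
#   LOGIN_PATH  - login path created with mysql_config_editor, so no password
#                 is passed on the command line or stored in the crontab
set -eu

TOKEN_FILE="${TOKEN_FILE:-/run/vault/agent-token}"
CONF_FILE="${CONF_FILE:-/etc/mysql/keyring_vault.conf}"
LOGIN_PATH="${LOGIN_PATH:-keyring_rotate}"

# Replace the token= line in the config file and swap the file in atomically.
# Prints 1 if the file changed, 0 if the token was already current.
render_keyring_conf() {
    token_file=$1
    conf_file=$2
    token=$(cat "$token_file")
    [ -n "$token" ] || { echo "empty token in $token_file" >&2; return 2; }

    # Token already current: do nothing, so the plugin is not reloaded needlessly.
    if grep -qxF "token = $token" "$conf_file"; then
        echo 0
        return 0
    fi

    # Build the new file next to the old one so mv is a rename, never a partial write.
    tmp=$(mktemp "$(dirname "$conf_file")/.keyring_vault.XXXXXX")
    # Keep every other setting as-is; only the token line changes.
    grep -v '^token *=' "$conf_file" > "$tmp" || true
    printf 'token = %s\n' "$token" >> "$tmp"
    chmod 0600 "$tmp"          # assumes the script runs as the account that owns the file
    mv "$tmp" "$conf_file"
    echo 1
}

# Reload the plugin so mysqld reads the new token. Called only after the
# file is in place, which is the dependency the separate event scheduler lacked.
reinstall_plugin() {
    login_path=$1
    mysql --login-path="$login_path" -e \
        "UNINSTALL PLUGIN keyring_vault; INSTALL PLUGIN keyring_vault SONAME 'keyring_vault.so';"
}

main() {
    changed=$(render_keyring_conf "$TOKEN_FILE" "$CONF_FILE")
    if [ "$changed" = 1 ]; then
        reinstall_plugin "$LOGIN_PATH"
    fi
}

# cron entry (hypothetical): */15 * * * * /usr/local/sbin/rotate-vault-token.sh run
# The explicit "run" argument keeps the functions sourceable for testing.
if [ "${1:-}" = "run" ]; then
    main
fi
```

The login path is created once, interactively, with `mysql_config_editor set --login-path=keyring_rotate --user=<rotation-user> --password`; the resulting `~/.mylogin.cnf` is obfuscated rather than encrypted, so it should belong to the cron user with mode 0600, and the rotation user needs only the INSERT and DELETE privileges on `mysql.plugin` mentioned in the post. Because the reinstall happens in the same process after `mv` returns, there is no timing window to tune between the file change and the plugin reload.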