Scenario:
If I change the database password in Vault, all the requests to the database will fail due to authentication errors.
I can bring all the containers down and when they restart they will have the new password, but that is not what I want to do. There are a few hacky ways of getting around this problem but they involve not using the Service Collection and I want to use it.
Question:
Does EF Core support password rotation, or is there a way to achieve this while still using the Service Collection?
You should be able to add the DbContext into DI and pass a delegate which creates the instance, essentially taking control of the static nature of the connection string and working out the correct one at runtime.
    services.AddScoped<YourDbContext>(svc =>
    {
        // Logic to get the connection string with the right password from HashiCorp Vault goes here.
        var connString = GetConnStringFromVault(svc); // hypothetical helper standing in for that logic
        var dbContextOptions = new DbContextOptionsBuilder<YourDbContext>();
        dbContextOptions.UseSqlServer(connString); // or whichever EF provider your database uses
        return new YourDbContext(dbContextOptions.Options);
    });
The simplest solution is to get the username and password from the vault. Then treat it like a key rotation, switching the config to a different username/password, and waiting for the app to stop using the old credentials before changing the password.
Another approach is to re-fetch the credentials before retrying after a failure.
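An added example (not code from the question or the answers) combining the DI delegate with the "re-fetch before retrying" approach: the connection string is cached in a singleton, and a SQL Server login failure invalidates it and retries once in a fresh scope. `VaultConnectionStringCache`, `RotatingDb` and the `fetchFromVault` delegate are hypothetical names; the SQL Server provider with Microsoft.Data.SqlClient is assumed.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.Data.SqlClient;
using Microsoft.EntityFrameworkCore;
using Microsoft.Extensions.DependencyInjection;
// Minimal stand-in for the YourDbContext used in the answer above.
public class YourDbContext : DbContext { public YourDbContext(DbContextOptions<YourDbContext> o) : base(o) { } }
// Hypothetical singleton: caches the connection string built from Vault credentials.
public sealed class VaultConnectionStringCache
{
    private readonly Func<string> _fetch; // assumed app-supplied Vault lookup
    private readonly object _gate = new();
    private string? _current;
    public VaultConnectionStringCache(Func<string> fetch) => _fetch = fetch;
    public string Get() { lock (_gate) return _current ??= _fetch(); }
    // Clear only if the failed value is still cached, so concurrent failures cause one re-fetch.
    public void Invalidate(string failed) { lock (_gate) if (_current == failed) _current = null; }
}

public static class RotatingDb
{
    const int LoginFailed = 18456; // SQL Server error number for "Login failed for user"
    public static void Register(IServiceCollection services, Func<string> fetchFromVault)
    {
        services.AddSingleton(new VaultConnectionStringCache(fetchFromVault));
        services.AddScoped(sp => new YourDbContext(new DbContextOptionsBuilder<YourDbContext>()
            .UseSqlServer(sp.GetRequiredService<VaultConnectionStringCache>().Get()).Options));
    }
    // Runs work in a fresh scope; on a login failure, re-fetches credentials and retries once.
    public static async Task<T> RunAsync<T>(IServiceProvider root, Func<YourDbContext, Task<T>> work)
    {
        var cache = root.GetRequiredService<VaultConnectionStringCache>();
        for (var attempt = 1; ; attempt++)
        {
            var used = cache.Get();
            using var scope = root.CreateScope();
            var db = scope.ServiceProvider.GetRequiredService<YourDbContext>();
            try { return await work(db); }
            catch (Exception ex) when (attempt == 1 && IsLoginFailure(ex)) { cache.Invalidate(used); }
        }
    }
    // The SqlException may be wrapped by EF Core, so walk the inner-exception chain.
    static bool IsLoginFailure(Exception? ex)
    {
        for (; ex != null; ex = ex.InnerException)
            if (ex is SqlException { Number: LoginFailed }) return true;
        return false;
    }
}
```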