RabbitMQ with rotating credentials


(Bill Staff) #1

My company is considering using HashiCorp Vault to handle RabbitMQ credentials. This would mean that the Rabbit logins would expire and be renewed. Is there a good way to handle this? I do not see a way to change the connection string in an endpoint. I could just create a new endpoint each time these credentials change.

Has anyone done something like this?

(Brandon Ording) #2

If you need to update your connection strings, you’ll need to restart any endpoints using the old connection string.

(Bill Staff) #3

What if I generated a new IMessageSession per scope? Are there any known adverse behaviors besides a performance hit?

(Brandon Ording) #4

If I understand what you’re saying, you’d need to call Endpoint.Start to create a new endpoint every time you want to send a message. That is definitely not something we recommend. In fact, you’d have to create a new EndpointConfiguration instance each time as well since they can’t be reused.

You’d also need to manage shutting down all of those endpoints correctly as well, or they’d all still be active, with their own connections to the broker running.

That also assumes these endpoints would only be used for sending messages and aren’t also receiving them. If you’re also receiving messages, then this definitely would not make sense since endpoints need to be long-running to process messages in a queue.

Overall, I don’t think it makes sense to do what you’re suggesting. It’s a much better idea to allow the new credentials to be picked up naturally during a process restart.
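Added example, not part of the thread and not NServiceBus or Vault code: a small supervisor that applies the advice above by restarting the endpoint process before each Vault lease expires, so new credentials are picked up at process start. The `fetch` callable, the `RABBITMQ_CONNECTION_STRING` variable name, the `host=...;username=...;password=...` form, and the 80% restart point are assumptions; the sample response is constructed.

```python
import json
import os
import subprocess
import time

# Constructed sample in the shape Vault returns for dynamic RabbitMQ credentials.
SAMPLE = json.dumps({
    "lease_id": "rabbitmq/creds/example-role/constructed-id",
    "lease_duration": 3600,
    "data": {"username": "constructed-user", "password": "constructed-pass"},
})

def parse_lease(raw, issued_at):
    """Extract the credentials and absolute expiry time from a Vault response."""
    doc = json.loads(raw)
    ttl = int(doc["lease_duration"])
    if ttl <= 0:
        raise ValueError("lease has no usable TTL")
    return {"username": doc["data"]["username"], "password": doc["data"]["password"],
            "issued_at": issued_at, "expires_at": issued_at + ttl}

def connection_string(host, lease):
    """Build the connection string; refuse values that would corrupt it."""
    for value in (host, lease["username"], lease["password"]):
        if ";" in value or "=" in value:
            raise ValueError("value would break key=value;... parsing")
    return f"host={host};username={lease['username']};password={lease['password']}"

def restart_at(lease, fraction=0.8):
    """Restart after this fraction of the lease lifetime, not at expiry."""
    return lease["issued_at"] + (lease["expires_at"] - lease["issued_at"]) * fraction

def supervise(command, host, fetch, cycles=None, clock=time.time, sleep=time.sleep):
    """Run `command` with fresh credentials, restarting it before each lease expires."""
    done = 0
    while cycles is None or done < cycles:
        lease = parse_lease(fetch(), clock())
        env = dict(os.environ, RABBITMQ_CONNECTION_STRING=connection_string(host, lease))
        child = subprocess.Popen(command, env=env)  # secret in env, not in argv
        while child.poll() is None and clock() < restart_at(lease):
            sleep(1)
        if child.poll() is None:
            child.terminate()  # SIGTERM so the endpoint can shut down cleanly
            try:
                child.wait(timeout=30)
            except subprocess.TimeoutExpired:
                child.kill()
        done += 1
    return done
```

If the child exits on its own, this loop fetches a new lease immediately; a production wrapper would add a backoff so a crash loop does not flood Vault with credential requests.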