Problem
Gatekeeper fetches all credentials once at startup (loadCredentials in New()). For env and static sources this is fine, but aws-secretsmanager credentials won't pick up rotations until the process restarts. This is a silent footgun for long-running deployments.
Proposed solution
Add an optional refresh_interval to CredentialConfig (or globally in config). When set, the gatekeeper periodically re-fetches the credential and updates the proxy via SetCredentialWithGrant.
The daemon already has a refresh mechanism for CLI-managed credentials (internal/daemon/refresh.go) — the gatekeeper equivalent would be simpler since there are no per-run contexts.
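As an added illustration (this is not code from the gatekeeper project or its daemon), the Go sketch below shows the shape the proposed mechanism could take: a per-credential refresher that performs the startup load, then re-fetches on a ticker and calls SetCredentialWithGrant only when the value actually changed, keeping the last known-good value when the backend errors. CredentialConfig, the refresh interval field, SetCredentialWithGrant and loadCredentials/New() are names taken from the issue; the CredentialSource and Proxy interfaces, the Refresher type, its field names and the two closure adapters are assumptions made for the example.

```go
package main

import (
	"context"
	"fmt"
	"log"
	"time"
)

// Assumed interfaces: the env, static and aws-secretsmanager sources would implement
// CredentialSource; SetCredentialWithGrant is the proxy method the issue names.
type (
	CredentialSource interface{ Fetch(ctx context.Context) (string, error) }
	Proxy            interface{ SetCredentialWithGrant(name, value string) error }
)

// CredentialConfig stands in for the gatekeeper's struct; RefreshInterval is the
// proposed optional field, and zero keeps today's load-once-at-startup behaviour.
type CredentialConfig struct {
	Name            string
	RefreshInterval time.Duration
}

// Refresher re-fetches one credential and pushes it to the proxy only on change.
type Refresher struct {
	Cfg   CredentialConfig
	Src   CredentialSource
	Proxy Proxy
	last  *string // last value handed to the proxy; nil until the first push
}

// RefreshOnce fetches the credential and updates the proxy if the value changed. On a
// backend error the proxy keeps its last known-good value. Returns true on update.
func (r *Refresher) RefreshOnce(ctx context.Context) (bool, error) {
	val, err := r.Src.Fetch(ctx)
	if err != nil {
		return false, fmt.Errorf("refresh %q: %w", r.Cfg.Name, err)
	}
	if r.last != nil && val == *r.last {
		return false, nil // unchanged: no grant churn on the proxy
	}
	if err := r.Proxy.SetCredentialWithGrant(r.Cfg.Name, val); err != nil {
		return false, fmt.Errorf("update %q: %w", r.Cfg.Name, err)
	}
	r.last = &val
	return true, nil
}

// Run does the startup load, then re-fetches every RefreshInterval until ctx is done.
// A startup failure is returned (as loadCredentials in New() fails today); later
// failures are only logged, so the previous value stays in place.
func (r *Refresher) Run(ctx context.Context) error {
	if _, err := r.RefreshOnce(ctx); err != nil {
		return err
	}
	if r.Cfg.RefreshInterval <= 0 {
		return nil
	}
	t := time.NewTicker(r.Cfg.RefreshInterval)
	defer t.Stop()
	for {
		select {
		case <-ctx.Done():
			return nil
		case <-t.C:
			if _, err := r.RefreshOnce(ctx); err != nil {
				log.Printf("gatekeeper: %v (keeping previous value)", err)
			}
		}
	}
}

// Constructed adapters so closures can stand in for the backend and for the proxy.
type SourceFunc func(context.Context) (string, error)
func (f SourceFunc) Fetch(ctx context.Context) (string, error) { return f(ctx) }

type ProxyFunc func(name, value string) error
func (f ProxyFunc) SetCredentialWithGrant(name, value string) error { return f(name, value) }

func main() {
	start := time.Now()
	src := SourceFunc(func(context.Context) (string, error) { // constructed backend: rotates after 50ms
		if time.Since(start) < 50*time.Millisecond {
			return "token-v1", nil
		}
		return "token-v2", nil
	})
	pushes, held := 0, ""
	proxy := ProxyFunc(func(name, value string) error {
		pushes, held = pushes+1, value
		return nil
	})
	cfg := CredentialConfig{Name: "db", RefreshInterval: 10 * time.Millisecond}
	ctx, cancel := context.WithTimeout(context.Background(), 120*time.Millisecond)
	defer cancel()
	if err := (&Refresher{Cfg: cfg, Src: src, Proxy: proxy}).Run(ctx); err != nil {
		log.Fatal(err)
	}
	fmt.Printf("proxy holds %q after %d push(es)\n", held, pushes)
}
```

Running it shows the proxy ending up with the rotated value after exactly two pushes, because unchanged fetches are not forwarded. Leaving RefreshInterval at zero makes Run perform only the startup load, which matches the current behaviour and keeps the option opt-in. Two things a real implementation would add that the sketch leaves out: a mutex or a single owning goroutine if RefreshOnce can be reached from more than one goroutine, and a per-fetch timeout on the context so a hung backend call cannot stall the loop.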
Workarounds
Restart the gatekeeper process to pick up rotated values. This is documented in a code comment but not in user-facing docs.