The Author believes Passwords should be Easy as Cake
Most people understand the value of treating servers like cattle, not pets. It's great advice and leads to better scalability and availability.
For security, it pays to treat passwords like cattle as well. Secure the process that creates a new password with MFA, but make the actual passwords throwaway and manage them with a secrets manager. Assume a password may get leaked and have a process in place to recreate it.
I work with the Snowflake data warehouse, and this is the process I use.
Create a Makefile target that creates the application user from parameters. I use OpenSSL to generate the random password because it's available on all the systems I use.
create-app-user:
	$(eval randomPassword := $(shell openssl rand -base64 20))
	echo $(randomPassword)
	snowsql -f snowflake/access/createAppUser.sql -D database=${SNOWFLAKE_APP_DATABASE} -D user=${SNOWFLAKE_APP_USER} \
	    -D randomPassword=$(randomPassword) -D defaultRole=${SNOWFLAKE_APP_ROLE} \
	    -D warehouse=${SNOWFLAKE_APP_WAREHOUSE}
The SQL script snowflake/access/createAppUser.sql that the target runs:
!set variable_substitution=true;
create or replace user &{user}
    identified by '&{randomPassword}' default_role = &{defaultRole} DEFAULT_NAMESPACE=&{database};
alter user &{user} set default_warehouse = &{warehouse};
alter user &{user} set DEFAULT_NAMESPACE = &{database};
alter user &{user} set DEFAULT_ROLE = &{defaultRole};
grant role &{defaultRole} to user &{user};
grant all privileges on database &{database} to role &{defaultRole};
That's it. Users are now throwaway: drop and recreate. The user's full set of privileges is documented by the script, and rotating the credentials often is as easy as eating a piece of cake.
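Two things a practitioner will want to check in the target above. First, the password is echoed and passed to snowsql as a -D argument, so it lands in the terminal scrollback, CI logs and the process listing. Second, a raw base64 string only satisfies Snowflake's default password rules (at least 8 characters with at least one digit, one uppercase and one lowercase letter) by chance; 28 base64 characters miss a digit roughly 1% of the time, and then the create fails. The following is an added shell example, not code from the original post: it generates the password the same way, rejects any candidate that misses a character class, and hands the secret to snowsql through a 0600 temporary file using snowsql's !define and !source commands rather than the command line. The SNOWFLAKE_APP_* variables and the path snowflake/access/createAppUser.sql are taken from the Makefile above; the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): generate a throwaway
# password for the Snowflake app user, check it against Snowflake's
# default password rules, and hand it to snowsql without printing it.
set -eu

# 20 random bytes, base64 encoded (28 characters). Uses OpenSSL like the
# post and falls back to /dev/urandom where openssl is not installed.
random_password() {
  if command -v openssl >/dev/null 2>&1; then
    openssl rand -base64 20
  else
    head -c 20 /dev/urandom | base64 | tr -d '\n'
  fi
}

# Snowflake's default policy: at least 8 characters with at least one
# digit, one uppercase and one lowercase letter. POSIX character classes
# are used so the check does not depend on the locale's collation order.
# Returns 0 when the policy is met, 1 otherwise.
meets_policy() {
  pw=$1
  [ ${#pw} -ge 8 ] || return 1
  case $pw in *[[:digit:]]*) ;; *) return 1 ;; esac
  case $pw in *[[:upper:]]*) ;; *) return 1 ;; esac
  case $pw in *[[:lower:]]*) ;; *) return 1 ;; esac
  return 0
}

# Keep drawing candidates until one satisfies the policy; prints the
# password without a trailing newline for use in command substitution.
compliant_password() {
  pw=$(random_password)
  while ! meets_policy "$pw"; do
    pw=$(random_password)
  done
  printf '%s' "$pw"
}

# Create the user. The password is never echoed; it is written only to a
# mode-0600 temp file that snowsql reads, so it does not appear in `ps`
# output or CI logs the way a `-D randomPassword=...` argument does.
# SNOWFLAKE_APP_* come from the environment, as in the post's Makefile.
create_app_user() {
  pw=$(compliant_password)
  umask 077
  defs=$(mktemp)
  trap 'rm -f "$defs"' EXIT
  cat >"$defs" <<EOF
!set variable_substitution=true;
!define user=${SNOWFLAKE_APP_USER}
!define database=${SNOWFLAKE_APP_DATABASE}
!define defaultRole=${SNOWFLAKE_APP_ROLE}
!define warehouse=${SNOWFLAKE_APP_WAREHOUSE}
!define randomPassword=${pw}
!source snowflake/access/createAppUser.sql
EOF
  snowsql -f "$defs"
  # Hand $pw to your secrets manager here rather than printing it.
}
```

Usage: export the four SNOWFLAKE_APP_* variables and call create_app_user; the temp file holding the password is removed when the shell exits. The policy check is deliberately separate from generation so it can be reused to validate any password before it is pushed to the secrets manager.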