This would give you a user account with a random username and password that will be available for 1 hour and permissions to access nova, cinder and neutron databases.
Having a permanent read-only account makes me feel worried how could be shared across the organization since "it's just a read only account".
The downside of this approach is that we don't have a daemon running, so we may need to register a cronjob that takes care of revoking/deleting the temporary users created.
just an idea: maybe we should have an action to create temporary accounts on demand, so the exposure is time constrained, for example:
juju run-action mysql-innodb- cluster/ leader create-temp-account duration=1h database= nova,cinder, neutron reason="HA routers audit script"
This would give you a user account with a random username and password that will be available for 1 hour and permissions to access nova, cinder and neutron databases.
Having a permanent read-only account makes me feel worried how could be shared across the organization since "it's just a read only account".
The downside of this approach is that we don't have a daemon running, so we may need to register a cronjob that takes care of revoking/deleting the temporary users created.