Comment 1 for bug 1995976

Felipe Reyes (freyes) wrote :

Just an idea: maybe we should have an action to create temporary accounts on demand, so the exposure is time-constrained, for example:

juju run-action mysql-innodb-cluster/leader create-temp-account duration=1h database=nova,cinder,neutron reason="HA routers audit script"

This would give you a user account with a random username and password that will be available for 1 hour and have permissions to access the nova, cinder and neutron databases.

Having a permanent read-only account makes me worried about how it could be shared across the organization since "it's just a read-only account".

The downside of this approach is that we don't have a daemon running, so we may need to register a cronjob that takes care of revoking/deleting the temporary users created.
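
Added example, not part of the comment above and not code from the mysql-innodb-cluster charm: a sketch of the SQL such an action and its cleanup cron job could issue. The function names, the tmp_ username prefix and the "expires" attribute key are hypothetical; it assumes MySQL 8.0.21 or later (CREATE USER ... ATTRIBUTE and INFORMATION_SCHEMA.USER_ATTRIBUTES).

```python
import json
import re
import secrets
from datetime import datetime, timedelta

# Assumption: database names are plain identifiers. Anything else is rejected
# instead of quoted, because the names are placed inside GRANT statements.
_IDENT = re.compile(r"^[A-Za-z0-9_]{1,64}$")
_TEMP_USER = re.compile(r"^tmp_[0-9a-f]{16}$")  # hypothetical naming scheme


def parse_duration(text):
    """Parse '30m' or '1h' (the duration= form used above) into a timedelta."""
    m = re.match(r"^([1-9]\d*)([mh])$", text)
    if not m:
        raise ValueError(f"bad duration: {text!r}")
    n = int(m.group(1))
    return timedelta(minutes=n) if m.group(2) == "m" else timedelta(hours=n)


def create_temp_account_sql(databases, duration, reason, now):
    """Return (user, password, statements) for a read-only temporary account."""
    for db in databases:
        if not _IDENT.match(db):
            raise ValueError(f"bad database name: {db!r}")
    user = "tmp_" + secrets.token_hex(8)
    password = secrets.token_urlsafe(24)  # alphabet contains no quote characters
    expires = now + parse_duration(duration)
    attr = json.dumps({"expires": expires.isoformat(), "reason": reason})
    # The JSON goes into a SQL string literal: escape backslashes and quotes.
    attr = attr.replace("\\", "\\\\").replace("'", "''")
    stmts = [f"CREATE USER '{user}'@'%' IDENTIFIED BY '{password}' "
             f"ATTRIBUTE '{attr}'"]
    stmts += [f"GRANT SELECT ON `{db}`.* TO '{user}'@'%'" for db in databases]
    return user, password, stmts


def expired_account_sql(rows, now):
    """Cron side. rows are (USER, HOST, ATTRIBUTE) tuples read from
    INFORMATION_SCHEMA.USER_ATTRIBUTES; returns DROP USER statements."""
    drops = []
    for user, host, attribute in rows:
        # Only touch accounts this scheme created; never drop anything else.
        if not _TEMP_USER.match(user) or host != "%" or not attribute:
            continue
        expires = json.loads(attribute).get("expires")
        if expires and datetime.fromisoformat(expires) <= now:
            drops.append(f"DROP USER IF EXISTS '{user}'@'%'")
    return drops
```

DROP USER does not close sessions the account already has open, so a cleanup job that must enforce the time limit also has to terminate those connections.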