On Thu, Oct 05, 2023 at 01:09:36PM -0700, Jeff Davis wrote:
> On Thu, 2023-10-05 at 14:04 -0500, Nathan Bossart wrote:
>> That way, we needn't restrict this feature to 2 passwords for
>> everyone. Perhaps 2 should be the default, but in any case, IMO we
>> shouldn't design to only support 2.
>
> Are there use cases for lots of passwords, or is it just a matter of
> not introducing an artificial limitation?
I guess it's more of the latter. Perhaps one potential use case would be
short-lived credentials that are created on demand. Such a password might
only be valid for something like 15 minutes, and many users might have the
ability to request a password for the database role. I don't know whether
there is a ton of demand for such a use case, and it might already be
solvable by just creating separate roles. In any case, if there's general
agreement that we only want to target the rotation use case, that's fine by
me.
--
Nathan Bossart
Amazon Web Services: https://aws.amazon.com