Open
Background:
Currently, when adding an Azure Blob CAS backend using the CLI, Chainloop writes the service principal credentials directly to Vault and stores the Vault secret location in the database. This method does not support automated secret rotation, as the secret is managed by Chainloop and not by a Vault secrets engine with a rotation policy.
Problem:
There is no straightforward way to safely and automatically rotate the Azure service principal secret for the CAS backend.
Request:
Please add support for ephemeral credentials to be automatically generated and rotated for the CAS backend. It would be great to have similar configuration options as with the OIDC and Database credentials config that allow for Vault-managed auto rotation.