Skip to content

Credential health monitoring

Daily probes flip credentials okwarn / critical / expired. Full playbook: credential-health-monitoring.runbook.md.

Daily cron (cache-credential-health.yml)
→ POST /admin-api/credential-health/refresh
→ per-provider probe (AWS STS / GCP JWT / Azure SP / CF token / GitHub)
→ upsert cloud_credential_health rows
Terminal window
# Current health snapshot
nayaone-admin api adminGetCredentialHealth
# Manifest of credentials under probe
nayaone-admin api adminGetCredentialHealthManifest
# Recent drifts
nayaone-admin api adminListCredentialHealthRecentDrifts
# On-demand refresh (same path the daily cron uses)
nayaone-admin api adminRefreshCredentialHealth --body '{}'
# Or dispatch the workflow wrapper
nayaone-admin api adminCacheCredentialHealth --body '{}'

REST fallback: GET /admin-api/credential-health · POST /admin-api/credential-health/refresh · POST /admin-api/workflows/cache-credential-health.

Area listing: CLI reference → credential-health.

  • A credential stays critical after refresh → rotate the secret in the credential registry, then re-run adminRefreshCredentialHealth.
  • Fleet-wide AWS/GCP/Azure probe failures → check the shared cloud-account identity before re-rolling boxes.