Credential health monitoring
Daily probes flip credentials ok → warn / critical / expired. Full
playbook:
credential-health-monitoring.runbook.md.
Architecture (short)
Section titled “Architecture (short)”Daily cron (cache-credential-health.yml) → POST /admin-api/credential-health/refresh → per-provider probe (AWS STS / GCP JWT / Azure SP / CF token / GitHub) → upsert cloud_credential_health rowsCLI-first recipes
Section titled “CLI-first recipes”# Current health snapshotnayaone-admin api adminGetCredentialHealth
# Manifest of credentials under probenayaone-admin api adminGetCredentialHealthManifest
# Recent driftsnayaone-admin api adminListCredentialHealthRecentDrifts
# On-demand refresh (same path the daily cron uses)nayaone-admin api adminRefreshCredentialHealth --body '{}'
# Or dispatch the workflow wrappernayaone-admin api adminCacheCredentialHealth --body '{}'REST fallback: GET /admin-api/credential-health ·
POST /admin-api/credential-health/refresh ·
POST /admin-api/workflows/cache-credential-health.
Area listing: CLI reference → credential-health.
When to escalate
Section titled “When to escalate”- A credential stays
criticalafter refresh → rotate the secret in the credential registry, then re-runadminRefreshCredentialHealth. - Fleet-wide AWS/GCP/Azure probe failures → check the shared cloud-account identity before re-rolling boxes.