Log DB Rotations (#31402)

builtin/logical/database/path_rotate_credentials.go

@@ -77,7 +77,13 @@ func pathRotateRootCredentials(b *databaseBackend) []*framework.Path {
 func (b *databaseBackend) pathRotateRootCredentialsUpdate() framework.OperationFunc {
 	return func(ctx context.Context, req *logical.Request, data *framework.FieldData) (resp *logical.Response, err error) {
 		name := data.Get("name").(string)
-		return b.rotateRootCredentials(ctx, req, name)
+		resp, err = b.rotateRootCredentials(ctx, req, name)
+		if err != nil {
+			b.Logger().Error("failed to rotate root credential on user request", "path", req.Path, "error", err.Error())
+		} else {
+			b.Logger().Info("succesfully rotated root credential on user request", "path", req.Path)
+		}
+		return resp, err
 	}
 }
 
@@ -236,7 +242,7 @@ func (b *databaseBackend) pathRotateRoleCredentialsUpdate() framework.OperationF
 		// this item back on the queue. The err should still be returned at the end
 		// of this method.
 		if err != nil {
-			b.logger.Warn("unable to rotate credentials in rotate-role", "error", err)
+			b.logger.Error("unable to rotate credentials in rotate-role on user request", "path", req.Path, "error", err.Error())
 			// Update the priority to re-try this rotation and re-add the item to
 			// the queue
 			item.Priority = time.Now().Add(10 * time.Second).Unix()
@@ -247,6 +253,8 @@ func (b *databaseBackend) pathRotateRoleCredentialsUpdate() framework.OperationF
 			}
 		} else {
 			item.Priority = role.StaticAccount.NextRotationTimeFromInput(resp.RotationTime).Unix()
+			ttl := role.StaticAccount.CredentialTTL().Seconds()
+			b.Logger().Info("rotated credential in rotate-role on user request", "path", req.Path, "TTL", ttl)
 			// Clear any stored WAL ID as we must have successfully deleted our WAL to get here.
 			item.Value = ""
 			modified = true

builtin/logical/database/rotation.go

@@ -268,13 +268,14 @@ func (b *databaseBackend) rotateCredential(ctx context.Context, s logical.Storag
 
 	// send an event indicating if the rotation was a success or failure
 	rotated := false
-	defer func() {
+	defer func(s *staticAccount) {
 		if rotated {
+			b.Logger().Info("succesfully rotated static role", "name", roleName, "ttl", s.CredentialTTL().Seconds())
 			b.dbEvent(ctx, "rotate", "", roleName, true)
 		} else {
 			b.dbEvent(ctx, "rotate-fail", "", roleName, false)
 		}
-	}()
+	}(role.StaticAccount) // argument is evaluated now, but since it's a pointer should refer correctly to updated values
 
 	// If there is a WAL entry related to this Role, the corresponding WAL ID
 	// should be stored in the Item's Value field.
@@ -284,7 +285,7 @@ func (b *databaseBackend) rotateCredential(ctx context.Context, s logical.Storag
 
 	resp, err := b.setStaticAccount(ctx, s, input)
 	if err != nil {
-		logger.Error("unable to rotate credentials in periodic function", "error", err)
+		logger.Error("unable to rotate credentials in periodic function", "name", roleName, "error", err.Error())
 
 		// Increment the priority enough so that the next call to this method
 		// likely will not attempt to rotate it, as a back-off of sorts

changelog/31402.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+secrets/database: log password rotation success (info) and failure (error). Some relevant log lines have been updated to include "path" fields.
+```