Rotate a service-account password

Service accounts (such as the fax broker’s bind accounts) need their passwords rotated, and the new secret has to reach the consuming application without being written anywhere it shouldn’t. The rotate-svc target does both: it sets a fresh password on the AD account and writes it straight into a consumer .env.

```sh
make rotate-svc U=svc-fax-ro ENVFILE=~/bingham/faxart/.env KEY=AD_BIND_PASSWORD
```

That generates a new compliant password, sets it on svc-fax-ro in AD (marking the account non-expiring), and writes AD_BIND_PASSWORD=<new> into the named .env, replacing any existing line for that key.

| Parameter | Meaning |
| --- | --- |
| U | The service account to rotate (required) |
| ENVFILE | Path to the consumer’s .env to update |
| KEY | The variable name to set in that .env |
| P | Optional explicit password; omit to auto-generate a compliant one |

The secret never appears in the lab’s own repository, in chat, or in a commit. It goes from samba-tool straight into the consumer’s .env, which is gitignored on both sides. If you must hand a password to a human, deliver it through a secret channel, not the agent thread.
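The replace-the-line step described above, as an added sketch rather than the rotate-svc target's own code: `set_env_key` is a hypothetical helper that takes the secret on stdin (so it never shows up in a process argument list), rewrites the .env through an owner-only temp file, and swaps it in with a rename. It assumes the consumer reads a plain unquoted `KEY=value` line, as shown on this page.

```sh
# Hypothetical helper (not part of the lab's Makefile).
# Usage: printf '%s\n' "$NEW_PASSWORD" | set_env_key ~/bingham/faxart/.env AD_BIND_PASSWORD
set_env_key() {
    sek_file=$1
    sek_key=$2

    # Accept only shell-style variable names; this also keeps the grep
    # pattern below free of regex metacharacters.
    case $sek_key in
        ''|[0-9]*|*[!A-Za-z0-9_]*)
            echo "set_env_key: invalid key name" >&2
            return 2 ;;
    esac

    # Secret comes from stdin, not argv, so it is not visible in `ps` output.
    IFS= read -r sek_value || true
    [ -n "$sek_value" ] || { echo "set_env_key: empty value on stdin" >&2; return 1; }

    # mktemp creates the file with mode 0600; keeping it in the same directory
    # as the target makes the final mv an atomic rename.
    sek_tmp=$(mktemp "$(dirname -- "$sek_file")/.envtmp.XXXXXX") || return 1

    # Copy every line except existing assignments of this key.
    # grep exits 1 when nothing is left to copy, which is not an error here.
    if [ -f "$sek_file" ]; then
        grep -v -e "^${sek_key}=" -- "$sek_file" > "$sek_tmp" \
            || [ $? -eq 1 ] \
            || { rm -f -- "$sek_tmp"; return 1; }
    fi

    # Append the new assignment (printf is a shell builtin: no argv exposure).
    printf '%s=%s\n' "$sek_key" "$sek_value" >> "$sek_tmp"

    # Readers see either the old file or the complete new one, never a
    # half-written file; the result keeps the temp file's 0600 mode.
    mv -f -- "$sek_tmp" "$sek_file"
}
```

The new line is appended rather than written at the old line's position, and the file ends up readable by its owner only.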

The fax broker’s write delegation is a separate, tightly scoped account. See Provision a fax DID write delegation.