When we deploy Fleet Manager using a custom ARM template in Azure, we generally pass an SSH public key to it to give administrator access at the OS level, which is required for troubleshooting. Interestingly, we can push an SSH public key to nodes through an instance template. Nodes will have the SSH key if they follow a particular instance template. But adding a new SSH key to the instance template requires reprovisioning those nodes in order to have the key added to the authorized_keys file of each node.
However, my point is to avoid reprovisioning nodes just to get an SSH key added to the authorized_keys file.
Why it is needed:
Sometimes our troubleshooting is not limited to the application level, and we may need to dig a bit deeper at the OS level. To have that access, we can add an SSH public key to the instance template and get access to the nodes without reprovisioning, just like Puppet and Ansible do.
More specifically, there can be an option to create a new account with a new SSH key, which will ensure auditing later on if needed.
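
As an added example (not part of the original post and not Fleet Manager's own code), here is a sketch of the idempotent authorized_keys update this request describes, applied to a node that is already running. The function name `add_authorized_key`, the per-admin home directory argument and any sample key passed to it are assumptions made for illustration.

```shell
# Added example (not from the original post). Idempotently authorize one
# SSH public key for one account on an already provisioned node.
# Usage: add_authorized_key HOME_DIR 'type base64 [comment]'
# Assumption: run as the target account (or chown afterwards), because
# sshd's StrictModes also checks ownership of ~/.ssh.
add_authorized_key() {
    home_dir=$1
    key_line=$2
    nl='
'
    # Reject multi-line input so one call can never add more than one key.
    case $key_line in
        *"$nl"*) echo "refusing multi-line key" >&2; return 1 ;;
    esac
    # Accept only a bare key: a leading options field (command=, from=, ...)
    # fails this type check instead of being installed unreviewed.
    key_type=${key_line%% *}
    case $key_type in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) echo "unsupported key type" >&2; return 1 ;;
    esac
    rest=${key_line#* }
    [ "$rest" != "$key_line" ] || return 1      # no key body at all
    blob=${rest%% *}
    case $blob in
        ''|*[!A-Za-z0-9+/=]*) echo "malformed key body" >&2; return 1 ;;
    esac

    ssh_dir=$home_dir/.ssh
    auth_file=$ssh_dir/authorized_keys
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir" || return 1
    touch "$auth_file" && chmod 600 "$auth_file" || return 1

    # Idempotent: compare type and key body only, so a re-run or a changed
    # comment never produces a duplicate entry.
    if ! awk -v t="$key_type" -v b="$blob" \
            '$1 == t && $2 == b { found = 1 } END { exit !found }' "$auth_file"
    then
        printf '%s\n' "$key_line" >> "$auth_file"
    fi
}
```

Giving each administrator a separate account and calling the function with that account's home directory keeps one key per identity, which is what makes later auditing of logins possible.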