Skip to main content
Automated Credential Rotation enhances your security posture by automatically changing the passwords of your accounts at set intervals. This minimizes the risk of compromised credentials by ensuring that even if a password is leaked, it remains valid only for a short period.

How it Works

When rotation is enabled, Infisical’s Gateway connects to the target resource using a privileged “Rotation Account”. It then executes the necessary commands to change the password for the target user account to a new, cryptographically secure random value.

Configuration

Setting up automated rotation requires a two-step configuration: first at the Resource level, and then at the individual Account level.
1

Configure Rotation Account on Resource

A Rotation Account is a master or privileged account that has the necessary permissions to change the passwords of other users on the target system.When creating or editing a Resource, you must provide the credentials for this privileged account.Example: For a PostgreSQL database, this would typically be the postgres superuser or another role with ALTER ROLE privileges.Credential Rotation Account
2

Enable Rotation on Account

Once the resource has a rotation account configured, you can enable rotation for individual Accounts that belong to that resource.In the account settings:
  1. Toggle Enable Rotation.
  2. Set the Rotation Interval (e.g., every 7 days, 30 days). Rotate Credentials Account

Supported Resources

Automated rotation is currently supported for the following resource types:
  • PostgreSQL: Requires a user with ALTER ROLE permissions.
We are constantly adding support for more resource types.