Skip to main content
Credential Rotation automatically changes the password of a PAM account on a fixed schedule. Rotating regularly limits how long a leaked or shared password stays valid, so a credential that is exposed is only useful for a short window.

Concepts

Rotation is configured in two places that work together:
  • Account template: defines whether accounts rotate, how often, and the format of the generated password. Every account created from the template inherits these settings.
  • Account: defines which privileged account performs the rotation (the rotation account).
An account rotates only once both parts are in place: its template has rotation enabled and the account has a rotation account set.

Rotation account

The rotation account is the account whose credentials are used to connect to the target and change the password. You have three options:
  • This account (self-rotation): the account rotates its own password. Use this when the account already has permission to change its own credentials.
  • A different account (delegated): a more privileged account on the same resource performs the rotation. Use this when the target account cannot change its own password, or when you prefer a single administrative account to manage rotation.
  • None: no rotation account is set. The account will not rotate until one is chosen, even if its template has rotation enabled.
A delegated rotation account must connect to the same host and port as the account being rotated, because the password change runs over the rotation account’s own connection. In practice, both accounts point at the same database server, though they can be different users on it (for example, a privileged administrator rotating a less privileged account).

How it Works

When a rotation runs, Infisical:
  1. Generates a new password that satisfies the template’s password format.
  2. Connects to the target resource using the rotation account and applies the new password.
  3. Verifies the new password by opening a fresh connection with it.
  4. Promotes the new password to the live credential once verification succeeds. If any step fails, the existing credential is left untouched and the account’s rotation status records the error.

Configuring a Template

Template-level rotation settings are managed by a Product Admin. Go to Privileged Access Management → Account Templates and open the template used by the accounts you want to rotate. In the Credential settings section:
1

Enable rotation

Turn on Automatically rotate credentials and set the frequency: every 1 hour, 12 hours, 24 hours, 7 days, or 30 days. This frequency applies to all accounts created from the template.Leave rotation off to make the template on-demand only. Accounts still rotate when triggered manually, but never on a schedule.
2

Set the password format

Choose the length and the character classes (uppercase, lowercase, digits, symbols) for generated passwords. Pick a format that satisfies the target system’s password policy.The allowed symbols cannot include ', ", `, \, ;, or ?, because those characters would break the password-change statement run against the target.
Changing a template’s rotation settings updates the rotation schedule for every account created from it. Accounts that do not yet have a rotation account remain unscheduled until one is set.

Configuring an Account

Setting an account’s rotation account and running manual rotations require an Admin role on the account’s folder or on the account itself. Open an account that belongs to a rotation-enabled template and go to the Rotation tab. The tab shows the frequency and password format inherited from the template. To finish setup, choose a rotation account from the list of eligible accounts on the same resource. To have the account rotate its own password, select the account itself from that list (shown as this account). Leaving the rotation account as None means rotation stays unconfigured and the account will not rotate. To rotate immediately without waiting for the next scheduled run, click Rotate now. This counts as a rotation, so the schedule resets and the next automatic rotation happens one full interval later.
If an account shows that it will not rotate until it is configured, set a rotation account (or configure the account’s own credentials for self-rotation) to make it ready.

Supported Resources

Each resource type applies the password change differently and has its own requirements for the rotation account. See the resource-specific page for the exact statement, the privileges the rotation account needs, and any special cases.

PostgreSQL

Rotates a role’s password with ALTER USER.

MySQL

Rotates a user’s password with ALTER USER, including PlanetScale.

Microsoft SQL Server

Rotates a SQL Server login’s password with ALTER LOGIN.