Learn how to automatically rotate PostgreSQL/CockroachDB user passwords.
The Infisical Postgres secret rotation allows you to automatically rotate your Postgres database user’s password at a predefined interval.
user-a and user-b.
user-a and user-b. We’ll refer to this user as the admin user.
To learn more about the Postgres permission system, please visit this documentation.
admin user account.
user-a is updated with the new value.
user-b on the next rotation.
Open Secret Rotation Page
Head over to the Secret Rotation configuration page of your project by clicking on Secret Rotation in the left sidebar.
Click on the PostgreSQL card
Provide the inputs
Rotator admin username
Rotator admin password
Database host URL
Database port number
The first username of two to rotate - user-a
The second username of two to rotate - user-b
Optional database certificate to connect with database
Configure the output secret mapping
When a secret rotation is successful, the updated values need to be saved to existing key(s) in your project.
The environment where the rotated credentials should be mapped to.
The secret path where the rotated credentials should be mapped to.
The interval, in days, at which the credentials should be rotated.
Select an existing secret key where the rotated database username value should be saved to.
Select an existing secret key where the rotated database password value should be saved to.
Why can't we delete the other user when rotating?
When a system is horizontally scaled across multiple nodes, redeployment doesn’t happen instantly.
This means that when the secrets are rotated and the redeployment is triggered, the existing nodes will still be using the old credentials until the change rolls out.
To avoid causing failures on those nodes, the old credentials are not removed. Instead, in the next rotation, the previous user’s credentials are updated.
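The reasoning above, as an added example that is not Infisical's code: an in-memory model (the `DualUserRotator` class and `simulate_rollout` helper are hypothetical names, and the password store is a constructed stand-in for the database) of alternating rotation between two users. It goes one step beyond the text by also running a single-user scheme for contrast, which shows credentials from the previous rotation failing immediately.

```python
import secrets


class DualUserRotator:
    """In-memory model of rotation that alternates between database users."""

    def __init__(self, users=("user-a", "user-b")):
        # Constructed stand-in for the database's per-user password store.
        self.db_passwords = {u: secrets.token_urlsafe(24) for u in users}
        self.users = list(users)
        self.next_index = 0   # which user is rotated on the next run
        self.output = None    # (username, password) saved to the output mapping

    def authenticate(self, username, password):
        """What the database would answer for a login attempt."""
        expected = self.db_passwords.get(username)
        return expected is not None and secrets.compare_digest(expected, password)

    def rotate(self):
        """Rotate exactly one user; every other user's password is untouched."""
        user = self.users[self.next_index]
        new_password = secrets.token_urlsafe(24)
        self.db_passwords[user] = new_password   # models the admin's password update
        self.output = (user, new_password)       # models the output secret mapping
        self.next_index = (self.next_index + 1) % len(self.users)
        return self.output


def simulate_rollout(users=("user-a", "user-b"), rotations=4):
    """Per rotation: (rotated user, previous creds still valid?, older creds valid?)."""
    rotator, issued, results = DualUserRotator(users), [], []
    for _ in range(rotations):
        issued.append(rotator.rotate())
        # Nodes that have not redeployed yet still hold the previous rotation's output.
        prev_ok = rotator.authenticate(*issued[-2]) if len(issued) >= 2 else None
        # Credentials from two rotations ago belong to the user that was just rotated.
        stale_ok = rotator.authenticate(*issued[-3]) if len(issued) >= 3 else None
        results.append((issued[-1][0], prev_ok, stale_ok))
    return results


if __name__ == "__main__":
    for row in simulate_rollout():
        print("two users:", row)
    for row in simulate_rollout(users=("user-a",), rotations=2):
        print("one user: ", row)
```

With two users, a node has one full rotation interval to pick up the new credentials before its old ones stop working, so the interval should be longer than the slowest redeployment.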
Why do you need a root user account?
The admin account is used by Infisical to update the credentials for user-a and user-b.
You don’t need to grant all permissions to your admin account, only the permissions to update both users’ passwords.