Credential Rotation

Automatic credential rotation for all your infrastructure. Eliminate static credentials and reduce breach impact with zero-downtime rotation.

Estimated time: 20 minutes

What Can Be Rotated

Database passwords
API keys
SSH keys
TLS certificates
Cloud IAM credentials
Service accounts
Kubernetes secrets
LDAP/AD passwords

Configuration Steps

Step 1: Configure Rotation Policy

Define rotation schedules for different credential types.

tacctl create -f - <<EOF
kind: rotation_policy
metadata:
  name: database-credentials
spec:
  target:
    type: database
    labels:
      env: production

  schedule:
    interval: 24h
    window:
      start: "02:00"
      end: "04:00"

  rotation:
    pre_rotation_hook: /scripts/prepare-rotation.sh
    post_rotation_hook: /scripts/verify-rotation.sh
EOF

Step 2: Register Credential Sources

Configure databases and services for rotation.

tacctl create -f - <<EOF
kind: rotatable_credential
metadata:
  name: prod-postgres
spec:
  type: database_password
  database:
    name: prod-postgres
    admin_user: rotation-admin

  rotation:
    method: dual-password
    verification:
      query: "SELECT 1"
      timeout: 10s
EOF

Step 3: Configure Emergency Rotation

Set up instant rotation for compromised credentials.

tacctl create -f - <<EOF
kind: emergency_rotation
metadata:
  name: incident-response
spec:
  triggers:
    - type: manual
      authorized_roles: [security-team]
    - type: alert
      source: siem
      severity: critical

  actions:
    - rotate_all_credentials: true
    - revoke_sessions: true
    - notify:
        - channel: "#security-incidents"
        - pagerduty: true
EOF

Step 4: Monitor Rotation Status

Track rotation health and history.

# View rotation status
tac rotation status

# View rotation history
tac rotation history --credential=prod-postgres

# Trigger manual rotation
tac rotation trigger prod-postgres --reason="scheduled maintenance"

# Verify credential health
tac rotation verify prod-postgres
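The dual-password method selected in step 2, with the verification query from the same config, as an added example that is not part of tacctl or this guide. The in-memory database below is constructed for the example: it accepts two passwords for a user at once, so the new secret is installed, checked with the verification query, and only then is the old one retired; a failed check rolls back and leaves the old credential valid.

```python
# Added example: dual-password rotation flow (not tacctl code).
# MockDatabase is a constructed stand-in for a database that allows two
# active passwords per user, which is what makes the handover zero-downtime.
from dataclasses import dataclass, field
import secrets


@dataclass
class MockDatabase:
    passwords: dict = field(default_factory=dict)  # user -> set of accepted passwords
    healthy: bool = True                           # flip to False to simulate a failed verification

    def authenticate(self, user, password):
        return password in self.passwords.get(user, set())

    def add_password(self, user, password):
        self.passwords.setdefault(user, set()).add(password)

    def drop_password(self, user, password):
        self.passwords[user].discard(password)

    def run_query(self, user, password, query):
        # The verification query only succeeds with an accepted credential on a healthy database.
        return self.healthy and self.authenticate(user, password) and query == "SELECT 1"


def rotate_dual_password(db, user, current, verify_query="SELECT 1", history=None):
    """Rotate `user`'s password without a window in which no credential works.

    Returns (active_password, rotated). `history` collects audit events, mirroring
    the rotation history shown in step 4.
    """
    events = history if history is not None else []
    new = secrets.token_urlsafe(32)
    db.add_password(user, new)            # both old and new are accepted from here on
    events.append("new_password_installed")
    if not db.run_query(user, new, verify_query):
        db.drop_password(user, new)       # verification failed: roll back, old credential untouched
        events.append("verification_failed_rolled_back")
        return current, False
    events.append("verification_succeeded")
    db.drop_password(user, current)       # verified: retire the old credential
    events.append("old_password_retired")
    return new, True
```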

Credential Rotation Enabled

With credential rotation configured, you have:

  • Automatic scheduled rotation with zero downtime
  • Emergency rotation for incident response
  • Complete audit trail of all rotations
  • Reduced breach impact from credential theft