Credential Rotation

docs/documentation/platform/pam/product-reference/credential-rotation.mdx

Automated Credential Rotation enhances your security posture by automatically changing the passwords of your accounts at set intervals. This minimizes the risk of compromised credentials by ensuring that even if a password is leaked, it remains valid only for a short period.

How it Works

When rotation is enabled, Infisical's Gateway connects to the target resource using a privileged "Rotation Account". It then executes the necessary commands to change the password for the target user account to a new, cryptographically secure random value.
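As an added illustration (not Infisical's Gateway implementation), the two steps a PostgreSQL rotation performs: mint a cryptographically secure random password, then issue the `ALTER ROLE` statement the Rotation Account executes. The role name `app_user` and the `execute` callable are assumptions standing in for a live database cursor.

```python
import secrets
import string

# Constructed example: the rotation flow for a PostgreSQL account, written
# here to show the mechanics; it is not Infisical's own code.
ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@^_~"


def generate_password(length: int = 32) -> str:
    """Cryptographically secure random password built with the `secrets` module."""
    if length < 16:
        raise ValueError("rotated passwords should be at least 16 characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def quote_ident(name: str) -> str:
    """Quote a PostgreSQL identifier: double quotes, embedded quotes doubled."""
    return '"' + name.replace('"', '""') + '"'


def quote_literal(value: str) -> str:
    """Quote a PostgreSQL string literal: single quotes, embedded quotes doubled."""
    return "'" + value.replace("'", "''") + "'"


def build_rotation_statement(target_role: str, new_password: str) -> str:
    """SQL the privileged Rotation Account runs to set the target role's password."""
    return (
        f"ALTER ROLE {quote_ident(target_role)} "
        f"WITH PASSWORD {quote_literal(new_password)};"
    )


def rotate(target_role: str, execute) -> str:
    """Mint a new password, apply it via `execute` (e.g. cursor.execute), and
    return it so the caller can store it in the vault."""
    new_password = generate_password()
    execute(build_rotation_statement(target_role, new_password))
    return new_password


if __name__ == "__main__":
    # Stand-in for a database cursor: record the statement instead of sending it.
    executed = []
    pw = rotate("app_user", executed.append)
    print(executed[0].replace(pw, "<redacted>"))
```

A non-superuser Rotation Account needs CREATEROLE (and, from PostgreSQL 16, ADMIN OPTION on the target role) for this statement to succeed. The statement carries the plaintext password, so keep `log_statement` from recording DDL on the target server.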

Configuration

Setting up automated rotation requires a two-step configuration: first at the Resource level, and then at the individual Account level.

<Steps>
<Step title="Configure Rotation Account on Resource">
A **Rotation Account** is a master or privileged account that has the necessary permissions to change the passwords of other users on the target system.
When creating or editing a [Resource](/documentation/platform/pam/getting-started/resources), you must provide the credentials for this privileged account.

*Example: For a PostgreSQL database, this would typically be the `postgres` superuser or another role with `ALTER ROLE` privileges.*

![Credential Rotation Account](/images/pam/getting-started/resources/credential-rotation-account.png)
</Step>
<Step title="Enable Rotation on Account">
Once the resource has a rotation account configured, you can enable rotation for individual [Accounts](/documentation/platform/pam/getting-started/accounts) that belong to that resource.
In the account settings:
1. Toggle **Enable Rotation**.
2. Set the **Rotation Interval** (e.g., every 7 days, 30 days).

![Rotate Credentials Account](/images/pam/getting-started/resources/rotate-credentials-account.png)
</Step>
</Steps>

Supported Resources

Automated rotation is currently supported for the following resource types:

  • PostgreSQL: Requires a user with ALTER ROLE permissions.

<Note>
We are constantly adding support for more resource types.
</Note>