PostgreSQL/CockroachDB
Learn how to automatically rotate PostgreSQL/CockroachDB user passwords.
The Infisical Postgres secret rotation allows you to automatically rotate your Postgres database user’s password at a predefined interval.
Prerequisite
- Create two users with the required permission in your PostgreSQL instance. We’ll refer to them as
user-a
anduser-b
. - Create another PostgreSQL user with just the permission to update the passwords of
user-a
anduser-b
. We’ll refer to this user as theadmin
user.
To learn more about Postgres permission system, please visit this documentation.
How it works
- Infisical connects to your database using the provided
admin
user account. - A random value is generated and the password for
user-a
is updated with the new value. - The new password is then tested by logging into the database
- If test is success, it’s saved to the output secret mappings so that rest of the system gets the newly rotated value(s).
- The process is then repeated for
user-b
on the next rotation. - The cycle repeats until secret rotation is deleted/stopped.
Rotation Configuration
Open Secret Rotation Page
Head over to Secret Rotation configuration page of your project by clicking on Secret Rotation
in the left side bar
Click on PostgresSQL card
Provide the inputs
Rotator admin username
Rotator admin password
Database host url
Database port number
The first username of two to rotate - user-a
The second username of two to rotate - user-b
Optional database certificate to connect with database
Configure the output secret mapping
When a secret rotation is successful, the updated values needs to be saved to an existing key(s) in your project.
The environment where the rotated credentials should be mapped to.
The secret path where the rotated credentials should be mapped to.
What interval should the credentials be rotated in days.
Select an existing secret key where the rotated database username value should be saved to.
Select an existing select key where the rotated database password value should be saved to.