Database Secret Rotation Without Downtime
Static database credentials get reused, leaked, and forgotten. Rotation is the discipline that bounds the damage; the four-step pattern below is what makes it operationally feasible without a maintenance window.
Why rotation is rare
Apps connect with hardcoded credentials, so rotating one means a coordinated change on both the app and the database side, usually with a maintenance window.
Without automation that coordination is painful, so the discipline fades and credentials outlive the people who created them.
Four-step pattern
- 1. Create the new credential alongside the old one, with the same grants. Both are valid from here on.
- 2. Move the app to the new credential: update config, then rolling restart so no instance is ever without a working credential.
- 3. Verify the cutover: every instance authenticates as the new principal and the old principal shows zero sessions (pg_stat_activity, SHOW PROCESSLIST, or the cloud audit log).
- 4. Disable the old credential (lock or NOLOGIN, not drop) so a rollback is one statement away; delete it after a grace period.
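The four steps as one driver script for a PostgreSQL application login, with the verification gate between steps 3 and 4 enforced in code. This is an added example, not code from the page. It assumes a NOLOGIN group role (here app_rw) already holds the table grants and each credential generation is a LOGIN role made a member of that group, so rotation never repeats GRANTs; the db object is any psycopg2-style connection exposing execute(sql, params) and query(sql, params) -> rows, and FakeDB is a constructed in-memory stand-in so the file runs offline.

```python
"""Four-step DB credential rotation for PostgreSQL, fail-closed on verification.

Assumptions (not from the page): app_rw is an existing NOLOGIN group role that
owns the grants; old/new credentials are LOGIN roles that are members of it.
"""
import secrets
import string

GROUP_ROLE = "app_rw"  # assumed name of the privilege-holding group role
_ALPHABET = string.ascii_letters + string.digits


class RotationError(RuntimeError):
    """A precondition failed; nothing destructive has been executed."""


def new_password(length=32):
    return "".join(secrets.choice(_ALPHABET) for _ in range(length))


def quote_ident(name):
    # Role names are operator-chosen, but refuse anything that would need
    # escaping rather than interpolating it into DDL.
    if not name or not name.replace("_", "").isalnum():
        raise ValueError(f"unsafe identifier: {name!r}")
    return f'"{name}"'


class Rotator:
    def __init__(self, db, group_role=GROUP_ROLE):
        self.db = db
        self.group_role = group_role

    def sessions_for(self, user):
        rows = self.db.query(
            "SELECT count(*) FROM pg_stat_activity WHERE usename = %s", (user,))
        return rows[0][0]

    # Step 1: new credential, valid alongside the old one.
    def create_credential(self, new_user):
        password = new_password()
        # %s is a psycopg2-style client-side placeholder; drivers that bind
        # server-side cannot parameterize DDL and need the driver's literal quoting.
        self.db.execute(
            f"CREATE ROLE {quote_ident(new_user)} LOGIN PASSWORD %s", (password,))
        self.db.execute(
            f"GRANT {quote_ident(self.group_role)} TO {quote_ident(new_user)}")
        return password

    # Step 3: check both directions; either failure aborts before step 4.
    def verify_cutover(self, old_user, new_user):
        if self.sessions_for(new_user) == 0:
            raise RotationError(f"no sessions authenticate as {new_user}; deploy did not take")
        stragglers = self.sessions_for(old_user)
        if stragglers:
            raise RotationError(f"{old_user} still has {stragglers} session(s); not disabling")

    # Step 4: disable, not drop. NOLOGIN blocks new authentications but keeps
    # the role, so rollback is one ALTER away; DROP after the grace period.
    def disable_credential(self, old_user):
        self.db.execute(f"ALTER ROLE {quote_ident(old_user)} NOLOGIN")

    def rotate(self, old_user, new_user, deploy):
        password = self.create_credential(new_user)
        deploy(new_user, password)  # Step 2: config update + rolling restart
        self.verify_cutover(old_user, new_user)
        self.disable_credential(old_user)
        return new_user


class FakeDB:
    """Constructed stand-in: records DDL and answers pg_stat_activity counts."""

    def __init__(self, sessions):
        self.sessions = dict(sessions)  # usename -> active session count
        self.statements = []

    def execute(self, sql, params=()):
        self.statements.append(sql)

    def query(self, sql, params=()):
        return [(self.sessions.get(params[0], 0),)]


def run_rotation(straggler_instances):
    """Rotate a 3-instance fleet where `straggler_instances` never restart.
    Returns (outcome, executed SQL)."""
    db = FakeDB({"app_v1": 3})

    def deploy(user, password):
        # Rolling restart: instances that restart reconnect as the new role.
        db.sessions[user] = 3 - straggler_instances
        db.sessions["app_v1"] = straggler_instances

    try:
        Rotator(db).rotate("app_v1", "app_v2", deploy)
        return "rotated", db.statements
    except RotationError as exc:
        return f"aborted: {exc}", db.statements


if __name__ == "__main__":
    for n in (0, 1):
        outcome, sql = run_rotation(n)
        print(outcome, sql)
```

With one straggler the script stops after steps 1 and 2, leaving both credentials valid: the fleet keeps working and the operator fixes the instance before retrying, instead of discovering the straggler as an outage.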
Automation
Vault dynamic secrets: each app instance reads a short-lived credential from the database secrets engine; the lease TTL is the rotation cadence and lease expiry is the disable step, so steps 1 and 4 run continuously without a human.
Workload identity: no static credentials at all. The app authenticates to the database with a token minted from its cloud or cluster identity (for example IAM database authentication), so there is nothing to rotate and nothing to leak.
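The app side of dynamic secrets is where downtime actually happens: a leased credential stops working when the lease expires, so the app must fetch the next one early and keep the old pool until the new one is live. The following is an added example, not code from the page or from Vault; FakeVault, Pool and the explicit clock are constructed stand-ins so it runs offline, and in production read_creds would be a read of database/creds/<role> against a Vault server.

```python
"""Consumer of leased database credentials: refresh early, overlap, then revoke.

FakeVault, Pool and the `now` clock are constructed for this example.
"""
import itertools


class FakeVault:
    """Every read issues a new login with a lease of fixed TTL (seconds)."""

    def __init__(self, ttl_seconds):
        self.ttl = ttl_seconds
        self._seq = itertools.count(1)
        self.revoked = []

    def read_creds(self, now):
        n = next(self._seq)
        return {
            "username": f"v-app-{n:04d}",
            "password": f"generated-{n}",
            "lease_id": f"database/creds/app/{n}",
            "expires_at": now + self.ttl,
        }

    def revoke(self, lease_id):
        self.revoked.append(lease_id)


class Pool:
    """Stand-in for a connection pool; a real one would validate with SELECT 1."""

    def __init__(self, creds):
        self.creds = creds
        self.healthy = bool(creds["password"])


class LeasedCredentialSource:
    def __init__(self, vault, now, refresh_fraction=0.8):
        # Refresh at 80% of the TTL: margin for Vault being slow or unreachable
        # before the database stops accepting the current login.
        self.vault = vault
        self.refresh_fraction = refresh_fraction
        self.pool = None
        self.issued_at = None
        self.swaps = 0
        self._rotate(now)

    def _rotate(self, now):
        new_pool = Pool(self.vault.read_creds(now))
        if not new_pool.healthy:
            # Keep serving from the current pool; its lease is still valid.
            raise RuntimeError("new credential unusable, keeping current pool")
        old_pool, self.pool, self.issued_at = self.pool, new_pool, now
        if old_pool is not None:
            # Old lease revoked only after the new pool is live: the same
            # create -> switch -> verify -> disable order as manual rotation.
            self.vault.revoke(old_pool.creds["lease_id"])
            self.swaps += 1

    def pool_at(self, now):
        """Pool to use at time `now`; rotates if the refresh point has passed."""
        ttl = self.pool.creds["expires_at"] - self.issued_at
        if now >= self.issued_at + self.refresh_fraction * ttl:
            self._rotate(now)
        return self.pool

    def username_at(self, now):
        return self.pool_at(now).creds["username"]


def demo():
    """Walk a 1-hour lease through two refreshes; returns (usernames, revoked)."""
    vault = FakeVault(ttl_seconds=3600)
    src = LeasedCredentialSource(vault, now=0)
    names = [src.username_at(t) for t in (0, 1800, 2880, 3600, 5760)]
    return names, vault.revoked


if __name__ == "__main__":
    print(demo())
```

The lease log (here the revoked list) is the audit trail: each entry records a credential that existed only as long as its TTL.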
Compliance driver
SOC 2: auditors expect a documented, evidenced rotation cadence for privileged and service credentials. 90 days is the usual policy choice, not a number the Trust Services Criteria themselves prescribe.
Modern: dynamic, short-lived credentials make the cadence question moot. The TTL is the cadence, and the lease log is the evidence.
Antipatterns
- Static creds for years. Ownership drifts, copies accumulate in configs and tickets, and a leak is indistinguishable from normal use.
- Manual rotation under pressure (typically after an incident). Done as a hard swap instead of an overlap, it causes downtime.
- Rotation without verification. Disabling the old credential before every instance has moved kills the stragglers: they fail on their next reconnect, or immediately if the role is dropped.
What to do this week
Three moves. (1) Apply the four-step pattern to the credential that has gone longest without rotation. (2) Measure the rotation: wall-clock time from step 1 to step 4, and authentication failures logged during the window (the target is zero). (3) Document the win and the constraint so the next rotation, or the move to dynamic secrets, inherits the knowledge.