Database Secret Rotation Without Downtime
Static database credentials get reused, leaked, and forgotten. Rotation is the discipline; the four-step pattern makes it operationally feasible.
Why rotation is rare
Most teams know rotation matters and still skip it. The reason is not laziness; every rotation requires coordinated app and DB changes.
- Hardcoded creds. Apps connect with credentials baked into config; rotating breaks the connection until the config is updated.
- Coordination cost. Each rotation is an app config push plus a DB credential update; a failed step disconnects the service.
- Discipline fades. Without automation, rotation slips by a quarter, then a year, then 'never'; the credential ages indefinitely.
- Audit pressure. Compliance auditors find non-rotated credentials immediately; the finding shows up every cycle.
Four-step pattern
1. Create new credential.
2. App reads new credential (config update; rolling restart).
3. Verify new credential is being used.
4. Disable old credential.
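As an added example (not from the page), the four steps as they look on PostgreSQL, assuming the app's privileges sit on a NOLOGIN group role `app_rw` and that login roles are disposable; the role names `app_2025q4`/`app_2026q1`, the date and the password placeholder are illustrative.

```sql
-- Step 1: create the replacement login role and give it the same rights
-- through the shared NOLOGIN group role (assumed layout: privileges live on
-- app_rw, login roles come and go). The real password is injected from the
-- secret store; the literal below is a placeholder, never a value to ship.
CREATE ROLE app_2026q1 LOGIN PASSWORD 'PLACEHOLDER-from-secret-store'
  VALID UNTIL '2026-04-01';          -- bound the credential's life up front
GRANT app_rw TO app_2026q1;

-- Step 2 happens outside the database: publish the new secret to the app's
-- config and roll-restart it. Both roles stay valid during the overlap.

-- Step 3: verify the app has actually moved. Re-run until the old role shows
-- zero sessions and the new role shows the expected pool size.
SELECT usename, count(*) AS sessions, max(backend_start) AS newest_session
FROM pg_stat_activity
WHERE usename IN ('app_2025q4', 'app_2026q1')
GROUP BY usename;

-- Step 4: only after step 3 passes. NOLOGIN blocks new connections but keeps
-- the role (and anything it owns) in place for a grace window.
ALTER ROLE app_2025q4 NOLOGIN;

-- Any session still open under the old role is a stray or a forgotten
-- consumer; terminating it is exactly the "disconnects active connections"
-- failure from the Antipatterns section, so it stays behind the check above.
SELECT pg_terminate_backend(pid)
FROM pg_stat_activity
WHERE usename = 'app_2025q4';

-- After the grace window, once the server log shows no failed logins for the
-- old role (reassign first if it owns anything, then drop):
-- REASSIGN OWNED BY app_2025q4 TO app_rw;
-- DROP ROLE app_2025q4;
```

Failed-login entries for `app_2025q4` after step 4 are the detection signal for a consumer that never picked up the new secret.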
Automation
Manual rotation is brittle. Two automation paths solve the discipline problem and one of them eliminates static credentials entirely.
- Vault dynamic secrets. Vault generates short-lived credentials on demand; the app pulls a fresh one each time.
- Workload identity. No static credentials at all; the app authenticates via cloud workload identity (IAM, Workload Identity Federation).
- Database support. AWS RDS, Cloud SQL, and Azure SQL all support IAM-based auth in 2026; check your engine version.
- Migration path. Add dynamic secrets while static creds still work; flip to dynamic once verified; remove static last.
Compliance driver
Compliance is the most common reason rotation finally lands. SOC 2, PCI, ISO 27001 all expect a documented rotation cadence.
- SOC 2. Rotation cadence required, typically 90 days for production credentials.
- PCI DSS. 90-day rotation for credentials with access to cardholder data.
- Evidence trail. Auditors expect a log of rotation events; without automation the log is fabricated quarterly.
- Modern out. Dynamic secrets eliminate the rotation question entirely; the credential lifetime is shorter than the audit window.
Antipatterns
- Static creds for years. Drift; leakage risk.
- Manual rotation under pressure. Downtime.
- Rotation without verification. Step 4 then disconnects whatever is still using the old credential.
What to do this week
Three moves. (1) Apply this pattern to your most-loaded table. (2) Measure query latency / write throughput before/after. (3) Document the win and the constraint so the next refactor inherits the knowledge.