Whether due to a credential leak or the adoption of security best practices, you may need to rotate the credentials for some or all of your database roles and users. This document covers how to rotate your credentials and answers some common questions.
To rotate the credentials via the Web UI, first navigate to the Team page. Next, select the cluster whose credentials need rotating. Click on the arrow next to the Settings tab in the lefthand sidebar and click on Roles to view a list of all the roles for this cluster.
Click on "rotate password" next to any role to rotate its credentials.
After installing the Crunchy Bridge CLI, you can run the following command to rotate your credentials. Note: You will need to substitute the placeholders below with values that apply to your needs:
cb role update --rotate-password true --cluster $CLUSTER --name $ROLE
Will the rotation take place immediately?
- Credential rotation will happen immediately. Connection attempts that use the old password will be rejected and only the new password will be allowed.
How will existing connections be impacted?
- Live connections that were established prior to the credential rotation will not be dropped. Therefore, if you are concerned about unauthorized access, you should also drop all connections after rotating the credentials.
Is there any way to have two passwords that work at the same time?
- There is no way for a single role/user to support multiple passwords.
How will it impact PgBouncer?
- PgBouncer connections will behave similarly to Postgres direct connections. Previously established connections will remain and all new connections must use the updated password.
Are there any instances during which we might change or rotate the postgres user's credentials automatically?
- Crunchy Bridge may rotate passwords for those roles which are managed by our platform with little or no warning in order to protect customer data.