Rotate a credential
Credentials stored in VaultPAM can be rotated manually or automatically. After rotation, existing in-flight sessions continue on the old credential until they end; new sessions receive the new one.
Manual rotation
- Open Vault → Accounts (or open the Safe and click its credential name).
- Click Rotate now.
- Pick a rotation method:
  - New random password — VaultPAM generates one and updates the target (requires a rotation plugin configured for the target type).
  - Upload new value — you paste the new password/key; VaultPAM encrypts and stores it. The target must be updated out-of-band.
- Click Confirm. An audit event is emitted.
Automatic rotation
- In Vault → Accounts, open the account and switch to Rotation policy.
- Set the cadence (e.g., every 30 days) and the rotation method.
- VaultPAM will rotate on schedule. Alerts fire if a rotation fails.
JIT rotation (no stored password)
For targets that support it (Linux SSH, Postgres, MySQL, etc.), enable Just-in-Time credentials: VaultPAM asks OpenBao to mint a short-lived password at session launch and revokes it on session end. No long-lived password exists.
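
The mint-at-launch, revoke-at-end lifecycle described above, shown against OpenBao's database secrets engine HTTP API. This is an added example, not VaultPAM's own code: the `database/` mount path, the `pg-readonly` role, the function names and the in-memory `FakeBao` stand-in are assumptions made for illustration.

```python
import json
import urllib.request

def bao_request(addr, token, method, path, body=None):
    """Real transport: one OpenBao HTTP API call, returns decoded JSON."""
    req = urllib.request.Request(
        f"{addr}/v1/{path}", method=method,
        data=json.dumps(body).encode() if body is not None else None,
        headers={"X-Vault-Token": token})
    with urllib.request.urlopen(req, timeout=10) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}

def jit_session(role, run_session, request):
    """Mint a dynamic credential, run the session, always revoke the lease.
    request(method, path, body) is the transport, e.g. a partial of bao_request."""
    # Mint: the database secrets engine creates a fresh DB user with a TTL.
    lease = request("GET", f"database/creds/{role}", None)
    creds = lease["data"]
    try:
        return run_session(creds["username"], creds["password"])
    finally:
        # Revoke at session end, also when the session raises; the lease TTL
        # is the backstop if this revoke call itself fails.
        request("PUT", "sys/leases/revoke", {"lease_id": lease["lease_id"]})

class FakeBao:
    """Constructed in-memory stand-in for OpenBao so the example runs offline."""
    def __init__(self):
        self.active, self.count = {}, 0  # live lease_id -> username
    def request(self, method, path, body):
        if method == "GET" and path.startswith("database/creds/"):
            self.count += 1
            lease_id, user = f"{path}/lease-{self.count}", f"v-jit-{self.count}"
            self.active[lease_id] = user
            return {"lease_id": lease_id, "lease_duration": 900,
                    "data": {"username": user, "password": f"constructed-{self.count}"}}
        if method == "PUT" and path == "sys/leases/revoke":
            self.active.pop(body["lease_id"], None)
            return {}
        raise ValueError(f"unexpected call: {method} {path}")

if __name__ == "__main__":
    bao = FakeBao()
    print(jit_session("pg-readonly", lambda u, p: f"connected as {u}", bao.request))
    print("leases still active:", bao.active)
```

Against a real OpenBao server, pass `functools.partial(bao_request, addr, token)` as `request`.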