How does database root password rotation work?

I’m a bit confused.
I would like to understand how to use the Rotate Root Credentials for a database.
I create a connection to a database with a specific user ‘vault’@‘’.
The documentation is a little bit confusing: in this documentation (Database - Secrets Engines - HTTP API | Vault by HashiCorp) I read “This will change the password of the user configured in this step” but in the other documentation (Database - Secrets Engines - HTTP API | Vault by HashiCorp) I read “This endpoint is used to rotate the “root” user credentials stored for the database connection”.
When I rotate the root password, does it change the “root” account password or the “vault” account?

Furthermore, is it possible to specify a host rather than “%” in my account declaration and work with the root password rotation?

Thanks in advance

The “root” account in this context refers to the account you configure in Vault to manage other database credentials. If you happen to have an account actually named “root” but are not configuring it within Vault to manage other accounts, then that account is left alone (unless you create a static role for the account called “root” in the db).

In this specific example, the root account is called “vault” and when you call the rotate-root endpoint the credentials for the account called “vault” will be rotated.

I’m not a database expert so I’m not really sure about the “%” question but I think you could. The creation statements are used to generate accounts in the database (basically Vault connects to the DB with the root (“vault”) account then issues that command). You can restrict it as much as necessary, just be careful that you don’t lock Vault out of the DB by restricting the hosts too much (it’s probably a good idea to have a break glass account just in case Vault gets locked out of the DB somehow so you can recover the connection).

I think you’re confusing static roles and dynamic roles. Static roles will auto-rotate the password: Database - Secrets Engines - HTTP API | Vault by HashiCorp

When using a dynamic secret, the password is not changed immediately for the owner of the connection. Database - Secrets Engines - HTTP API | Vault by HashiCorp

They do give you a method of rotating this secret (it’s optional but highly recommended): Database - Secrets Engines - HTTP API | Vault by HashiCorp. It says “root” but what they mean is the user that owns the connection. So in your case, in the example above, it would be the ‘vault’ account’s password that is rotated.

Yes, you can be as restrictive as you like in the login requirements.

For example, in MySQL “%” is a wildcard (any), which tells MySQL who is allowed to log in to this account. You can lock this down to the list of the Vault IPs (subnet). Just keep in mind that the request can come from “ANY” of the Vault nodes, not just the leader node.

Thanks for your answers, here is more information:

  • Vault version: 1.8.3
  • one Vault node mode
  • question is about database connection creation, not a role

I made some tests and set up 2 accounts on my database: vault@% and both with full privileges and grant option.
I created a new database connection on Vault, setting the user as “vault” and enabling rotation during the creation.
Unfortunately, it performs a password update on the account vault@% and not
Is there a way to specify to Vault that I want it to use the account rather than the wildcard account?

After that, if I try to rotate the password, I am not allowed to do so (access denied), even if the account has full privileges on all databases.
I don’t really know where the problem is; maybe when Vault updates the password during the creation of the database, it doesn’t keep it. Any ideas?


Your is probably not working as you expect. At the “connection” creation, the connection is tested; authentication is actually not validated until there is a request to rotate or generate a new dynamic user.
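
The host-matching question raised in this thread, as an added MySQL example that is not part of any post: it shows that a wildcard account and a host-restricted account with the same name are separate rows, how to check which row a session actually matched, and that a password change only touches the row it names. The `10.0.0.%` subnet, the `breakglass` account and the `REPLACE_ME` passwords are constructed placeholders.

```sql
-- Constructed values: the 10.0.0.% subnet, the 'breakglass' account name and
-- the REPLACE_ME passwords are placeholders, not values from the thread.

-- 1. Host-restricted account for Vault. MySQL treats 'vault'@'%' and
--    'vault'@'10.0.0.%' as two separate accounts, each with its own password.
CREATE USER 'vault'@'10.0.0.%' IDENTIFIED BY 'REPLACE_ME';
GRANT ALL PRIVILEGES ON *.* TO 'vault'@'10.0.0.%' WITH GRANT OPTION;

-- 2. Break-glass account that Vault never manages, so the connection can be
--    repaired if the Vault-managed password or host restriction locks Vault out.
CREATE USER 'breakglass'@'localhost' IDENTIFIED BY 'REPLACE_ME';
GRANT ALL PRIVILEGES ON *.* TO 'breakglass'@'localhost' WITH GRANT OPTION;

-- 3. List every account row that shares the user name. Two rows here means
--    two independent passwords.
SELECT user, host FROM mysql.user WHERE user = 'vault';

-- 4. Run from a session opened with the credentials Vault uses.
--    USER() is what the client claimed; CURRENT_USER() is the account row the
--    server matched. MySQL prefers the most specific host, so a client in
--    10.0.0.0/24 matches 'vault'@'10.0.0.%' even when 'vault'@'%' exists.
SELECT USER() AS client_identity, CURRENT_USER() AS matched_account;

-- 5. A password change applies only to the row it names. If a rotation
--    changes 'vault'@'%' while logins match 'vault'@'10.0.0.%', the password
--    stored by the rotating party no longer matches the row used at login,
--    and the next connection is refused with "access denied".
ALTER USER 'vault'@'10.0.0.%' IDENTIFIED BY 'REPLACE_ME_NEW';

-- 6. After any rotation, confirm which row changed by comparing timestamps.
SELECT user, host, password_last_changed
FROM mysql.user
WHERE user = 'vault';
```

The database config endpoint also accepts a `root_rotation_statements` parameter for supplying a custom rotation statement; a statement that names the host-restricted row, as in step 5, is the shape it would need.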