Rotating DB User Creds with Root User


We are exploring the possibility of using Vault for rotating DB Creds.

We cannot create a root user who has permission to rotate other user creds.

Is there a way we can rotate user passwords without a root user?

I thought of this solution, but I'm not sure whether it works:

  1. Create a connection string for each user using the command below and provide the user's creds:

     vault write database/config/

  2. Create a separate StaticRole for each user

  3. Whenever the password needs to be changed, call Vault's read/creds API and fetch the current password

  4. Change the password using the manual rotate API

  5. Fetch the updated password using the read/creds API

  6. Finally, update the config with the new password

Not having permission isn’t a show stopper, you will see errors in the vault’s server log saying that it can’t rotate the password, but they can be ignored.

That said, you really can’t use the dynamic secret engine to rotate your passwords as you cannot get the new rotated password out. It’s a one way vault-owner at that point.

First - The role doesn’t need permission to rotate anyone else’s credentials, just its own. All other users are dynamically created, then deleted when their TTL runs out.

Second - you create a user in your database that can create other users (and rotate its own password). Vault then logs in as that user and rotates its password; now if you need access, you ask vault to create a temp user for you. Every X time, vault rotates the password for that main vault-owned user. There is no mechanism inside of vault to get the password back out. If you want to know the password you have to set it yourself in the database.
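The setup the answer above describes, written out as an added example (not code from this thread or from Vault's own documentation); it assumes a PostgreSQL database, a Vault-owned DB user named vault_admin, and connection, role and host names that are placeholders constructed for illustration:

```shell
#!/bin/sh
# Added example for this thread, not code from the original posts or from Vault.
# Assumes: vault CLI logged in (VAULT_ADDR/VAULT_TOKEN set), the database
# secrets engine enabled at database/, a reachable PostgreSQL server, and a
# constructed Vault-owned DB user "vault_admin" that may CREATE ROLE and ALTER
# its own password. Connection, role and host names are placeholders.
set -eu

DB_CONN="${DB_CONN:-pg-app}"                 # name under database/config/
VAULT_DB_USER="${VAULT_DB_USER:-vault_admin}"
PG_HOST="${PG_HOST:-db.example.internal}"

# Register the Vault-owned user, then rotate its password once with rotate-root.
# After this call only Vault knows that password; there is no API to read it
# back, which is the point the answer above makes.
configure_connection() {
  vault write "database/config/${DB_CONN}" \
    plugin_name=postgresql-database-plugin \
    allowed_roles="app-dynamic,app-static" \
    connection_url="postgresql://{{username}}:{{password}}@${PG_HOST}:5432/app?sslmode=require" \
    username="${VAULT_DB_USER}" \
    password="${1:?initial password of ${VAULT_DB_USER}}"
  vault write -f "database/rotate-root/${DB_CONN}"
}

# Dynamic role: each read of database/creds/app-dynamic creates a fresh
# short-lived user; Vault drops it when the lease expires, so nothing to rotate.
create_dynamic_role() {
  vault write database/roles/app-dynamic \
    db_name="${DB_CONN}" default_ttl=1h max_ttl=24h \
    creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";"
}

# Static role: a pre-existing user (here "app_user", constructed) whose password
# Vault rotates every rotation_period seconds and serves from
# database/static-creds/app-static. The Vault-owned user only needs to be
# allowed to ALTER ROLE this one user, not superuser rights.
create_static_role() {
  vault write database/static-roles/app-static \
    db_name="${DB_CONN}" username=app_user rotation_period=86400
}

# Run only when invoked as a script with the initial password as $1.
if [ "${RUN_VAULT_SETUP:-0}" = 1 ]; then
  configure_connection "$1"
  create_dynamic_role
  create_static_role
fi
```

Run it as `RUN_VAULT_SETUP=1 sh setup.sh '<initial password>'`; afterwards `vault read database/creds/app-dynamic` hands out a temporary user and `vault read database/static-creds/app-static` returns the current password of app_user.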

Thanks Aram. This is very helpful