# PostgreSQL Credentials Rotation

> Learn how to automatically rotate PostgreSQL credentials.

<Note>
  **Rotation Type: Dual-Phase**

  This rotation maintains two active credential sets with overlapping validity, ensuring zero downtime during rotation cycles.
</Note>
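
The overlap described in the note above, as an added example (not Infisical's code): a simplified Python model that assumes each rotation resets the inactive user's password and then switches the active index, in the spirit of the `activeIndex` field in the API response. The class, method and function names are hypothetical, and the passwords are constructed sample values.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class DualPhaseRotation:
    """Toy model (assumption) of dual-phase rotation over two pre-created users."""
    usernames: tuple                                  # the two designated database users
    passwords: dict = field(default_factory=dict)     # stands in for the database's stored passwords
    active_index: int = 0

    def __post_init__(self):
        # Simplification: both users start with a generated password; index 0 is active.
        for name in self.usernames:
            self.passwords[name] = secrets.token_urlsafe(24)

    def active_credentials(self):
        """What the mapped username/password secrets would currently resolve to."""
        name = self.usernames[self.active_index]
        return name, self.passwords[name]

    def rotate(self):
        """Reset the inactive user's password, then make that user the active one."""
        inactive = 1 - self.active_index
        self.passwords[self.usernames[inactive]] = secrets.token_urlsafe(24)
        self.active_index = inactive
        return self.active_credentials()

    def login_ok(self, username, password):
        """Stand-in for a database login attempt with the given credentials."""
        stored = self.passwords.get(username)
        return stored is not None and secrets.compare_digest(stored, password)


def overlap_demo():
    rot = DualPhaseRotation(("infisical_user_1", "infisical_user_2"))
    cached = rot.active_credentials()        # a client caches these and never refetches
    results = [rot.login_ok(*cached)]        # before any rotation
    rot.rotate()
    results.append(rot.login_ok(*cached))    # after one rotation: previous set still valid
    rot.rotate()
    results.append(rot.login_ok(*cached))    # after two rotations: previous set replaced
    return results, rot.active_index


if __name__ == "__main__":
    print(overlap_demo())
```

In this model a credential set stays usable for up to two rotation intervals after it is issued, which is the window to account for when a mapped secret leaks or a client caches it.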

## Prerequisites

1. Create a [PostgreSQL Connection](/integrations/app-connections/postgres) with the required **Secret Rotation** permissions

2. Create two designated database users whose credentials Infisical will rotate. Grant each user login permission on the desired database and only the privileges its use case requires.

   An example creation statement might look like:

   ```sql
   -- create user roles
   CREATE USER infisical_user_1 WITH ENCRYPTED PASSWORD 'temporary_password';
   CREATE USER infisical_user_2 WITH ENCRYPTED PASSWORD 'temporary_password';

   -- grant database connection permissions
   GRANT CONNECT ON DATABASE my_database TO infisical_user_1;
   GRANT CONNECT ON DATABASE my_database TO infisical_user_2;

   -- grant relevant table permissions; replace ALL PRIVILEGES with the specific privileges the application needs
   GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO infisical_user_1;
   GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO infisical_user_2;
   ```

   <Tip>
     To learn more about PostgreSQL's permission system, please visit their [documentation](https://www.postgresql.org/docs/current/sql-grant.html).
   </Tip>

3. Ensure your network security policies allow incoming requests from Infisical to this rotation provider, if network restrictions apply.

## Create a PostgreSQL Credentials Rotation in Infisical

<Tabs>
  <Tab title="Infisical UI">
    1. Navigate to your Secret Manager Project's Dashboard and select **Add Secret Rotation** from the actions dropdown.
           <img src="https://mintlify.s3.us-west-1.amazonaws.com/infisical-devin-1781641701-docs-github-pat-fine-grained/images/secret-rotations-v2/generic/add-secret-rotation.png" alt="Secret Manager Dashboard" />

    2. Select the **PostgreSQL Credentials** option.
           <img src="https://mintlify.s3.us-west-1.amazonaws.com/infisical-devin-1781641701-docs-github-pat-fine-grained/images/secret-rotations-v2/postgres-credentials/select-postgres-credentials-option.png" alt="Select PostgreSQL Credentials" />

    3. Select the **PostgreSQL Connection** to use and configure the rotation behavior. Then click **Next**.

           <img src="https://mintlify.s3.us-west-1.amazonaws.com/infisical-devin-1781641701-docs-github-pat-fine-grained/images/secret-rotations-v2/postgres-credentials/postgres-credentials-configuration.png" alt="Rotation Configuration" />

       * **PostgreSQL Connection** - the connection that will perform the rotation of the configured database user credentials.
       * **Rotation Interval** - the interval, in days, that once elapsed will trigger a rotation.
       * **Rotate At** - the local time of day when rotation should occur once the interval has elapsed.
       * **Auto-Rotation Enabled** - whether secrets should automatically be rotated once the rotation interval has elapsed. Disable this option to manually rotate secrets or pause secret rotation.

    4. Input the usernames of the database users created above that will be used for rotation. Then click **Next**.

           <img src="https://mintlify.s3.us-west-1.amazonaws.com/infisical-devin-1781641701-docs-github-pat-fine-grained/images/secret-rotations-v2/postgres-credentials/postgres-credentials-parameters.png" alt="Rotation Parameters" />

       * **Database Username 1** - the username of the first user that will be used for rotation.
       * **Database Username 2** - the username of the second user that will be used for rotation.

           <img src="https://mintlify.s3.us-west-1.amazonaws.com/infisical-devin-1781641701-docs-github-pat-fine-grained/images/secret-rotations-v2/postgres-credentials/postgres-credentials-advance-parameters.png" alt="Rotation Advance Parameters" />

       * **Rotation Statement** - the template string query used to generate the password for the rotated user.
       * **Password Requirements** - the requirements for the password of the PostgreSQL users that will be used for the rotation.

    5. Specify the secret names that the active credentials should be mapped to. Then click **Next**.

           <img src="https://mintlify.s3.us-west-1.amazonaws.com/infisical-devin-1781641701-docs-github-pat-fine-grained/images/secret-rotations-v2/postgres-credentials/postgres-credentials-secrets-mapping.png" alt="Rotation Secrets Mapping" />

       * **Username** - the name of the secret that the active username will be mapped to.
       * **Password** - the name of the secret that the active password will be mapped to.

    6. Give your rotation a name and description (optional). Then click **Next**.

           <img src="https://mintlify.s3.us-west-1.amazonaws.com/infisical-devin-1781641701-docs-github-pat-fine-grained/images/secret-rotations-v2/postgres-credentials/postgres-credentials-details.png" alt="Rotation Details" />

       * **Name** - the name of the secret rotation configuration. Must be slug-friendly.
       * **Description** (optional) - a description of this rotation configuration.

    7. Review your configuration, then click **Create Secret Rotation**.
           <img src="https://mintlify.s3.us-west-1.amazonaws.com/infisical-devin-1781641701-docs-github-pat-fine-grained/images/secret-rotations-v2/postgres-credentials/postgres-credentials-confirm.png" alt="Rotation Review" />

    8. Your **PostgreSQL Credentials** are now available for use via the mapped secrets.
           <img src="https://mintlify.s3.us-west-1.amazonaws.com/infisical-devin-1781641701-docs-github-pat-fine-grained/images/secret-rotations-v2/postgres-credentials/postgres-credentials-created.png" alt="Rotation Created" />
  </Tab>

  <Tab title="API">
    To create a PostgreSQL Credentials Rotation, make an API request to the [Create PostgreSQL
    Credentials Rotation](/api-reference/endpoints/secret-rotations/postgres-credentials/create) API endpoint.

    ### Sample request

    ```bash Request
    curl --request POST \
    --url https://us.infisical.com/api/v2/secret-rotations/postgres-credentials \
    --header 'Content-Type: application/json' \
    --data '{
        "name": "my-pg-rotation",
        "projectId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
        "description": "my database credentials rotation",
        "connectionId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
        "environment": "dev",
        "secretPath": "/",
        "isAutoRotationEnabled": true,
        "rotationInterval": 30,
        "rotateAtUtc": {
            "hours": 0,
            "minutes": 0
        },
        "parameters": {
            "username1": "infisical_user_1",
            "username2": "infisical_user_2"
        },
        "secretsMapping": {
            "username": "POSTGRES_DB_USERNAME",
            "password": "POSTGRES_DB_PASSWORD"
        }
    }'
    ```

    ### Sample response

    ```json Response
    {
        "secretRotation": {
            "id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
            "name": "my-pg-rotation",
            "description": "my database credentials rotation",
            "secretsMapping": {
                "username": "POSTGRES_DB_USERNAME",
                "password": "POSTGRES_DB_PASSWORD"
            },
            "isAutoRotationEnabled": true,
            "activeIndex": 0,
            "folderId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
            "connectionId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
            "createdAt": "2023-11-07T05:31:56Z",
            "updatedAt": "2023-11-07T05:31:56Z",
            "rotationInterval": 30,
            "rotationStatus": "success",
            "lastRotationAttemptedAt": "2023-11-07T05:31:56Z",
            "lastRotatedAt": "2023-11-07T05:31:56Z",
            "lastRotationJobId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
            "nextRotationAt": "2023-11-07T05:31:56Z",
            "connection": {
                "app": "postgres",
                "name": "my-pg-connection",
                "id": "3c90c3cc-0d44-4b50-8888-8dd25736052a"
            },
            "environment": {
                "slug": "dev",
                "name": "Development",
                "id": "3c90c3cc-0d44-4b50-8888-8dd25736052a"
            },
            "projectId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
            "folder": {
                "id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
                "path": "/"
            },
            "rotateAtUtc": {
                "hours": 0,
                "minutes": 0
            },
            "lastRotationMessage": null,
            "type": "postgres-credentials",
            "parameters": {
                "username1": "infisical_user_1",
                "username2": "infisical_user_2"
            }
        }
    }
    ```
  </Tab>
</Tabs>
