Creating and Using Rotated Secrets


Deeper Dive

For more in-depth information, check out our detailed documentation on the following topics:

Rotated Secrets

Database Rotated Secret

SSH Rotated Secret


Need any help?

If something in this tutorial isn't working as expected, feel free to contact our support team via Slack.

Below is a text-only guide for users based on the above video

What is a Rotated Secret?

Rotated Secrets enable you to protect privileged-user account credentials, such as an Administrator account on a Windows server, a root account on a Linux server, or an Admin account on a network device, by resetting its password either manually via the CLI or Console, or automatically resetting it at defined intervals.

Akeyless does this by generating a new password, resetting it on the target machine, and storing the updated secret value so that it can be retrieved when required. The user fetching the secret only has to request it via the UI or CLI and use it to log into the application.

Best practice is to set the password to update automatically, but in this demo, we show how to get this done manually.

Creating a Rotated Secret for MySQL via the UI

Click on 'New' --> 'Rotated Secret' and you will get a popup to enter the details. The minimum requirements are:

  • Rotated Secret Name
  • Choose Target from list
  • Rotator Type (Target in this case)
  • Choose Gateway
  • Auto Rotate set to Manual for this demo (Recurrent optional)

Then click the 'Finish' button and your secret will be created.

Rotating the Secret via the UI

Simply click on the 'Rotate Secret Now' button and you will get a small notification that your secret was successfully rotated.

Scroll down a little and you will see the Previous Versions of the secret, including the current one.

This new password, along with your username, can be used to login to your MySQL database.

Creating a Rotated Secret for an SSH user via the CLI

An SSH Rotated Secret is used to reset a password for a Linux (or Windows) user with a click or command.

Before creating a Rotated Secret, we require a Target. So, using your knowledge from the Creating Targets guide, go ahead and create your SSH Target. You can use either the SSH Key or Password option. We are using the Password option here.


Make sure you use the Hostname of the machine along with a Username that has the ability to update its own password.


Ensure your machine can accept password logins if using the Password option.

Next, go to your terminal and use the following command to create the Rotated Secret. We are only using '--auto-rotate false' for this demonstration.

akeyless create-rotated-secret --name [name_of_secret] --gateway-url '[your_gw_url]:8000' --target-name sshTarget --rotator-type target --auto-rotate false

Your Rotated Secret is now created:

You can also refresh the Secrets & Keys section to see it in the console.

Rotate the Secret via the CLI

From the terminal, run the following command to rotate your secret:

akeyless gateway-rotate-secret -n sshRS --gateway-url 'https:\\<Your-Akeyless-GW-URL:8000>'

You will receive this output:

Next, run the following command to fetch the latest secret using the following command:

akeyless get-rotated-secret-value -n sshRS

You will get the following:

You can now use that to login via SSH to the remote machine: