Creating and Using Rotated Secrets


Deeper Dive

For more in-depth information, check out our detailed documentation on the following topics:

Rotated Secrets

Database Rotated Secret

SSH Rotated Secret


Need any help?

If something in this tutorial isn't working as expected, feel free to contact our support team via Slack.

Below is a text-only guide for users based on the above video

What is a Rotated Secret?

Rotated Secrets enable you to protect privileged-user account credentials, such as an Administrator account on a Windows server, a root account on a Linux server, or an Admin account on a network device, by resetting its password either manually via the CLI or Console, or automatically resetting it at defined intervals.

Akeyless does this by generating a new password, resetting it on the target machine, and storing the updated secret value so that it can be retrieved when required. The user fetching the secret only has to request it via the UI or CLI and use it to log into the application.

Best practice is to set the password to update automatically, but in this demo, we show how to get this done manually.

Creating a Rotated Secret for MySQL via the UI

Click on 'New' --> 'Rotated Secret' and you will get a popup with a list of options to choose from. Click "MySQL" and then "Next".

Choose your Rotated Secret's Name and click "Next".

On the following screen, choose your Target, Rotator Type (Target in this case), Gateway, and set Auto Rotate to "Manual Only" (for this demo). Click "Finish".

Your Rotated Secret will then be created in your account.

Rotating the Secret via the UI

Simply click on the 'Rotate Secret' button and you will get a small notification that your secret was successfully rotated.

This new password, along with your username, can be used to login to your MySQL database.

Creating a Rotated Secret for an SSH user via the CLI

An SSH Rotated Secret is used to reset a password for a Linux (or Windows) user with a click or command.

Before creating a Rotated Secret, we require a Target. So, using your knowledge from the Creating Targets guide, go ahead and create your SSH Target. You can use either the SSH Key or Password option. We are using the Password option here.


Make sure you use the Hostname of the machine along with a Username that has the ability to update its own password.


Ensure your machine can accept password logins if using the Password option.

Next, go to your terminal and use the following command to create the Rotated Secret. We are only using '--auto-rotate false' for this demonstration.

akeyless create-rotated-secret --name [name_of_secret] --gateway-url '[your_gw_url]:8000' --target-name [your-target-name] --rotator-type target --auto-rotate false

Your Rotated Secret is now created:

You can also refresh the Secrets & Keys section to see it in the console.

Rotate the Secret via the CLI

From the UI, go ahead and rotate the secret in the same way we did the previous one.

Or, from the terminal, you can run the following command to rotate your secret:

akeyless gateway-rotate-secret -n sshRS --gateway-url 'https:\\<Your-Akeyless-GW-URL:8000>'

You will receive this output:

You can then run the following command to fetch the latest secret in the CLI:

akeyless get-rotated-secret-value -n sshRS

You will get something like the following:

You can also rotate the secret by clicking 'Rotate Secret' from the console.

You can now use that to login via SSH to the remote machine using the new secret value: