Documentation
Start typing to search…

Graceful Rotation

Suggest Edit

For cloud providers AWS, Azure, and GCP, rotated secrets can be configured with Graceful Rotation mode.

Graceful Rotation keeps the previous credentials valid for a configurable grace period. After the grace period ends, the old credentials are removed from the cloud provider.

Graceful Rotation Modes

⚠️

Warning: Switching between Graceful Rotation modes is destructive and resets the rotation state. When you change the mode, Akeyless removes any existing rotated key versions created by the previous mode (including overlapping copies, if present) and re-initializes the secret. Rotation then restarts with a single fresh credential/key version, and subsequent versions are created according to the newly selected mode.

Use the following configuration rules when enabling Graceful Rotation:

  • grace-rotation-timing supports before and after modes (after is the default).
  • grace-rotation-interval must be lower than rotation-interval.
  • In before mode, rotation-interval must be higher than 2 × grace-rotation-interval with at least one day.

Before Rotation

Creates the new credentials X days before the scheduled rotation date. The old credentials remain valid until the rotation date, and are removed on that date. This mode shifts the overlap before the rotation date. The new credentials are created ahead of time, and the old credentials are removed on the scheduled rotation date. As a result, at the rotation interval boundary (for example, day 90), only one active credential version remains (the new one).

Example configuration:

  • Rotation interval: 90 days
  • Graceful Rotation: 10 days
  • Timeline:
    • Day 80: New credentials are created.
    • Days 80–90: Both old and new credentials are valid in the cloud provider.
    • Day 90: Old credentials are removed, and only the new credentials remain.
Image

After Rotation

Creates the new credentials on the scheduled rotation date. The old credentials remain valid for X more days and are rotated after the grace period ends. This mode results in overlap after the rotation date. At the rotation interval boundary (for example, day 90), two active credential versions exist: the newly created credentials and the previous credentials that remain valid throughout the grace period.

Example configuration:

  • Rotation interval: 90 days
  • Graceful Rotation: 10 days
  • Timeline:
    • Day 90: New credentials are created.
    • Days 90–100: Both old and new credentials are valid in the cloud provider.
    • Day 100: Old credentials are rotated, and only the new credentials remain.
Image

Updated 9 days ago

Footer Section