Windows Rotated Secret
You can create a Rotated Secret for a Windows password. Before you get started, ensure creating a Windows Target that includes the hostname and connection settings, as well as credentials for a privileged user authorized to rotate credentials.
When a client requests a Rotated Secret value, the Akeyless Vault Platform connects to the Windows server through your Gateway to rotate the user password on your target server.
Create a Rotated Windows Secret from the CLI
To create a Rotated Windows Secret using the Akeyless CLI, run the following command
Where:
-
name
: A unique name of the Rotated Secret. The name can include the path to the virtual folder where you want to create the new Rotated Secret, using slash/
separators. If the folder does not exist, it will be created together with the Rotated Secret. -
gateway-url
: Akeyless Gateway URL. -
target-name
: The name of the Windows Target with which the Rotated Secret should be associated. -
authentication-credentials
: Determines how to connect to the target server.use-user-creds
- Use the credentials defined on the Rotated Secret item.use-target-creds
- Use the credentials defined on the Windows Target item.
Tip
Select
use-target-creds
if the Rotated Secret user is not authorized to change their own password, and a privileged user, like the Windows Target user is required to change the password on behalf of the Rotated Secret user.
-
rotator-type
: The type of credentials to be rotated. For Windows Target , choose:password
- to rotate the Windows user password specified in the Rotated Secret.target
- to rotate the password for the user specified in the Windows Target
-
rotated-username
: The Windows user whose password should be rotated. -
rotated-password
: The password to rotate. -
auto-rotate
: Enable auto-rotation if you need to update the password regularly. If this value is set to true, specify therotation-interval
in days, and optionally also therotation-hour
.
You can find the complete list of parameters for this command in the CLI Reference - Rotated Secrets section.
Create a Rotated Windows Secret in the Akeyless Console
Tip
To start working with Rotated Secrets from the Akeyless Console, you need to configure the Gateway URL thus enabling communication between the Akeyless SaaS and the Akeyless Gateway.
To create Rotated Secrets directly from the Akeyless Gateway, you can use the Gateway Configuration Manager.
-
Log in to the Akeyless Console, and go to Secrets & Keys > New > Rotated Secret.
-
Define a Name of the Rotated Secret, and specify the Location as a path to the virtual folder where you want to create the new Rotated Secret, using slash
/
separators. If the folder does not exist, it will be created together with the Rotated Secret. -
Define the remaining settings as follows:
-
Delete Protection: When enabled, protects the Rotated Secret from accidental deletion.
-
Target: The name of the Windows Target with which the Rotated Secret should be associated.
-
Authenticate with the following credentials: Determines how to connect to the target server:
- User credentials: Use the credentials defined inside the Rotated Secret item.
- Target credentials: Use the credentials defined on the Windows Target item.
Tip
Select Target credentials if the Rotated Secret user is not authorized to change their own password, and a privileged user, like the Windows Target user is required to change the password on behalf of the Rotated Secret user.
-
Rotator type: Determines the rotator type:
- Password: Rotates the password defined inside the Rotated Secret item.
- Target: Rotate the password for the user specified in the Windows Target
-
Username: Defines the Windows username which password should be rotated.
-
Password: Defines the password to rotate.
-
Gateway: Select the Gateway through which the secret will be rotated.
-
Protection Key: To enable Zero-Knowledge, select a key with a Customer Fragment. For more information about Zero-Knowledge, see Implement Zero Knowledge.
-
Auto rotate: Determines if automatic rotation is enabled.
-
Rotation interval (in days): Defines the number of days (1-365) to wait between automatic password rotations when Auto Rotate is enabled.
-
Rotation hour (local time zone): Defines the time when the password should be rotated if Auto Rotate is enabled.
- Click Finish.
Updated about 1 month ago