Sam Gabrail – Platform Engineer
Automate Secrets Rotation with Akeyless
This video is part of a blog post about the importance of automated credential rotation.
I go into the details in the blog post, but just know that it's a bad idea to have long-lived static secrets, because they give an extended exposure time and an increased attack surface.
That's why in this video I'll show you how you can use Akeyless to create rotated secrets in addition to dynamic secrets. So let's get started.
Dynamic secrets are credentials that are generated on demand, every time they are requested, using permissions you have defined in advance.
In this way a user can access a resource for a limited period with a fixed set of permissions.
What we see on the screen here is a client that needs to access a resource. It could be AWS, Azure or GCP, or a database where you define the privileges the user will get along with the credentials. The client authenticates to its Akeyless gateway using whatever authentication method it has, and the gateway creates the necessary credentials on the target (again AWS, Azure or a database) and responds with temporary credentials that carry a time to live (TTL). When the TTL expires, Akeyless goes out and deletes those credentials on the target.
So once again, these are short-lived, and you don't have to worry about rotating them, because they stop working once the TTL expires. The one thing to keep in mind is that each request produces a new credential, so whatever consumes it should keep track of the expiry and request a fresh one before it runs out.
Rotated secrets, on the other hand, protect the credentials of privileged accounts, such as an administrator account on a Windows server, the root account on a Linux server, or an admin account on a network device, by resetting the password. The Akeyless platform generates a new password, resets it on the target machine and stores the updated secret so that it can be retrieved when required.
So you can see on the screen here we have a user that wants to access a database, an AWS resource or Azure, for example. They authenticate against Akeyless, retrieve the current rotated secret, and then access that resource.
The Akeyless gateway will rotate the secret on a regular schedule if you configure it to, or it can be done manually: someone goes in, clicks a button and rotates that secret. Either way we no longer have long-lived secrets; they are rotated on a regular basis. Note that between rotations the value is still a shared static password, so anything that caches it has to re-read the secret after each rotation rather than holding on to the copy it fetched at startup.
Alright. Let’s see now how to use dynamic secrets from the UI.
I already have a few that were set up for us here for AWS.
I can see Azure portal and Azure programmatic.
I have GCP as well. So it's pretty simple: once you have this created and configured, all you need to do is go under that dynamic secret and click get dynamic secret.
In the AWS example this gives you your access key ID and secret access key. You can also see how much time you have: the TTL is about an hour before those credentials expire. At the end of the hour these credentials disappear from AWS, so you are no longer able to access AWS with them, which is great.
Just to quickly show you the configuration. First you choose a target.
It's very important to create targets here in Akeyless. In this case, the target is at this location.
For the permissions, you can see the IAM user that is used, any user policies you want to attach, and user groups. In this case we're using user programmatic access; that's how we got the access key ID and secret access key. The TTL is sixty minutes, as you can see here, and then there's the gateway we're working with as well as the protection key we're using in this case.
So it's pretty straightforward. Again, you click new, click dynamic secret and choose from the available options. You can see databases; AWS, Azure and GCP for cloud; Kubernetes; remote desktop; infrastructure; and even Venafi for certificate automation.
In our case we did AWS. Click AWS, click next, give it a name and choose an existing AWS target. I have a couple here. Then again the IAM user to use, programmatic access, the TTL, the gateway and the protection key you need, and that's pretty much it. You click finish, or you click next to add more options such as enabling secure remote access if you wish, but that's pretty much it in terms of setting up dynamic secrets for our AWS example.
Now, when it comes to rotated secrets, it's very similar to what we saw with dynamic secrets. I have a few rotated secrets in here. Here's an Azure rotated secret we can work with.
So once again, you can take a look at the actual rotated secret here with all the details: the client ID, the client secret, the tenant and subscription IDs, and so on. And notice we can just click rotate secret.
That successfully rotated our secret, and now we have a new secret in Azure.
As you can see, we've enabled automatic rotation: every ninety days the system will rotate this secret on its own.
You can take a look at the configuration here. Our target, once again (you always need a target): in this case clouds Azure is our target, and the rotator type is target.
You can see the authentication credentials it uses (user credentials), our gateway, our protection key, and that this is recurrent. You can specify whether you want manual or recurrent rotation; in this case it's recurrent every ninety days, and the rotation hour is eight o'clock local time.
Here you can see the different versions of this rotated secret: the current version right here, and the previous versions as well. Once again, to create one you click new and then go to rotated secret.
There are a few here, similar to what we saw with dynamic secrets: database, cloud, and here we have operating systems, which we didn't have with dynamic secrets, so SSH and Windows, and we've got Docker Hub, LDAP and web. The list is a little shorter than for dynamic secrets, but you still have quite a few to work with. So if we focus on Azure like our example, give it a name, and then a location, description and tag, and click next. Here you specify your target and a rotator type, target for example.
From here we specify our gateway and choose our protection key. In this case we're choosing a protection key for zero-knowledge encryption with our customer fragment, which makes sure that not even Akeyless can decrypt or see the secrets we generate here. Then of course our rotation: the interval here is ninety days, which you can change, and we can say manual rotation only or recurrent rotation. And that's pretty much it.
Okay. So now I'm in my terminal and I want to create a dynamic secret. I'm already authenticated, and all I need to do is run akeyless -h and look for dynamic.
You can see the dynamic-secret command here, so we can continue with akeyless dynamic-secret -h for more help. I can create, delete, get, get-value or list. Let's list all our dynamic secrets and pipe the output to jq just to give it some nice colour.
So here are all my dynamic secrets. I'm interested in AWS, so that's the name of the dynamic secret I need.
Let's clear the screen and once again run the help command. I need to get the value, and getting the value is what actually creates the dynamic credentials. So let's do that by running akeyless dynamic-secret get-value.
Ask for the help menu once more, and I need to specify the name of the secret, which I can do with -n followed by the name, cloud AWS, and hit enter.
And there we go, we get our dynamic secret. You can see the access key ID and the secret access key here. Our TTL is a hundred and eighty minutes, and we can use these AWS credentials to access AWS.
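As an added example (not code from the video or from Akeyless), here is how a script might consume that CLI output in Python: it issues credentials with the same akeyless dynamic-secret get-value -n command, computes the expiry from the TTL, caches the lease, and issues a new one shortly before Akeyless deletes the IAM user. The JSON field names access_key_id, secret_access_key and ttl_in_minutes, the path /cloud/aws, and the runner and clock hooks are assumptions made here for the example; the sample output is constructed and contains no real credentials.

```python
import json
import subprocess
import time
from dataclasses import dataclass


def run_cli(args, runner=None):
    """Run `akeyless <args>` and parse the JSON it prints.

    runner is an injection point (assumed, not an Akeyless feature) so the
    lease logic can be exercised offline; by default the real CLI is executed.
    """
    if runner is None:
        def runner(argv):
            proc = subprocess.run(["akeyless", *argv], check=True,
                                  capture_output=True, text=True)
            return proc.stdout
    return json.loads(runner(args))


@dataclass(frozen=True)
class AwsLease:
    access_key_id: str
    secret_access_key: str
    expires_at: float  # epoch seconds, derived from ttl_in_minutes at issue time

    def env(self):
        """Environment for a child process; never write these to disk."""
        return {"AWS_ACCESS_KEY_ID": self.access_key_id,
                "AWS_SECRET_ACCESS_KEY": self.secret_access_key}


class DynamicSecretLease:
    """Hands out credentials from an AWS dynamic secret, reissuing before expiry.

    Every get-value call creates a fresh IAM user in AWS, so the lease is
    cached for its TTL. refresh_margin_s seconds before Akeyless deletes that
    user a new lease is issued, so in-flight work never runs on credentials
    that vanish mid-request.
    """

    def __init__(self, name, refresh_margin_s=300, runner=None, clock=time.time):
        self.name = name
        self.margin = refresh_margin_s
        self.runner = runner
        self.clock = clock
        self.issued = 0        # number of get-value calls made so far
        self._lease = None

    def credentials(self):
        now = self.clock()
        if self._lease is None or self._lease.expires_at - now <= self.margin:
            self._lease = self._issue(now)
        return self._lease

    def _issue(self, now):
        out = run_cli(["dynamic-secret", "get-value", "-n", self.name], self.runner)
        ttl_s = int(out["ttl_in_minutes"]) * 60
        if ttl_s <= self.margin:
            raise ValueError(f"TTL {ttl_s}s leaves no room for a {self.margin}s refresh margin")
        self.issued += 1
        return AwsLease(out["access_key_id"], out["secret_access_key"], now + ttl_s)


# Constructed stand-in for the CLI output seen in the video (TTL of 180 minutes);
# the field names are an assumption and the values are not real credentials.
SAMPLE_OUTPUT = json.dumps({"access_key_id": "AKIAEXAMPLE",
                            "secret_access_key": "examplesecret",
                            "ttl_in_minutes": 180})


def fake_runner(argv):
    """Offline replacement for the CLI: returns SAMPLE_OUTPUT for get-value."""
    assert argv[:2] == ["dynamic-secret", "get-value"], argv
    return SAMPLE_OUTPUT


if __name__ == "__main__":
    # Against the real CLI (already authenticated, as in the video):
    #   python this_script.py /cloud/aws
    import sys
    lease = DynamicSecretLease(sys.argv[1] if len(sys.argv) > 1 else "/cloud/aws")
    creds = lease.credentials()
    print(creds.access_key_id, "expires at", time.ctime(creds.expires_at))
```

The refresh margin is the practical point: the TTL is the moment Akeyless deletes the IAM user, not a suggestion, so a consumer that waits until the credentials fail will have requests die mid-flight. Reissuing a little early costs one extra IAM user per lease and nothing else.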
Now let's see how to work with rotated secrets in the CLI.
Once again, akeyless -h for help, and let's grep for rotated so I can see the rotated-secret commands. So let's clear.
Okay. So akeyless rotated-secret -h for more help.
We can list all the rotated secrets, again piping to jq for some nice colours.
You'll see GCP rotated and so on, all the different rotated secrets that are available here.
I'm interested in this one, clouds Azure rotated.
So let's clear out of here and run -h one more time. We can see we can get the value, so let's run get-value with -h for more help. We need the name, which we got previously, so we can paste it here.
Hit enter, and there we have it: we get our username and password, which correspond to the client ID and client secret in Azure, and which you can also see inside the UI very easily.
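As an added example (not code from the video or from Akeyless), here is the consumer side of a rotated secret in Python. A rotated secret is still a static password between rotations, so a long-running process that read it once at startup will start failing authentication after the gateway's ninety-day rotation. This client wraps the same akeyless rotated-secret get-value -n command, caches the value, and on an authentication failure re-reads the secret once and retries only if the value actually changed. The username and password field names follow what the video shows; the FakeTarget, the runner hook and the path /clouds/azure-rotated are constructed for the offline demo and are not part of Akeyless.

```python
import json
import subprocess


class AuthError(Exception):
    """Raised by an operation when the target rejects the credentials."""


def run_cli(args, runner=None):
    """Run `akeyless <args>` and parse its JSON output (runner is an offline hook)."""
    if runner is None:
        def runner(argv):
            return subprocess.run(["akeyless", *argv], check=True,
                                  capture_output=True, text=True).stdout
    return json.loads(runner(args))


class RotatedSecretClient:
    """Caches a rotated secret and survives the gateway rotating it underneath us."""

    def __init__(self, name, runner=None):
        self.name = name
        self.runner = runner
        self.fetches = 0        # get-value calls made so far
        self._cached = None

    def fetch(self):
        out = run_cli(["rotated-secret", "get-value", "-n", self.name], self.runner)
        self.fetches += 1
        self._cached = (out["username"], out["password"])
        return self._cached

    def call(self, op):
        """Run op(username, password). On an auth failure, re-read the secret
        once and retry only if the value actually changed; if it is unchanged
        the failure is not a rotation and is re-raised as is."""
        creds = self._cached or self.fetch()
        try:
            return op(*creds)
        except AuthError:
            fresh = self.fetch()
            if fresh == creds:
                raise
            return op(*fresh)


class FakeTarget:
    """Constructed stand-in for the Azure side: accepts only the current
    password and lets the demo simulate a rotation. The version list mirrors
    what the video shows under the secret's versions."""

    def __init__(self, username, password):
        self.username = username
        self.versions = [password]

    def rotate(self, new_password):
        self.versions.append(new_password)

    def cli_output(self, argv):
        """What `akeyless rotated-secret get-value` would print after a rotation."""
        return json.dumps({"username": self.username, "password": self.versions[-1]})

    def login(self, username, password):
        if (username, password) != (self.username, self.versions[-1]):
            raise AuthError("invalid client secret")
        return f"session:v{len(self.versions)}"


if __name__ == "__main__":
    target = FakeTarget("app-client-id", "secret-v1")
    client = RotatedSecretClient("/clouds/azure-rotated", runner=target.cli_output)
    print(client.call(target.login))      # session:v1
    target.rotate("secret-v2")            # the gateway's scheduled rotation
    print(client.call(target.login))      # session:v2, after one transparent re-read
```

Retrying only when the re-read value differs matters: if the secret has not changed, the failure is a misconfiguration or a revoked account, and looping on get-value would just hammer the gateway and hide the real problem.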
In this video we've seen how easy it is to create dynamic and rotated secrets with Akeyless, so that credentials are either short-lived or rotated on a regular schedule.
So no more excuses for creating long-lived credentials.
Go out there and start mandating the use of short-lived credentials in your organization.
Thanks for watching, and I’ll see you in the next video.