TIL: How to live-rotate PostgreSQL credentials
OK, I didn’t actually learn this today, but it wasn’t that long ago.
Postgres creds rotation is straightforward with the exception of the PG maintainers deciding in recent years that words don’t mean anything while designing their identity model. “Users” and “Groups” used to exist in PG, but were replaced in version 8.1 with the “Role” construct.
Here’s a map to translate PG identities to a model that will make sense for anyone who is familiar with literally any other identity system.
<td>
<strong>Literally anything else</strong>
</td>
<td>
User
</td>
<td>
Group
</td>
<td>
Role
</td>
Now that we’ve established this nonsense, here’s a way of handling live creds rotation.
That gets you prepped. When you’re ready to flip things:
Update the creds wherever else they need updating, restart processes, confirm everything is using the new credentials, etc. Then:
Easy, peasy.
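
One common way to carry out the prep / flip / retire sequence described above, as an added example and not the author's own commands. The role names `app_rw`, `app_login_a` and `app_login_b` and the password placeholder are assumptions; privileges are assumed to be granted only to the NOLOGIN role `app_rw` (the "group"), with the LOGIN roles (the "users") inheriting them.

```sql
-- PREP: create the replacement login role next to the one currently in use.
-- Assumption: app_login_a is the live credential and app_rw already exists.
-- Hash with SCRAM so the stored verifier is not MD5.
SET password_encryption = 'scram-sha-256';

-- Placeholder password: generate a real one out of band. With log_statement
-- enabled, this literal can end up in the server log; psql's \password
-- command sends a pre-hashed value instead.
CREATE ROLE app_login_b WITH LOGIN PASSWORD 'REPLACE_WITH_GENERATED_SECRET'
    IN ROLE app_rw;

-- Make new objects owned by the group role rather than the login role,
-- so a login role never accumulates ownership that blocks DROP ROLE later.
ALTER ROLE app_login_b SET role = 'app_rw';

-- Put an expiry on the old password as a backstop in case the retire step
-- is forgotten (constructed date, adjust to your rotation window).
ALTER ROLE app_login_a VALID UNTIL '2030-01-01';

-- FLIP: update the application's stored credentials and restart it
-- (done outside the database), then confirm who is still connected.
SELECT usename, application_name, client_addr, count(*) AS sessions
FROM pg_stat_activity
WHERE usename IN ('app_login_a', 'app_login_b')
GROUP BY usename, application_name, client_addr
ORDER BY usename;

-- RETIRE: once only app_login_b shows sessions, refuse new logins first,
-- then end any stragglers, then remove the old role.
ALTER ROLE app_login_a NOLOGIN;

SELECT pg_terminate_backend(pid)
FROM pg_stat_activity
WHERE usename = 'app_login_a';

-- Run these two in every database where app_login_a may own objects or
-- hold direct grants; DROP ROLE fails while either remains.
REASSIGN OWNED BY app_login_a TO app_rw;
DROP OWNED BY app_login_a;

DROP ROLE app_login_a;
```

Setting `NOLOGIN` before terminating sessions matters: a client with a retry loop would otherwise reconnect with the old password between the terminate and the drop.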