Password Rotation with HashiCorp Vault

This repository is a streamlined systemd setup for automating password rotation with Hashicorp Vault.


  • Running Hashicorp Vault server instance. (Inbound TCP port 8200 to Vault)
  • Seth Vargo's plugin configured and installed: vault-secrets-gen plugin
  • Version 2 K/V secrets backend mounted at systemcreds:
vault secrets enable -version=2 -path=systemcreds/ kv

Vault Server Configuration

1. Configure Policies:

 vault policy write policy-service-linux-rotate polcies/policy-service-linux-rotate.hcl
 vault policy write policy-systemcreds-linux policies/policy-systemcreds-linux.hcl

2. Generate a token:

vault token create -period 960h -policy policy-service-linux-rotate -display-name service-linux-rotate

Linux Host Configuration (System for which you need to rotate the password)

1. Install package

dnf install painless-password-rotation

2. Update Environment File

Update Vault Address and Token in /etc/sysconfig/vault-rotate


3. Run password rotation service

systemctl start rotate-password.service

4. Log onto the Vault UI and verify that the password was saved successfully

5. Start/Enable password rotation timer

systemctl enable rotate-password.timer
systemctl start rotate-password.timer