---
title: Rotated secrets
url: /docs/esc/integrations/rotated-secrets/
---
Pulumi ESC Rotators are ESC functions that enable you to rotate various credentials both automatically and manually for a number of supported services. Rotated credentials are stored in your ESC Environments, allowing you to easily and securely use them from anywhere. Some of the rotators require you to deploy [Rotation Connectors](/docs/esc/environments/rotation/#rotation-connectors) in order to rotate credentials inside private networks.

To learn how to set up and use each rotator, follow the links below. All rotators use [login providers](/docs/esc/integrations/dynamic-login-credentials/) for authorization, with the most secure way being OpenID Connect (OIDC) login providers. Learn more about how to configure them in [OpenID Connect](/docs/esc/environments/configuring-oidc) Pulumi Cloud documentation.

| Rotator                                                                  | Required connector                     | Description                                                                                                             |
|--------------------------------------------------------------------------|----------------------------------------|-------------------------------------------------------------------------------------------------------------------------|
| [aws-iam](/docs/esc/integrations/rotated-secrets/aws-iam/)               | None                                   | The `aws-iam` rotator enables you to rotate access credentials for an AWS IAM User.                                     |
| [azure-app-secret](/docs/esc/integrations/rotated-secrets/azure-app-secret/) | None                              | The `azure-app-secret` rotator enables you to rotate client secrets for an Azure app registration.                      |
| [mysql](/docs/esc/integrations/rotated-secrets/mysql/)                   | `aws-lambda`(in private networks only) | The `mysql` rotator enables you to rotate user credentials for a MySQL database in your Environment.                    |
| [password](/docs/esc/integrations/rotated-secrets/password/)             | None                                   | The `password` rotator enables you to rotate any user defined key by providing password generation rules.               |
| [passphrase](/docs/esc/integrations/rotated-secrets/passphrase/)         | None                                   | The `passphrase` rotator enables you to rotate any user defined key by providing memorable passphrase generation rules. |
| [postgres](/docs/esc/integrations/rotated-secrets/postgres/)             | `aws-lambda`(in private networks only) | The `postgres` rotator enables you to rotate user credentials for a PostgreSQL database in your Environment.            |
| [snowflake-user](/docs/esc/integrations/rotated-secrets/snowflake-user/) | None                                   | The `snowflake-user` rotator enables you to rotate RSA keypairs for a Snowflake database user in your Environment.      |
| [external](/docs/esc/integrations/rotated-secrets/external/)             | None                                   | The `external` rotator enables you to rotate credentials with a custom service adapter.                                 |