Automated Rotation of Datasource Passwords

This document will explain how to rotate datasource passwords using the sdm admin datasources update command. For more information on using this command, you can also check out Automated Import of Datasources. You can also use this command to update any other aspects of your datasources.

Getting the JSON Template for your Datasource

StrongDM supports dozens of dataSOURCES, and each has its own import/update format. To get the current JSON state of the datasource you want to modify, run sdm admin datasources list -j -e > update.json command to get a JSON document that you can modify. This command will put information for all datasources into update.json.

Example Update JSON

The password field is not included in the JSON export, but you can add it as seen below. Though each datasource type has a bunch of different fields, however, all you’ll need is name and password for the purposes of password update. You can remove any fields you’re not using.

Note: The name field must be unique for each datasource.

[
  {
    "type": "postgres",
    "name": "postgres datasource",
    "password": "newPassword",
  },
  {
    "type": "mysql",
    "name": "mysql datasource",
    "password": "newPassword",
  }
]

Running the Update

Once you have your modified JSON ready to go, you can update the password(s) (and any other fields you’ve modified) by running sdm admin datasources update --file update.json.