# Rotating Credentials

This guide demonstrates how to update credentials referenced in the Immuta Enterprise Helm chart (IEHC).

{% hint style="info" %}
**Kubernetes namespace**

The following sections assume the IEHC was deployed into namespace `immuta` and that `immuta` is the current namespace.
{% endhint %}

## Kubernetes secrets

### Edit secrets

{% hint style="info" %}
**Using an alternative editor**

Set environment variable `KUBE_EDITOR` to specify an alternative text editor.
{% endhint %}

1. Validate that secret `immuta-secret` exists in the current namespace.

   ```bash
   kubectl get secret/immuta-secret
   ```
2. Edit secret `immuta-secret` in place.

   ```bash
   kubectl edit secret/immuta-secret
   ```
3. Edit secret `immuta-legacy-secret` in place. *Skip this step if the legacy query engine is disabled (the default).*

   ```sh
   kubectl edit secret/immuta-legacy-secret
   ```
4. Restart pods.

   ```bash
   kubectl rollout restart deployment --selector "app.kubernetes.io/component in (audit,secure)"
   ```

### Legacy query engine

{% hint style="info" %}
**Considerations when using the legacy query engine**

The following section is only necessary if the [legacy query engine service has been enabled](/latest/configuration/self-managed-deployment/configure/enabling-legacy-query-engine.md).
{% endhint %}

1. Validate that secret `immuta-legacy-secret` exists in the current namespace.

   ```bash
   kubectl get secret/immuta-legacy-secret
   ```
2. Get the query engine replica count. This value is referenced in a later step.

   ```bash
   kubectl get statefulset --selector "app.kubernetes.io/component=query-engine" --output template='{{ range .items }}{{ .status.replicas }}{{ "\n" }}{{ end }}'
   ```
3. Scale the replica count down to `1`.

   ```bash
   kubectl scale statefulset --all --replicas 1 --selector "app.kubernetes.io/component=query-engine"
   ```
4. Get the query engine pod name. This value is referenced in the following steps.

   ```bash
   kubectl get pod --selector "app.kubernetes.io/component=query-engine"
   ```
5. Update the [placeholder value](/latest/configuration/self-managed-deployment/conventions.md) with a query engine superuser password.

   ```bash
   kubectl exec pod/<query-engine-pod-name> -- \
       psql -d immuta -c \
       "ALTER USER postgres WITH ENCRYPTED PASSWORD '<new-patroni-superuser-password>'"
   ```
6. Update the [placeholder value](/latest/configuration/self-managed-deployment/conventions.md) with a query engine replication password.

   ```bash
   kubectl exec pod/<query-engine-pod-name> -- \
       psql -d immuta -c \
       "ALTER USER replicator WITH ENCRYPTED PASSWORD '<new-patroni-replication-password>'"
   ```
7. Update the [placeholder value](/latest/configuration/self-managed-deployment/conventions.md) with a query engine feature password.

   ```bash
   kubectl exec pod/<query-engine-pod-name> -- \
       psql -d immuta -c \
       "ALTER USER feature_service WITH ENCRYPTED PASSWORD '<new-immuta-feature-password>'"
   ```
8. Scale the replica count back up to the previous value by updating the [placeholder value](/latest/configuration/self-managed-deployment/conventions.md).

   ```bash
   kubectl scale statefulset --all --replicas <query-engine-previous-replica-count> --selector "app.kubernetes.io/component=query-engine"
   ```
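Steps 5 to 7 place each new password inside a quoted SQL string on the command line, so a password containing a single quote breaks the statement, and the value lands in shell history and process arguments. The script below is an added example, not part of the Immuta documentation or tooling: it escapes the password as a PostgreSQL string literal and sends the statement to `psql` on standard input. The password files and the function names are assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not Immuta tooling. Role names and database come from the
# steps above; the password files and function names are assumptions.
set -eu

# Quote a value as a PostgreSQL string literal by doubling single quotes
# (assumes standard_conforming_strings=on, the PostgreSQL default).
sql_literal() {
  printf "'%s'" "$(printf '%s' "$1" | sed "s/'/''/g")"
}

# Build the ALTER USER statement; only the three roles from this page are allowed.
alter_user_sql() {
  case "$1" in
    postgres|replicator|feature_service) ;;
    *) echo "unexpected role: $1" >&2; return 1 ;;
  esac
  printf 'ALTER USER %s WITH ENCRYPTED PASSWORD %s;\n' "$1" "$(sql_literal "$2")"
}

# Feed the statement to psql on stdin so the password stays out of shell
# history and out of the kubectl and psql argument lists.
rotate_role() { # usage: rotate_role <pod> <role> <password-file>
  pw=$(cat "$3")   # aborts under set -e if the file is unreadable
  [ -n "$pw" ] || { echo "empty password in $3" >&2; return 1; }
  sql=$(alter_user_sql "$2" "$pw")
  printf '%s\n' "$sql" |
    kubectl exec -i "pod/$1" -- psql -d immuta -q -v ON_ERROR_STOP=1
}

main() { # usage: main <pod> <superuser-file> <replication-file> <feature-file>
  rotate_role "$1" postgres "$2"
  rotate_role "$1" replicator "$3"
  rotate_role "$1" feature_service "$4"
}

# Run only when arguments are given, so the functions can also be sourced.
[ "$#" -eq 0 ] || main "$@"
```

Run it between the scale-down and scale-up steps, passing the pod name from step 4 and three files that each hold one new password.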

## Apply Helm values

1. Update credentials in the `immuta-values.yaml` file.
2. Perform a [Helm upgrade](https://helm.sh/docs/helm/helm_upgrade/) to apply the changes made to `immuta-values.yaml`. Update the [placeholder value](/latest/configuration/self-managed-deployment/conventions.md) with your own release name.

   ```shell
   helm upgrade <release-name> oci://ocir.immuta.com/stable/immuta-enterprise --values immuta-values.yaml --version 2026.1.4
   ```

