# Service-Account Key Rotation

For most production cases, P0 recommends configuring service-account authentication using [workload identity federation](https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-63c.pdf). However, certain third-party systems (such as business intelligence tools) may require access to your production cloud and only support access via static credentials. For these identities, P0 manages credential rotation so that stale credentials do not remain in use.

### How it works

1. You set a credential rotation policy within P0. For example, you may require that credentials be rotated every 30 days, and that no credential is ever more than 40 days old.
2. P0 uses your [Access Inventory](/readme/access-inventory.md) to automatically detect credentials that have upcoming rotation due dates.
3. P0 determines account owners within your organization based on associated resources. For example, P0 might use the technical contact configured in the credential's managing cloud account.
4. P0 stages updated credentials for each account that needs rotation within a vault you connect (for example, AWS KMS, GCP GSM, or HashiCorp Vault).
5. P0 assigns tickets in your tracking system for owners to update credentials in third-party systems.
6. When each rotation ticket is closed, P0 revokes the previous credential.

<figure><img src="/files/FXbdyR31dvkLdnmSpoNd" alt="Credential rotation dashboard showing assignees with overdue and upcoming rotation tickets, with options to view details or send reminders" width="563"><figcaption></figcaption></figure>
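The policy check from step 1 and the ticket-gated revocation from step 6, as an added example that is not P0's code or API. The `Key` fields, the state and action names, the 7-day look-ahead, the `escalate` action and the inventory entries are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

ROTATE_EVERY = timedelta(days=30)  # policy example from step 1
MAX_AGE = timedelta(days=40)       # policy example from step 1
LOOKAHEAD = timedelta(days=7)      # assumption: how early "upcoming" starts

@dataclass
class Key:
    key_id: str
    created: date
    staged_id: Optional[str] = None  # replacement already staged in the vault
    ticket_closed: bool = False      # owner confirmed the third-party update

def state(key: Key, today: date) -> str:
    age = today - key.created
    if age > MAX_AGE:
        return "violation"           # older than the hard limit
    if age >= ROTATE_EVERY:
        return "due"
    if age >= ROTATE_EVERY - LOOKAHEAD:
        return "upcoming"
    return "ok"

def action(key: Key, today: date) -> str:
    s = state(key, today)
    if key.staged_id and key.ticket_closed:
        return "revoke-previous"     # step 6: only after the ticket closes
    if key.staged_id:
        # The old key must keep working until the owner switches over.
        return "escalate" if s == "violation" else "await-owner"
    return "none" if s == "ok" else "stage-and-ticket"  # steps 4 and 5

def plan(inventory, today):
    return {k.key_id: (state(k, today), action(k, today)) for k in inventory}

# Constructed inventory; key ids and dates are made up.
TODAY = date(2024, 6, 30)
INVENTORY = [
    Key("bi-tool", date(2024, 6, 20)),
    Key("etl", date(2024, 6, 5)),
    Key("reports", date(2024, 5, 28), staged_id="reports-v2"),
    Key("legacy", date(2024, 5, 15), staged_id="legacy-v2"),
    Key("dash", date(2024, 6, 1), staged_id="dash-v2", ticket_closed=True),
]

if __name__ == "__main__":
    for key_id, result in plan(INVENTORY, TODAY).items():
        print(key_id, *result)
```

The `legacy` key shows why the 40-day limit needs its own state: a replacement is staged, but the old key stays live until its ticket closes, so an open ticket is what keeps it past the limit.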

### Related documentation

* [Access inventory](/readme/access-inventory.md) — P0 uses your inventory data to detect credentials approaching rotation deadlines
* [Tracker integrations](/integrations/tracker-integrations.md) — Connect your ticketing system for automated rotation ticket assignment
* [Resource integrations](/integrations/resource-integrations.md) — Connect the cloud environments whose credentials you want to rotate

### Getting started with service-account key rotation

Key rotation requires an enterprise P0 license. Contact [P0 sales](mailto:sales@p0.dev) to get started.


