
Rotate IAM Database Passwords


Risk Level: High (not acceptable risk)

Ensure that your IAM database passwords are rotated every 90 days or less in order to decrease the likelihood of accidental exposures and protect your Oracle Cloud Infrastructure (OCI) database instances against unauthorized access. An IAM database password allows an IAM user to directly authenticate with an OCI database instance, separate from the OCI console password.

Security

IAM database passwords don't have an expiration date. Rotating IAM database passwords periodically will significantly reduce the chances that a compromised password can be used without your knowledge to access autonomous database instances within your Oracle Cloud Infrastructure (OCI) account.

Audit

To determine if your IAM database passwords are rotated on a periodic basis (i.e., every 90 days or less), perform the following operations:

Using OCI Console

01 Sign in to your Oracle Cloud Infrastructure (OCI) account.

02 Navigate to Identity console available at https://cloud.oracle.com/identity/.

03 In the left navigation panel, choose Domains, and select an OCI compartment from the Compartment dropdown menu next to Applied filters, to list all the domains created for that compartment.

04 Click on the name (link) of the domain that you want to examine, listed in the Name column.

05 Select the User management tab to list the IAM users created for your domain.

06 In the Users section, click on the name (link) of the IAM user that you want to examine.

07 Select the Database passwords tab to access the database credentials created for the selected IAM user.

08 In the Database passwords section, check the date in the Created column to determine when each database password was created. If more than 90 days have passed since a password was created, that IAM database password is not rotated on a regular basis: it is outdated and needs to be re-created in order to secure access to your OCI database instances.

Using OCI CLI

01 Run iam compartment list command (Windows/macOS/Linux) with output query filters to list the ID of each compartment available in your Oracle Cloud Infrastructure (OCI) account:

oci iam compartment list \
	--all \
	--include-root \
	--query 'data[]."id"'

02 The command output should return the requested OCI compartment identifiers (OCIDs):

[
	"ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
	"ocid1.compartment.oc1..abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd"
]

03 Run iam user list command (OSX/Linux/UNIX) to list the ID of each IAM user created for your Oracle Cloud Infrastructure (OCI) compartment:

oci iam user list \
	--compartment-id 'ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd' \
	--all \
	--query 'data[].["name","id"]' \
	--output 'table'

04 The command output should return a table with requested IAM user identifiers:

+---------------------------------------+------------------------------------------------------------------------------+
| Column1                               | Column2                                                                      |
+---------------------------------------+------------------------------------------------------------------------------+
| cc-project5-developer                 | ocid1.user.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd |
| cc-domain-secops-dev                  | ocid1.user.oc1..aaaabbbbccccddddabcdabcd1234abcd1234abcd1234abcd1234abcd1234 |
| cc-iam-access-manager                 | ocid1.user.oc1..aaaabbbbcccc1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd |
+---------------------------------------+------------------------------------------------------------------------------+

05 Run iam user list-db-credentials command (OSX/Linux/UNIX) with the ID of the IAM user that you want to examine as the identifier parameter, to list the ID and the creation date/time for each IAM database password created for the specified user:

oci iam user list-db-credentials \
	--user-id 'ocid1.user.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd' \
	--output table \
	--query 'data[].["id","time-created"]'

06 The command output should return the requested credential information:

+------------------------------------------------------------------------------------+----------------------------------+
| Column1                                                                            | Column2                          |
+------------------------------------------------------------------------------------+----------------------------------+
| ocid1.credential.oc1..aaaabbbbccccddddabcdabcd1234abcd1234abcd1234abcd1234abcd1234 | 2024-09-08T16:20:10.103000+00:00 |
| ocid1.credential.oc1..aaaabbbbcccc1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd | 2024-11-10T16:44:11.106000+00:00 |
+------------------------------------------------------------------------------------+----------------------------------+

Check the time-created timestamp (Column2) for each IAM database password to determine when the password was created. If more than 90 days have passed since a password was created, that database password is not rotated on a regular basis: the credentials are outdated and need to be regenerated in order to secure access to your Oracle Cloud Infrastructure (OCI) databases.
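The CLI audit above (list credentials, compare time-created against a 90-day threshold) as an added example, not code from the original page: the check runs offline on the JSON that oci iam user list-db-credentials prints, so it works on captured output; only fetch_db_credentials() talks to OCI and assumes a configured oci CLI on PATH. The sample JSON is constructed from the page's example output plus one DELETED entry; the OCIDs are not real.

```python
"""Flag OCI IAM database passwords older than the 90-day rotation threshold."""
import json
import subprocess
from datetime import datetime, timezone
from typing import List, Optional, Tuple

MAX_AGE_DAYS = 90  # rotation threshold used by the Conformity check

# Constructed sample modelled on the page's list-db-credentials output:
# two ACTIVE credentials plus a DELETED one that the check must ignore.
SAMPLE_CLI_JSON = json.dumps({"data": [
    {"id": "ocid1.credential.oc1..aaaabbbbccccddddabcdabcd1234abcd1234abcd1234abcd1234abcd1234",
     "lifecycle-state": "ACTIVE", "time-created": "2024-09-08T16:20:10.103000+00:00"},
    {"id": "ocid1.credential.oc1..aaaabbbbcccc1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd",
     "lifecycle-state": "ACTIVE", "time-created": "2024-11-10T16:44:11.106000+00:00"},
    {"id": "ocid1.credential.oc1..EXAMPLEDELETED",
     "lifecycle-state": "DELETED", "time-created": "2024-01-01T00:00:00.000000+00:00"},
]})


def stale_db_credentials(cli_json: str, now_iso: Optional[str] = None,
                         max_age_days: int = MAX_AGE_DAYS) -> List[Tuple[str, int]]:
    """Return (credential OCID, age in days) for each ACTIVE credential older than max_age_days.

    cli_json is the stdout of `oci iam user list-db-credentials --user-id <ocid>`.
    now_iso pins the reference time (ISO 8601 with UTC offset); default is the current UTC time.
    """
    now = datetime.fromisoformat(now_iso) if now_iso else datetime.now(timezone.utc)
    stale = []
    for cred in json.loads(cli_json).get("data", []):
        if cred.get("lifecycle-state") != "ACTIVE":
            continue  # a deleted credential cannot be used, so it needs no rotation
        created = datetime.fromisoformat(cred["time-created"])  # offset-aware timestamp
        age_days = (now - created).days
        if age_days > max_age_days:
            stale.append((cred["id"], age_days))
    return stale


def fetch_db_credentials(user_id: str) -> str:
    """Live path (assumes a configured `oci` CLI): raw JSON output for one IAM user."""
    cmd = ["oci", "iam", "user", "list-db-credentials", "--user-id", user_id]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    for cred_id, age in stale_db_credentials(SAMPLE_CLI_JSON, "2025-01-01T00:00:00+00:00"):
        print(f"ROTATE {cred_id}: created {age} days ago (limit {MAX_AGE_DAYS})")
```

To audit a real user, pass fetch_db_credentials(user_ocid) to stale_db_credentials() in place of the sample; loop over the user OCIDs from step 04 to cover a whole compartment.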

Remediation / Resolution

To rotate (re-create) your outdated Identity and Access Management (IAM) database passwords, perform the following operations:

Using OCI Console

01 Sign in to your Oracle Cloud Infrastructure (OCI) account.

02 Navigate to Identity console available at https://cloud.oracle.com/identity/.

03 In the left navigation panel, choose Domains, and select an OCI compartment from the Compartment dropdown menu next to Applied filters, to list all the domains created for that compartment.

04 Click on the name (link) of the domain that you want to access, listed in the Name column.

05 Select the User management tab to list the IAM users created for your domain.

06 In the Users section, click on the name (link) of the IAM user that you want to configure.

07 Select the Database passwords tab to access the database credentials created for the selected IAM user.

08 In the Database passwords section, select Create database password, enter a new password, confirm that password, and choose Create database password to create a new IAM database password. If the selected IAM user already has two database passwords, follow the instructions outlined in step no. 11 to remove the outdated password first.

09 Update all your applications and systems to replace the outdated password with the new one created in the previous step.

10 Test all your applications and systems to make sure that the new database password is working as expected.

11 Once you are sure that your applications and systems are no longer using the original password, return to Database passwords section, select the outdated database password, click on the Actions menu (three-dot icon), and choose Delete. In the confirmation box, choose Delete to remove the outdated credentials.

Using OCI CLI

01 Run iam user create-db-credential command (OSX/Linux/UNIX) to create a new database password for the selected IAM user. An IAM user can have up to two database passwords at a time. If the selected IAM user already has two database passwords, follow the instructions outlined in step no. 5 to remove the outdated password first. Replace <secure-password> with your own database password:

oci iam user create-db-credential \
	--password '<secure-password>' \
	--description 'Project5 Database Password' \
	--user-id 'ocid1.user.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd'

02 The command output should return the information available for the new credentials:

{
	"data": {
		"id": "ocid1.credential.oc1..aaaabbbbcccc1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd",
		"lifecycle-details": null,
		"lifecycle-state": "ACTIVE",
		"time-created": "2025-09-21T12:09:36.565000+00:00",
		"time-expires": null,
		"user-id": "ocid1.user.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd"
	},
	"etag": "abcd1234abcd1234abcd1234abcd1abcd"
}

03 Update all your applications and systems to replace the outdated database password with the new one created in the previous steps.

04 Test all your applications and systems to make sure that the new password is working as expected.

05 Once you are sure that your applications and systems are no longer using the original password, run iam user delete-db-credential command (OSX/Linux/UNIX) to delete the outdated IAM database password:

oci iam user delete-db-credential \
	--db-credential-id 'ocid1.credential.oc1..aaaabbbbccccddddabcdabcd1234abcd1234abcd1234abcd1234abcd1234' \
	--user-id 'ocid1.user.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd'

06 Type Y (Yes) and press Enter to confirm the resource removal:

Are you sure you want to delete this resource? [y/N]: Y

Publication date Nov 11, 2025