2 days ago
Hello Railway team,
I would like to know the official safe procedure to rotate credentials for an existing Railway PostgreSQL database.
In the PostgreSQL service variables, I can see variables such as PGPASSWORD, POSTGRES_PASSWORD, DATABASE_URL, and DATABASE_PUBLIC_URL.
When opening the menu on POSTGRES_PASSWORD, I see options such as Edit, Seal, Promote, Generator, and Delete.
Questions:
- What is the official recommended way to rotate PostgreSQL credentials for an existing Railway database?
- Does using Generator on POSTGRES_PASSWORD only change the Railway variable, or does it also update the actual PostgreSQL database password?
- After credential rotation, are DATABASE_URL and DATABASE_PUBLIC_URL automatically regenerated?
- Do connected services need to be redeployed after credential rotation?
- What is the safest way to avoid breaking services that reference the database?
I am not including any DATABASE_URL, DATABASE_PUBLIC_URL, password, token, project name, or secret value.
3 Replies
2 days ago
The official way to rotate PostgreSQL credentials is through the Credentials tab in your database service's Database view. It safely regenerates the password and keeps the environment variables (including DATABASE_URL and DATABASE_PUBLIC_URL) synchronized, avoiding manual edits that can cause authentication mismatches. After rotating, you will need to manually redeploy any service that depends on the updated password variable or derived database URL.
Status changed to Awaiting User Response Railway • 2 days ago
Railway
The official way to rotate PostgreSQL credentials is through the **Credentials tab** in your database service's Database view. It safely regenerates the password and keeps the environment variables (including `DATABASE_URL` and `DATABASE_PUBLIC_URL`) synchronized, avoiding manual edits that can cause authentication mismatches. After rotating, you will need to manually redeploy any service that depends on the updated password variable or derived database URL.
3 hours ago
Thank you. Before rotating credentials, can you confirm the safest backup/export step Railway recommends for an existing production PostgreSQL database?
Specifically:
- Should I create or verify a backup before rotating credentials?
- Is there any PITR or snapshot requirement before using the Credentials tab?
- After rotating credentials, should all connected services be redeployed manually even if Railway synchronizes DATABASE_URL and DATABASE_PUBLIC_URL?
I want to avoid any production downtime or data loss.
Status changed to Awaiting Railway Response Railway • about 3 hours ago
3 hours ago
Credential rotation via the Credentials tab does not touch your data, so it is not strictly required to back up beforehand, but it is always good practice for a production database. You can take a manual backup from the Backups tab on your database service, or enable PITR for continuous WAL archiving with a ~4-week restore window. There is no PITR or snapshot prerequisite for using the Credentials tab. Yes, connected services still need a manual redeploy after rotation, even though the variable values are updated automatically, because running containers hold the old values in memory until they restart.
Status changed to Awaiting User Response Railway • about 3 hours ago