ALTER CONNECTION rotates the key pairs associated with an
SSH tunnel connection.
|name||The identifier of the connection you want to alter.|
ROTATE KEYS command can be used to change the key pairs associated with
an SSH tunnel connection without causing downtime.
Each SSH tunnel connection is associated with two key pairs. The public keys
for the key pairs are announced in the
system table in the
Upon executing the
ROTATE KEYS command, Materialize deletes the first key
pair, promotes the second key pair to the first key pair, and generates a new
second key pair. The connection’s row in
mz_ssh_tunnel_connections is updated
public_key_1 column will contain the public key that was
formely in the
public_key_2 column, and the
public_key_2 column will contain
a new public key.
ROTATE KEYS, you should update your SSH bastion server with
the new public keys:
- Remove the public key that was formely in the
- Add the new public key from the
Throughout the entire process, the SSH bastion server is configured to permit authentication from at least one of the keys that Materialize will authenticate with, so Materialize’s ability to connect is never interrupted.
You must take care to update the SSH bastion server with the new keys after
every execution of the
ROTATE KEYS command. If you rotate keys twice in
succession without adding the new keys to the bastion server, Materialize will
be unable to authenticate with the bastion server.