UPDATE STORAGE ACCESS command - credential rotation

Regular credential rotation is a security best practice. You can update the credentials stored in a Db2 storage access alias in two ways: by invoking a stored procedure from a remote client, or, for instance-level storage access aliases, by running a command locally on the Db2 server.

Authorization

You will need SYSADM authorization to run the SYSIBMADM.STORAGE_ACCESS_ALIAS.UPDATE stored procedure or the UPDATE STORAGE ACCESS command.

Command parameters

ALIAS alias name
The name of the existing storage access alias whose credentials are being updated.
USER user name
Specifies the Cloud Object Storage access key of the remote storage account.
PASSWORD password
Specifies the Cloud Object Storage access secret key of the remote storage account.

Credential rotation procedure

For Native Cloud Object Storage support, credential rotation must follow a specific sequence of steps. The order matters because the Db2 engine holds long-lived connections to the Cloud Object Storage service; rotating in this order keeps those connections usable while the credentials change, instead of cutting off access the moment the old credentials are revoked.

Follow these required steps, in this order, to perform a credential rotation:
  1. Generate a new pair of credentials in your Cloud Object Storage provider.
  2. Update the credentials defined in the Db2 remote storage access alias used by the Native Cloud Object Storage storage hierarchy. You can update these credentials remotely by calling the stored procedure or locally by running the command.
  3. Disable the old pair of credentials in the Cloud Object Storage provider once they are no longer in use. Some Cloud Object Storage providers, such as AWS, offer a command that reports when a pair of credentials was last used; use it to confirm the old pair is idle before disabling it.
  4. Confirm that the Db2 instance still has access to the Cloud Object Storage provider.
  5. Delete the old pair of credentials in the Cloud Object Storage provider.
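The following script carries the five steps above through end to end for an alias backed by an AWS IAM access key. It is an added example, not IBM's or AWS's code: it assumes the AWS CLI, the Db2 CLP (db2) running as a SYSADM user, and an IAM user that is used only by this alias, so that IAM's "last used" timestamp for the old key reflects Db2 alone. Function and variable names are this example's own. The secret is passed to the CLP through a mode-0600 temporary file rather than as a command-line argument, so it does not appear in process listings or shell history.

```shell
#!/bin/sh
# Credential rotation for a Db2 storage access alias backed by an AWS IAM
# access key. Added example, not IBM's or AWS's code. Assumes: AWS CLI,
# Db2 CLP (db2) as a SYSADM user, an IAM user dedicated to this alias.
set -eu

# IAM "last used" timestamp of an access key (ISO 8601, UTC), or the
# literal string None if the key has never been used.
key_last_used() {
  aws iam get-access-key-last-used --access-key-id "$1" \
    --query 'AccessKeyLastUsed.LastUsedDate' --output text
}

# True when key $1 has not been used since timestamp $2. Both values are
# ISO 8601 UTC, so a plain string comparison orders them correctly.
key_idle_since() {
  last=$(key_last_used "$1")
  [ "$last" = None ] || expr "$last" \< "$2" >/dev/null
}

# Step 1: create the replacement key pair; prints "<key id><TAB><secret>".
create_new_key() {
  aws iam create-access-key --user-name "$1" \
    --query 'AccessKey.[AccessKeyId,SecretAccessKey]' --output text
}

# Step 2: update the alias through the stored procedure. The statements are
# fed to the CLP from a temporary file (mktemp creates it mode 0600) so the
# secret never appears in process arguments or shell history.
update_alias() {
  db="$1"; alias_name="$2"; key_id="$3"; secret="$4"
  script=$(mktemp)
  printf "CONNECT TO %s;\nCALL SYSIBMADM.STORAGE_ACCESS_ALIAS.UPDATE('%s', '%s', '%s');\nCONNECT RESET;\n" \
    "$db" "$alias_name" "$key_id" "$secret" >"$script"
  rc=0
  db2 -tf "$script" || rc=$?
  rm -f "$script"
  return "$rc"
}

# Steps 3 to 5: wait until IAM reports the old key idle, deactivate it,
# confirm the new key is the one now being used, then delete the old key.
# IAM updates "last used" with a delay, so poll instead of checking once;
# $5 is the number of polls and $6 the seconds between them.
retire_old_key() {
  iam_user="$1"; old_key="$2"; new_key="$3"; since="$4"; tries="$5"; pause="$6"
  n=0
  until key_idle_since "$old_key" "$since"; do
    n=$((n + 1))
    [ "$n" -lt "$tries" ] || { echo "old key $old_key still in use; not disabling" >&2; return 1; }
    sleep "$pause"
  done
  aws iam update-access-key --user-name "$iam_user" --access-key-id "$old_key" --status Inactive
  # Step 4: Db2 still has access only if the new key is now being used.
  n=0
  until [ "$(key_last_used "$new_key")" != None ]; do
    n=$((n + 1))
    [ "$n" -lt "$tries" ] || { echo "new key $new_key not used yet; old key left inactive, not deleted" >&2; return 1; }
    sleep "$pause"
  done
  aws iam delete-access-key --user-name "$iam_user" --access-key-id "$old_key"
}

# Whole procedure, steps 1 to 5 in the required order.
# Usage: rotate_alias_credentials <db> <alias> <iam user> <old key id> [polls] [seconds]
rotate_alias_credentials() {
  db="$1"; alias_name="$2"; iam_user="$3"; old_key="$4"
  pair=$(create_new_key "$iam_user")
  new_key=${pair%%[[:space:]]*}
  new_secret=${pair##*[[:space:]]}
  since=$(date -u +%Y-%m-%dT%H:%M:%S)
  update_alias "$db" "$alias_name" "$new_key" "$new_secret"
  retire_old_key "$iam_user" "$old_key" "$new_key" "$since" "${5:-4}" "${6:-900}"
  echo "alias $alias_name now uses key $new_key; old key $old_key deleted" >&2
}
```

If the old key is still being used after the last poll, the script stops before disabling it, and if the new key has not been used yet it leaves the old key inactive but not deleted, so the rotation can be resumed or rolled back by reactivating the old key. The defaults of four polls fifteen minutes apart match the delay with which IAM refreshes the last-used timestamp.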

Use a stored procedure

Instance-level storage access aliases are managed by a user with SYSADM authority. To update a storage access alias from a remote client, connect to the database and call the stored procedure:

CONNECT TO <DATABASE NAME>
CALL SYSIBMADM.STORAGE_ACCESS_ALIAS.UPDATE( '<alias name>', '<user name>', '<password>' )
CONNECT RESET

Use a command prompt

UPDATE STORAGE ACCESS ALIAS is a server-side command; it cannot be issued from a remote client. In containerized environments, run it from within the container where the Db2 server is running. Because the password is given on the command line, clear it from the shell history afterwards or run the command from a script file with restricted permissions.
UPDATE STORAGE ACCESS ALIAS <alias name> [USER <username>] PASSWORD <password>