quentindanjou 9 hours ago

Usually rotating a credential means that you invalidate the previous one. Never heard of rotating credentials that would only create new ones and keep the old ones active.

simlevesque 8 hours ago | parent [-]

But then every rotation would break production, wouldn't it?

cortesoft 7 hours ago | parent | next [-]

Rotations are usually two-phased. Add the new secret/credential to the endpoint; both new and old are active and valid. Release the new secret/credential to the clients of that endpoint, and wait until you don't see any requests using the old credential.

Then you remove the old credential from the endpoint.

kstrauser 8 hours ago | parent | prev [-]

Ideally, you can have a couple of working versions at any given time. For instance, an AWS IAM role can have 0 to 2 access keys configured at once. To rotate them, you deactivate all but one key, create a new key, and make that new key the new production value. Once everything's using that key, you can deactivate the old one.
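The two-phase rotation described in the two comments above (issue a second credential, let clients move over, retire the old one only once it has gone quiet, with a cap of two keys at a time), modelled as an added example that is not from the original thread or from any AWS tooling. The `CredentialStore` class, its method names, the `FakeClock`, and the simulated clients are all invented for illustration; a real endpoint would persist the store and read its clock from the system.

```python
"""Two-phase credential rotation, modelled end to end.

Everything here (CredentialStore, FakeClock, the simulated clients) is a
hypothetical construction for this example, not a real library's API.
"""
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional

MAX_ACTIVE = 2  # at most two keys valid at once, as in the IAM limit mentioned above


@dataclass
class Credential:
    key_id: str
    secret: str
    active: bool = True
    last_used: Optional[float] = None  # timestamp of the last successful use


class FakeClock:
    """Deterministic clock so the scenario below is reproducible offline."""

    def __init__(self) -> None:
        self.t = 0.0

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


class CredentialStore:
    """The endpoint's view: which key IDs it currently accepts."""

    def __init__(self, clock) -> None:
        self._clock = clock
        self._creds: Dict[str, Credential] = {}

    def issue(self) -> Credential:
        """Phase 1: add a new key while the old one stays valid."""
        active = [c for c in self._creds.values() if c.active]
        if len(active) >= MAX_ACTIVE:
            raise RuntimeError("deactivate an old key before issuing another")
        cred = Credential(key_id=secrets.token_hex(8), secret=secrets.token_urlsafe(32))
        self._creds[cred.key_id] = cred
        return cred

    def authenticate(self, key_id: str, presented: str) -> bool:
        cred = self._creds.get(key_id)
        if cred is None or not cred.active:
            return False
        # constant-time compare: a plain == would leak the secret via timing
        if not hmac.compare_digest(cred.secret.encode(), presented.encode()):
            return False
        cred.last_used = self._clock()  # this is the "still seeing requests" signal
        return True

    def retire_idle(self, keep: str, idle_seconds: float) -> List[str]:
        """Phase 2: deactivate every other key that has been unused for idle_seconds."""
        now = self._clock()
        retired = []
        for cred in self._creds.values():
            if cred.key_id == keep or not cred.active:
                continue
            if cred.last_used is None or now - cred.last_used >= idle_seconds:
                cred.active = False
                retired.append(cred.key_id)
        return retired

    def active_ids(self) -> List[str]:
        return sorted(c.key_id for c in self._creds.values() if c.active)


def simulate_rotation(idle_seconds: float = 3600.0) -> dict:
    """Run the rotation against constructed clients and return checkpoints."""
    clock = FakeClock()
    store = CredentialStore(clock)
    old = store.issue()
    new = store.issue()  # both old and new now accepted
    r = {"old_id": old.key_id, "new_id": new.key_id}

    r["both_valid"] = (store.authenticate(old.key_id, old.secret)
                       and store.authenticate(new.key_id, new.secret))
    r["wrong_secret_rejected"] = store.authenticate(new.key_id, "not-the-secret")
    try:
        store.issue()  # a third key must be refused while two are active
        r["third_issue_blocked"] = False
    except RuntimeError:
        r["third_issue_blocked"] = True

    # A straggler client is still on the old key: retirement must wait.
    clock.advance(600)
    store.authenticate(old.key_id, old.secret)
    r["retired_too_early"] = store.retire_idle(keep=new.key_id, idle_seconds=idle_seconds)

    # Everyone has moved over; the old key has been quiet for the full window.
    clock.advance(idle_seconds)
    store.authenticate(new.key_id, new.secret)
    r["retired"] = store.retire_idle(keep=new.key_id, idle_seconds=idle_seconds)
    r["old_rejected"] = store.authenticate(old.key_id, old.secret)
    r["new_accepted"] = store.authenticate(new.key_id, new.secret)
    r["active"] = store.active_ids()
    return r


if __name__ == "__main__":
    for k, v in simulate_rotation().items():
        print(f"{k}: {v}")
```

The `last_used` timestamp is the whole trick: retirement is driven by observed use of the old credential, not by a fixed schedule, so a client that has not yet picked up the new secret keeps working until it has actually gone silent for the grace window.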