Add docs for scheduled root rotation feature for the AWS and DB engines (#29755)

website/content/api-docs/auth/aws.mdx

@@ -91,6 +91,8 @@ capabilities, the credentials are fetched automatically.
   an IAM based login call. In any case, a default list of headers AWS STS
   expects for a GetCallerIdentity are allowed.
 
+@include 'rotationfields.mdx'
+
 ### Sample payload
 
 ```json

website/content/api-docs/secret/aws.mdx

@@ -103,6 +103,8 @@ valid AWS credentials with proper permissions.
   {{ end }}
   ```
 
+@include 'rotationfields.mdx'
+
 ### Sample payload
 
 ```json

website/content/api-docs/secret/databases/index.mdx

@@ -61,6 +61,8 @@ list of additional parameters.
   overridden at the role-level by the static role's [skip_import_rotation](#skip_import_rotation)
   field. The default is false.
 
+@include 'rotationfields.mdx'
+
 ~> We highly recommended that you use a Vault-specific user rather than the admin user
 in your database when configuring the plugin. This user will be used to
 create/update/delete users within the database so it will need to have the appropriate

website/content/docs/auth/aws.mdx

@@ -351,6 +351,49 @@ are needed.
   [Rotate Root Credentials](/vault/api-docs/auth/aws#rotate-root-credentials)
   API call.
 
+### Schedule-based root credential rotation
+
+@include 'alerts/enterprise-only.mdx'
+
+Use the [`rotation_schedule`](/vault/api-docs/auth/aws#rotation_schedule) field
+to configure schedule-based, automatic credential rotation for root credentials in
+the AWS auth engine. For example, the following command set the rotation to
+occur every Saturday at midnight (00:00):
+
+```shell-session
+$ vault write auth/aws/config/client \
+  ...
+  rotation_schedule="0 * * * SAT"
+  ...
+```
+
+Scheduled root credential rotation can also set a
+[rotation_window](/vault/api-docs/auth/aws#rotation_window) during which the
+scheduled rotation is allowed to occur. Vault will stop trying to rotate the
+credential once the window expires. For example, the following command tells
+Vault to rotate the credential on Saturday at midnight, but only within the span
+of an hour. If Vault cannot rotate the credential by 1:00, due to a failure
+or otherwise, Vault will stop trying to rotate the credential until the next
+scheduled rotation.
+
+```shell-session
+$ vault write auth/aws/config/client \
+  ...
+  rotation_window="1h" \
+  rotation_schedule="0 * * * SAT"
+...
+```
+
+You can temporarily disable root rotation by setting
+[`disable_automated_rotation`](/vault/api-docs/auth/aws#disable_automated_rotation)
+to `true`. Setting the `disable_automated_rotation` field prevent any rotation
+of the root credential until the field is reset to `false`. If you use
+`rotation_period`, setting `disable_automated_rotation` also resets the credential
+TTL.
+
+For more details on rotating root credentials in the AWS Auth engine, refer to the
+[Rotate Root credentials](/vault/api-docs/auth/aws#rotate-root-credentials) API docs.
+
 ## Plugin Workload Identity Federation (WIF)
 
 <EnterpriseAlert product="vault" />

website/content/docs/secrets/aws.mdx

@@ -290,6 +290,49 @@ the proper permission, it can generate credentials.
 
     </Note>
 
+### Schedule-based root credential rotation
+
+@include 'alerts/enterprise-only.mdx'
+
+Use the [`rotation_schedule`](/vault/api-docs/secret/aws#rotation_schedule) field
+to configure schedule-based, automatic credential rotation for root credentials in
+the AWS secrets engine. For example, the following command set the rotation to
+occur every Saturday at midnight (00:00):
+
+```shell-session
+$ vault write aws/config/root \
+  ...
+  rotation_schedule="0 * * * SAT"
+  ...
+```
+
+Scheduled root credential rotation can also set a
+[rotation_window](/vault/api-docs/secret/aws#rotation_window) during which the
+scheduled rotation is allowed to occur. Vault will stop trying to rotate the
+credential once the window expires. For example, the following command tells
+Vault to rotate the credential on Saturday at midnight, but only within the span
+of an hour. If Vault cannot rotate the credential by 1:00, due to a failure
+or otherwise, Vault will stop trying to rotate the credential until the next
+scheduled rotation.
+
+```shell-session
+$ vault write aws/config/root \
+  ...
+  rotation_window="1h" \
+  rotation_schedule="0 * * * SAT"
+...
+```
+
+You can temporarily disable root rotation by setting
+[`disable_automated_rotation`](/vault/api-docs/secret/aws#disable_automated_rotation)
+to `true`. Setting the `disable_automated_rotation` field prevent any rotation
+of the root credential until the field is reset to `false`. If you use
+`rotation_period`, setting `disable_automated_rotation` also resets the credential
+TTL.
+
+For more details on rotating root credentials in the AWS Secrets engine, refer to the
+[Root credential rotation](/vault/api-docs/secret/aws#rotate-root-iam-credentials) API docs.
+
 ## IAM permissions policy for Vault
 
 The `aws/config/root` credentials need permission to manage dynamic IAM users.

website/content/docs/secrets/databases/index.mdx

@@ -61,6 +61,51 @@ API endpoint.
 
 </Warning>
 
+### Schedule-based root credential rotation
+
+@include 'alerts/enterprise-only.mdx'
+
+Use the [`rotation_schedule`](/vault/api-docs/secret/databases#rotation_schedule) field
+to configure schedule-based, automatic credential rotation for root credentials in
+the DB Secrets engine. For example, the following command set the rotation to
+occur every Saturday at midnight (00:00):
+
+```shell-session
+$ vault write database/config/my-mssql-database \
+  ...
+  rotation_schedule="0 * * * SAT"
+  ...
+```
+
+Scheduled root credential rotation can also set a
+[rotation_window](/vault/api-docs/secret/databases#rotation_window) during which the
+scheduled rotation is allowed to occur. Vault will stop trying to rotate the
+credential once the window expires. For example, the following command tells
+Vault to rotate the credential on Saturday at midnight, but only within the span
+of an hour. If Vault cannot rotate the credential by 1:00, due to a failure
+or otherwise, Vault will stop trying to rotate the credential until the next
+scheduled rotation.
+
+```shell-session
+$ vault write database/config/my-mssql-database \
+  ...
+  rotation_window="1h" \
+  rotation_schedule="0 * * * SAT"
+...
+```
+
+You can temporarily disable root rotation by setting
+[`disable_automated_rotation`](/vault/api-docs/secret/databases#disable_automated_rotation)
+to `true`. Setting the `disable_automated_rotation` field prevent any rotation
+of the root credential until the field is reset to `false`. If you use
+`rotation_period`, setting `disable_automated_rotation` also resets the credential
+TTL.
+
+For more details on rotating root credentials in the DB Secrets engine, refer to the
+[Rotate Root credentials](/vault/api-docs/secret/databases#rotate-root-credentials) API docs.
+
+
+
 ## Setup
 
 Most secrets engines must be configured in advance before they can perform their

website/content/partials/rotationfields.mdx

@@ -1,7 +1,7 @@
-- `rotation_period` `(integer: 0)` – <EnterpriseAlert product="vault" inline />
+- `rotation_period` `(string/integer: 0)` – <EnterpriseAlert product="vault" inline />
   The amount of time, in seconds,
   Vault should wait before rotating the root credential. A zero value tells Vault
-  not to rotate the token. The minimum rotation period is 5 seconds. **You must
+  not to rotate the root credential. The minimum rotation period is 10 seconds. **You must
   set one of `rotation_period` or `rotation_schedule`, but cannot set both**.
 - `rotation_schedule` `(string: "")` – <EnterpriseAlert product="vault" inline />
   The schedule, in [cron-style time format](https://en.wikipedia.org/wiki/Cron),
@@ -10,7 +10,7 @@
   month, month, and day of week respectively. For example, `0 0 * * SAT` tells
   Vault to rotate the root token every Saturday at 00:00. **You must set one of
   `rotation_schedule` or `rotation_period`, but cannot set both**.
-- `rotation_window` `(integer: 0)` – <EnterpriseAlert product="vault" inline />
+- `rotation_window` `(string/integer: 0)` – <EnterpriseAlert product="vault" inline />
   The maximum amount of time, in seconds, allowed to complete
   a rotation when a scheduled token rotation occurs. If Vault cannot rotate the
   token within the window (for example, due to a failure), Vault must wait to