How to request pull-secret rotation

Solution Verified - Updated

Environment

Issue

  • The current pull-secret is not working.
  • The user needs a new pull-secret for security reasons.

Resolution

Important notes:

  • If you received a Red Hat communication about updating your pull-secret, skip to step 6.
  • The pull-secret is not updated immediately! Requests are queued and processed in batches four times each day. Active clusters owned by the requester should delay pull-secret rotation.
  • Each user can request rotation of their own pull-secret only.
  • After the pull-secret is rotated, the pull-secret configured in OCP clusters must be updated; see the article How to change the global pull secret in OCP 4.

Procedure

  1. Obtain the ocm CLI tool and a login token from OpenShift Cluster Manager API Token.

  2. Log in with the command from the web page:

    $ ocm login --token="eyJhbGci..."
    
  3. Get the user's ID:

    $ ocm whoami
    

    Use the value of the "id" key from the output. The id looks like 1gsHGmeuLvMVzpgJsct5oRBz8Gp.

  4. Request pull-secret rotation:

    $ echo '{}' | ocm post /api/accounts_mgmt/v1/accounts/{id}/pull_secret_rotation 
    

    (replace {id} with the value of the "id" key from the ocm whoami output)
    A valid response looks like:

    {
      "account_id": "1gs...8Gp",
      "created_at": "2023-01-05T12:19:41.614369Z",
      "href": "/api/accounts_mgmt/v1/accounts/1gs...8Gp/pull_secret_rotation/2Ju...5FB",
      "id": "2Ju...5FB",
      "kind": "PullSecretRotation",
      "status": "pending",
      "updated_at": "2023-01-05T12:19:41.614369Z"
    }
    
  5. Verify the status of the request:

    $ ocm get /api/accounts_mgmt/v1/accounts/{id}/pull_secret_rotation
    

    The response for a pending request looks like:

    {
      "items": [
        {
          "account_id": "1gs...8Gp",
          "created_at": "2023-01-05T12:19:41.614369Z",
          "href": "/api/accounts_mgmt/v1/accounts/1gs...8Gp/pull_secret_rotation/2Ju...5FB",
          "id": "2Ju...5FB",
          "kind": "PullSecretRotation",
          "status": "pending",
          "updated_at": "2023-01-05T12:19:41.614369Z"
        }
      ],
      "kind": "PullSecretRotationList",
      "page": 1,
      "size": 1,
      "total": 1
    }
    
  6. After some time, the new pull-secret will be available on Pull Secret.
    To obtain the new pull-secret via the CLI, follow the instructions in the article How to download the pull secret from cloud.redhat.com/openshift/install/pull-secret using a REST API call?.

  7. Check that the new pull-secret is valid and works properly:

    $ podman pull --authfile <new-pull-secret-path> registry.redhat.io/ubi8/ubi:latest
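
Because requests are queued, the status check in step 5 usually has to be repeated. The following Python helper is an added example, not part of the original article or of the ocm tool: it validates the account id before placing it in the API path from steps 4 and 5, then polls `ocm get` until the newest request is no longer "pending". The function names, the 30-minute interval and treating any status other than "pending" as finished are assumptions; the article shows only the "pending" status.

```python
import json
import re
import subprocess
import sys
import time
from datetime import datetime

# Assumption: account ids are purely alphanumeric, like the article's sample
# 1gsHGmeuLvMVzpgJsct5oRBz8Gp; anything else never reaches the API path.
ACCOUNT_ID_RE = re.compile(r"[0-9A-Za-z]+")

def rotation_path(account_id):
    """Build the endpoint path used in steps 4 and 5."""
    if not ACCOUNT_ID_RE.fullmatch(account_id):
        raise ValueError(f"unexpected account id: {account_id!r}")
    return f"/api/accounts_mgmt/v1/accounts/{account_id}/pull_secret_rotation"

def ocm_get(path):
    """Run `ocm get <path>` (step 5) and return the parsed JSON."""
    out = subprocess.run(["ocm", "get", path], check=True,
                         capture_output=True, text=True).stdout
    return json.loads(out)

def created_key(req):
    # Sort key for "2023-01-05T12:19:41.614369Z"; the fraction may be absent.
    base, _, frac = req["created_at"].rstrip("Z").partition(".")
    return (datetime.strptime(base, "%Y-%m-%dT%H:%M:%S"), frac.ljust(9, "0"))

def latest_rotation(listing):
    """Return the newest request in a PullSecretRotationList, or None."""
    if listing.get("kind") != "PullSecretRotationList":
        raise ValueError(f"unexpected kind: {listing.get('kind')!r}")
    return max(listing.get("items", []), key=created_key, default=None)

def wait_for_rotation(account_id, fetch=ocm_get, sleep=time.sleep,
                      interval=1800, max_polls=48):
    """Poll until the newest request leaves "pending"; None on timeout."""
    path = rotation_path(account_id)
    for _ in range(max_polls):
        req = latest_rotation(fetch(path))
        if req is None:
            raise LookupError("no rotation request found; run step 4 first")
        if req["status"] != "pending":
            return req
        sleep(interval)
    return None

if __name__ == "__main__":
    print(wait_for_rotation(sys.argv[1]))
```

Run it with the "id" value from step 3 as the only argument, after logging in with ocm.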
    
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.