> ## Documentation Index
> Fetch the complete documentation index at: https://docs.maia.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Refresh Maia runner credentials

export const Runners = () => <>the <strong>Runners & Instances</strong> icon <span style={{
  whiteSpace: "nowrap"
}}><img src="/images/global-nav/runners-instances.png" width="20" height="20" style={{
  verticalAlign: "text-bottom",
  display: "inline",
  margin: "0 1px"
}} /></span></>;

export const m_runner = "Maia runner";

export const maia = "Maia";

export const RunnerMetadata = ({runnerType, platforms = []}) => {
  return <div style={{
    background: 'var(--colors-background-light, #f9fafb)',
    border: '1px solid var(--colors-border-default, #e5e7eb)',
    borderRadius: '12px',
    padding: '20px 28px',
    marginBottom: '28px'
  }}>
      <table style={{
    width: '100%',
    borderCollapse: 'collapse'
  }}>
        <tbody>
          <tr>
            <td style={{
    fontWeight: '600',
    paddingRight: '32px',
    paddingBottom: '14px',
    whiteSpace: 'nowrap',
    verticalAlign: 'middle',
    width: '180px'
  }}>Runner type</td>
            <td style={{
    paddingBottom: '14px',
    verticalAlign: 'middle'
  }}>{runnerType}</td>
          </tr>
          <tr>
            <td style={{
    fontWeight: '600',
    paddingRight: '32px',
    whiteSpace: 'nowrap',
    verticalAlign: 'middle'
  }}>Runner platform</td>
            <td style={{
    verticalAlign: 'middle'
  }}>
              <div style={{
    display: 'flex',
    flexWrap: 'wrap',
    gap: '8px'
  }}>
                {platforms.map((platform, i) => <span key={i} style={{
    background: '#dcfce7',
    color: '#15803d',
    border: '1px solid #bbf7d0',
    borderRadius: '9999px',
    padding: '3px 12px',
    fontSize: '0.85rem',
    fontWeight: '500',
    whiteSpace: 'nowrap'
  }}>
                    {platform} ✅
                  </span>)}
              </div>
            </td>
          </tr>
        </tbody>
      </table>
    </div>;
};

<RunnerMetadata runnerType={`${maia} Hybrid`} platforms={["AWS", "Azure", "Google Cloud", "Snowflake"]} />

Refreshing a {m_runner}'s credentials lets you generate a new **client\_secret** for the {m_runner} in {maia}, to authenticate with the {m_runner} application in your infrastructure. You may wish to do this if, for example, your security policy requires that you change secrets on a regular basis.

<Warning>
  This action will revoke existing credentials and result in disconnecting a running {m_runner}. You must replace your {m_runner} credentials and [restart](/docs/guides/restart-runner) the {m_runner} to reconnect. Ensure you have no pipelines running on the {m_runner} when you use this feature.
</Warning>

***

## How to refresh Maia runner credentials

1. In the left navigation, click <Runners />. Then, select **Runners** from the menu.
2. Locate your {m_runner}, and click the three dots **...**, then click **Runner details**.
3. Click the **Credentials** tab.
4. Click **Refresh**.
5. When asked for confirmation, type the word `refresh` and click **Refresh credentials**.
6. When you receive a notification that the credentials are refreshed, you can click **Reveal** to show the new secret that has been generated.

Apply the new credentials to the {m_runner} in your cloud infrastructure using the relevant guide below: [AWS](#apply-the-new-credentials-aws), [Azure](#apply-the-new-credentials-azure), [Google Cloud](#apply-the-new-credentials-google-cloud), or [Snowflake](#apply-the-new-credentials-snowflake). Until this is done, the {m_runner} status will show as **Unknown** in the **Runners** list, and the {m_runner} can't be used to run pipelines.

***

## Apply the new credentials (AWS)

Once you have refreshed credentials on the **Runner details** page, follow this process to update your AWS-hosted {m_runner} to use the new credentials.

The **client\_secret** used by the {m_runner} is held in your AWS Secrets Manager. The {m_runner} app contains a pointer to this secret, which will not change. To update the secret:

1. Log in to the [AWS Console](https://aws.amazon.com/console/) and locate the ECS service running your {m_runner}. Note the name assigned to the {m_runner}.
2. In Secrets Manager, locate and select the secret that corresponds to the {m_runner} name you noted.
3. Click **Retrieve secret value** to display the existing value, then click **Edit**.
4. Copy in the refreshed **client\_secret** value you obtained from {maia}. Don't change the secret name.
5. Click **Save**.

Now restart the {m_runner}, as described in [Restart a {m_runner}](/docs/guides/restart-runner#restart-an-aws-ecs-fargate-maia-runner).

***

## Apply the new credentials (Azure)

Once you have refreshed credentials on the **Runner details** page, follow this process to update your Azure-hosted {m_runner} to use the new credentials.

1. In the [Azure portal](https://portal.azure.com/#home), select the Container App that holds your {m_runner}.
2. In the Container App's sidebar menu, select **Application** then **containers**.
3. Click the **Environment variables** tab.
4. The **OAUTH\_CLIENT\_SECRET** variable tells you the name of the secret that holds the **client\_secret**.
5. In the Container App's sidebar menu, click **Settings** → **Secrets** and locate the secret name you determined above.
6. Click the edit (pencil) icon next to the secret to edit its value.
7. Copy the refreshed **client\_secret** you obtained from {maia} and paste it into the **Value** field.
8. Click the checkbox at the bottom to acknowledge that you want to proceed with the change.
9. Click **Save**.

Now restart the {m_runner}, as described in [Restart a {m_runner}](/docs/guides/restart-runner#using-the-azure-portal).

***

## Apply the new credentials (Google Cloud)

Once you have refreshed credentials on the **Runner details** page, follow this process to update your GKE-hosted {m_runner} to use the new credentials.

The **client\_secret** is passed to the {m_runner} via your Helm values file (`values-gcp.yaml`). To update it:

1. Open your `values-gcp.yaml` file.
2. Replace the value of `config.oauthClientSecret` with the refreshed **client\_secret** you obtained from {maia}.
3. Run `helm upgrade` to apply the change:

```bash theme={null}
helm upgrade <RELEASE_NAME> . \
  --namespace <NAMESPACE> \
  -f values-gcp.yaml
```

Replace `<RELEASE_NAME>` and `<NAMESPACE>` with the values used during your original deployment (both default to `matillion-agent`).

The Helm upgrade performs a rolling restart of the {m_runner} pods, which will pick up the new credentials automatically.

***

## Apply the new credentials (Snowflake)

Once you have refreshed credentials on the **Runner details** screen, you need to update the secret entry in the Snowflake vault. The **client\_secret** used by the {m_runner} is held in your Snowflake vault. Read [Secrets in Matillion {m_runner} for Snowflake](/docs/guides/snowflake-runner-secrets) for details.