diff --git a/content/vault/v1.21.x (rc)/content/api-docs/secret/databases/index.mdx b/content/vault/v1.21.x (rc)/content/api-docs/secret/databases/index.mdx
index 83814b81c5..954173b3d0 100644
--- a/content/vault/v1.21.x (rc)/content/api-docs/secret/databases/index.mdx
+++ b/content/vault/v1.21.x (rc)/content/api-docs/secret/databases/index.mdx
@@ -551,7 +551,7 @@ this in order to know the password.
- `self_managed_password` `(string)` –
The password corresponding to the username in the database. Required when using
the Rootless Password Rotation workflow for static roles. Only enabled for select
- DB engines (Postgres). This parameter is deprecated in favor of `password`.
+ DB engines (Postgres, Oracle). The `self_managed_password` parameter is deprecated in favor of `password`.
- `db_name` `(string: )` - The name of the database connection to use
for this role.
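Review bot: The `self_managed_password` description still opens with "Required when using the Rootless Password Rotation workflow for static roles", while the changed sentence deprecates the parameter in favor of `password`, so a reader cannot tell which of the two to set. Suggest rewording the entry to say that `self_managed_password` is kept for backward compatibility and that new static roles should set `password`. Please also check that the `password` entry lists the same engines (Postgres, Oracle), so the two descriptions do not drift.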
diff --git a/content/vault/v1.21.x (rc)/content/docs/secrets/databases/oracle.mdx b/content/vault/v1.21.x (rc)/content/docs/secrets/databases/oracle.mdx
index e6d82cdb8c..432af58201 100644
--- a/content/vault/v1.21.x (rc)/content/docs/secrets/databases/oracle.mdx
+++ b/content/vault/v1.21.x (rc)/content/docs/secrets/databases/oracle.mdx
@@ -156,6 +156,76 @@ you will need to enable ipc_lock capabilities for the plugin binary.
See the [Commands](/vault/docs/commands#files) docs for more details.
+### Rootless configuration and password rotation for static roles
+
+@include 'alerts/enterprise-only.mdx'
+
+The Oracle database plugin supports static roles (including password rotation)
+with a rootless DB connection configuration.
+
+With a rootless configuration you can onboard static DB users and use static
+role rotation through Vault without requiring privileged root accounts for
+connection configuration. Instead of using a single root connection, each static
+role has multiple dedicated connections to the database. We highly recommend
+onboarding database users as static roles with the minimum set of privileges
+possible. Each static role opens a new connection into the database and granting
+minimum privileges helps Vault avoid creating multiple, highly-privileged
+connections to an external system.
+
+With rootless connections, Vault can become out of sync with the database user
+if out-of-band password rotations occur. To resolve the associated rotation
+errors, you need to manually update the password in your external Oracle
+database.
+
+Vault does not support dynamic roles/credentials with rootless DB connections.
+
+## Setup
+
+1. Enable the database secrets engine if it is not already enabled:
+
+ ```shell-session
+ $ vault secrets enable database
+ Success! Enabled the database secrets engine at: database/
+ ```
+
+ By default, the secrets engine will enable at the name of the engine. To
+ enable the secrets engine at a different path, use the `-path` argument.
+
+1. Configure a connection to your database without root credentials and enable
+ the rootless workflow using the `self_managed` parameter. For example:
+
+ ```shell-session
+ $ vault write database/config/my-oracle-database \
+ plugin_name="oracle-database-plugin" \
+ allowed_roles="my-role" \
+ connection_url="{{username}}/{{password}}@//localhost:1521/database-name" \
+ self_managed=true
+ ```
+
+1. Configure a static role that creates a dedicated connection to a user in
+ the Oracle database with the `password` parameter. For example:
+
+ ```shell-session
+ $ vault write database/static-roles/my-role \
+ db_name="my-oracle-database" \
+ username="staticuser" \
+ password="password" \
+ rotation_period="1h"
+ ```
+
+1. Verify the new static credentials with `vault read`. For example:
+
+ ```shell-session
+ $ vault read database/static-creds/my-role
+ Key Value
+ --- -----
+ last_vault_rotation 2024-09-11T14:15:13.764783-07:00
+ password XZY42BVc-UO5bMsbgxrW
+ rotation_period 1h
+ ttl 59m55s
+ username staticuser
+ ```
+
### Connect using SSL
If the Oracle server Vault is trying to connect to uses an SSL listener, the database
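Review bot: `## Setup` sits one level above the new `### Rootless configuration and password rotation for static roles` heading it belongs to, so the existing `### Connect using SSL` section ends up nested under Setup in the page outline. Make it `#### Setup`, or fold the steps into the section without a heading. The overview also says each static role "has multiple dedicated connections" and then that each static role "opens a new connection"; pick one wording. In the setup steps, the `connection_url` keeps the `{{username}}/{{password}}` template while the config call passes neither value. A sentence stating where those fields come from under `self_managed=true` would help, since the role example supplies `username` and `password` itself.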