Secrets Rotation and Lifecycle Management
Secrets Rotation and Lifecycle Management
Regular secrets rotation limits the impact of compromised credentials. Automated rotation eliminates the manual effort and risk of human error in updating secrets. However, rotation must be coordinated to avoid breaking running applications.
# Automated secrets rotation coordinator
class SecretsRotationCoordinator:
def __init__(self, vault_client, notification_client):
self.vault = vault_client
self.notifier = notification_client
self.rotation_schedule = {}
def schedule_rotation(self, secret_path: str, rotation_days: int):
"""Schedule automatic rotation for a secret"""
self.rotation_schedule[secret_path] = {
'interval_days': rotation_days,
'last_rotated': self._get_last_rotation_time(secret_path),
'rotation_handler': self._get_rotation_handler(secret_path)
}
def check_and_rotate(self):
"""Check all secrets and rotate if needed"""
for secret_path, config in self.rotation_schedule.items():
if self._needs_rotation(config):
try:
self._perform_rotation(secret_path, config)
except Exception as e:
self.notifier.alert(
f"Failed to rotate {secret_path}: {e}",
severity='high'
)
def _perform_rotation(self, secret_path: str, config: dict):
"""Perform coordinated secret rotation"""
# Generate new secret
new_secret = config['rotation_handler'].generate_new()
# Create new version in Vault
self.vault.create_secret_version(secret_path, new_secret)
# Update external systems (phased rollout)
affected_services = self._get_affected_services(secret_path)
# Phase 1: Update canary instances
canary_services = [s for s in affected_services if s.is_canary]
for service in canary_services:
service.update_secret(new_secret)
time.sleep(60) # Monitor for issues
# Phase 2: Update remaining instances
for service in affected_services:
if not service.is_canary:
service.update_secret(new_secret)
# Phase 3: Deactivate old version
time.sleep(300) # Grace period
self.vault.deactivate_old_version(secret_path)
# Log rotation
self._log_rotation(secret_path)