Secrets Rotation Automation: Building a Pipeline That Actually Rotates

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
Most organizations treat secrets rotation as an annual compliance exercise that produces a spreadsheet, three Jira tickets, and a quiet skip when production is busy. The result is multi-year-old database passwords, API keys whose original owners left the company, and signing keys nobody is willing to touch because nobody knows everywhere they are consumed. The risk is not theoretical: stolen credentials are involved in roughly 60% of breach root causes, and the dwell time between compromise and detection averages well over a hundred days. A secret that rotates every 90 days bounds the blast radius of a quiet compromise to a quarter; a secret that has not rotated in five years is a key to the kingdom.
The reason rotation fails in practice is rarely the rotation itself. It is the propagation. Generating a new database password is one API call. Updating that password in the seven services that connect to the database, the four CI/CD pipelines that run migrations, the two batch jobs that read overnight, and the one monitoring agent everyone forgot exists, that is the part that breaks. Automation has to solve the propagation problem, not just the generation problem. This guide walks through the architectural components, the mechanics of dual-credential rotation, runtime injection patterns, per-class rotation policies, and how to test rotation without taking down production.
Architecture Components of a Rotation Pipeline
A working secrets rotation pipeline has four components and you need all of them. First, a secrets store that is the canonical source of truth: HashiCorp Vault, AWS Secrets Manager, Azure Key Vault, GCP Secret Manager, or CyberArk Conjur. The store enforces access control, versioning, and audit logging. Without a canonical store, secrets sprawl into config files, environment variables in CI, and chat messages, and rotation becomes impossible because you do not know where the secret lives. Second, a rotation function: the code that generates a new credential, updates the target system (database, IAM user, SaaS API), and writes the new value back to the store. AWS Secrets Manager calls these rotation Lambda functions; Vault calls them database secret engines or rotate-root endpoints; you can also build them yourself as scheduled jobs. Third, a versioning and sync mechanism that exposes new credential versions to consumers without requiring them to be restarted simultaneously, which is what makes zero-downtime rotation possible. Fourth, audit logging that records who accessed which secret version and when, both for compliance and for incident response when you need to know which version was active at the time of a suspected leak. Skipping any one of these turns rotation into a manual process with automation wrapper, which is the worst of both worlds.
Database Credentials: Dynamic Secrets vs Dual-Credential Rotation
Database credentials are the canonical secrets rotation problem because they are high-value, widely consumed, and break things loudly when mishandled. Two patterns dominate. Dynamic secrets, pioneered by Vault, generate a fresh database user with a short TTL (typically 1 hour to 24 hours) on every request. The application asks Vault for credentials, gets a unique user and password, uses it for the duration of the TTL, and Vault revokes the user when the TTL expires. There is nothing to rotate because nothing is long-lived. The constraint is that the application must be Vault-aware and able to refresh credentials before expiry; legacy applications with hardcoded connection strings cannot use this pattern. The dual-credential window pattern handles legacy applications and shared credentials. The database has two users, alpha and beta. At any given time, all applications use alpha. To rotate: generate a new password for beta, update the secrets store, wait for the propagation window (typically 5 to 30 minutes depending on consumer refresh interval), verify all consumers have picked up beta credentials and are connecting successfully, then disable alpha. On the next rotation, beta is the old credential and alpha is regenerated. This gives you zero-downtime rotation for legacy stacks. AWS Secrets Manager's built-in RDS rotation Lambda implements exactly this pattern with the AWSCURRENT and AWSPENDING staging labels.
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
API Keys, Service Tokens, and the External Service Problem
Database rotation is tractable because you control the database. API keys for external services (Stripe, Twilio, SendGrid, payment gateways, third-party data providers) are harder because the rotation interface, if one exists, is bespoke per vendor, and many vendors offer no programmatic key rotation at all. The pragmatic approach is to build a per-service rotation runbook stored alongside the secret in your secrets manager, and to track external secrets in a separate inventory with explicit rotation owners. For services with rotation APIs (AWS IAM access keys via CreateAccessKey/DeleteAccessKey, GitHub personal access tokens via the REST API, Stripe restricted keys, Datadog API keys), automate the rotation the same way you do database credentials, with a dual-credential window. For services without rotation APIs, document the manual procedure, schedule a quarterly review, and accept that rotation requires human action; track the last rotation date as a metric and alert when it exceeds policy. Service-to-service tokens (OAuth client secrets, mutual TLS certificates, JWT signing keys) should be rotated more aggressively (30 to 90 days) because they typically have broad scopes and are widely cached. For internal service tokens, prefer short-lived workload identities (SPIFFE/SPIRE, cloud workload identity federation, Kubernetes service account tokens with audience restrictions) over long-lived bearer tokens; this turns the rotation problem into an identity problem, which is easier to solve.
Runtime Injection: Keep Secrets Out of Images and Git
Secrets that are baked into container images, committed to Git, or stored in CI environment variable settings are not really secrets, they are public knowledge with extra steps. Every image layer is cached, every Git commit is replicated, every CI run log is searchable. The rule is simple: secrets enter the running process at runtime, from the secrets store, never sooner. Implementation patterns: Vault Agent runs as a sidecar or init container, authenticates the workload identity to Vault, fetches secrets, and writes them to a tmpfs volume or templates them into config files; the application reads from the file at startup and Vault Agent rewrites the file when secrets rotate. AWS Parameter Store and Secrets Manager integrate with ECS task definitions and EKS via the Secrets Store CSI Driver; the secret is materialized at task or pod start. Kubernetes External Secrets Operator (ESO) syncs from an external store into native Kubernetes Secret objects, which is convenient but means the secret lives in etcd; encrypt etcd at rest and tightly control RBAC on Secret resources, or use the CSI driver pattern that bypasses Secret objects entirely. For CI/CD, use OIDC federation: GitHub Actions, GitLab CI, and CircleCI all support exchanging a workload identity token for short-lived cloud credentials, which eliminates static cloud access keys in CI variables. The end state is that grep -r 'password' across your repos and images returns nothing meaningful.
Rotation Policy by Secret Class and Canary Testing
One-size-fits-all rotation policy is wrong because the cost and risk of rotation varies dramatically by secret class. A working policy: database passwords on a 90-day rotation, service-to-service bearer tokens on 30 days, externally-issued long-lived API keys on 180 days with mandatory access review at each rotation, code signing keys and root CA keys on annual rotation with a planned overlap period so old signatures remain verifiable, encryption keys for data at rest on annual rotation with re-encryption on read or a key derivation hierarchy that avoids re-encrypting everything. Workload identities and short-lived tokens (TTL under 24 hours) do not need a rotation policy because they rotate on every use. Before rolling rotation out to production, do canary rotation. Pick one non-critical workload that uses the secret, rotate just that workload's credentials, monitor for connection failures, latency anomalies, and error rate spikes for 24 hours, then proceed. For shared credentials with wide blast radius, do a blast radius analysis first: query the audit log of your secrets store for every principal that has read the secret in the last 90 days, validate each consumer can handle rotation, and only then schedule. The goal is to make rotation routine and uneventful, not heroic. Heroic rotation events are how rotation policy dies the next year.
The bottom line
Secrets rotation fails because the rotation itself is one small piece of a much larger propagation problem. Solve propagation first with a canonical store, runtime injection, and dual-credential windows, and rotation becomes a config change rather than a war room.
The metric to watch is not whether rotation policy exists; it is the age distribution of secrets in your store. Build a dashboard that surfaces every secret older than its policy maximum, route it to the owning team, and let leadership see the curve flatten over a quarter. That is how the program becomes durable.
Frequently asked questions
Should I use Vault dynamic secrets or dual-credential rotation?
Dynamic secrets are superior when your application can refresh credentials before TTL expiry and you control the codebase. For legacy applications with hardcoded connection strings, third-party software, and shared databases, dual-credential rotation is more practical and works with any consumer.
How do I rotate a secret without taking down production?
Use the dual-credential window pattern: provision a new credential alongside the old, propagate to consumers via your secrets store, verify all consumers are using the new credential, then disable the old. AWS Secrets Manager's AWSCURRENT/AWSPENDING staging labels implement this natively.
Is it safe to store secrets in Kubernetes Secret objects?
Only if etcd is encrypted at rest, RBAC strictly limits which service accounts can read Secret resources in each namespace, and you log access via audit policy. For higher-assurance environments, prefer the Secrets Store CSI Driver pattern that materializes secrets directly into pod volumes without creating Secret objects.
How often should I rotate API keys for external SaaS services?
180 days is a reasonable default for long-lived externally-issued keys, paired with an access review at each rotation. Service-to-service tokens you control should rotate every 30 to 90 days. Workload identities with TTLs under 24 hours do not need scheduled rotation because they rotate on every use.
What is the most common cause of rotation breaking production?
Consumers that cache the credential at startup and never refresh, combined with rotation that immediately disables the old credential. The fix is a dual-credential window that gives consumers a propagation period, plus automated verification that all consumers have picked up the new credential before disabling the old.
Sources & references
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
