Overview
Public Beta available!
Automated secret rotation is now available in Public beta! You can try it out for free in our Standard Tier.
Static, long-lived secrets pose a significant security risk. Organizations want to rotate their secrets frequently, but the complexity and coordination involved make it a challenge to do so on a regular basis.
- Coordination: Teams must coordinate each secret rotation so that the team(s) responsible for an application can redeploy or update the application in time to fetch the new secret value.
- Downtime risk: The team responsible for each application must ensure there is no unplanned downtime when a secret is rotated.
Auto-rotating secrets address both of these problems by automating the rotation and keeping overlapping active versions of the secret.
Automated secret rotation overview
An HCP Vault Secrets auto-rotating secret is configured with an integration to a service provider, a rotation frequency policy that defines how often the secret is rotated, and the number of active versions of the secret to keep available.
Once a rotation integration with a third-party provider, such as a SaaS service or a database provider, is created, HCP Vault Secrets has privileged access to manage credentials for that provider.
When the rotation interval is reached, HCP Vault Secrets initiates the creation of a new credential set using the privileged provider credentials specified in the rotation integration. The previous credential set remains available until the next rotation interval, which guarantees that a credential is safe to use for at least the defined rotation interval.
Example workflow
Auto-rotating secrets are similar to existing HCP Vault Secrets static secrets, but use an integration with a service provider so that HCP Vault Secrets can create a new, overlapping credential set before the previous set is revoked.
When a new credential set is created, there is a grace period where each credential set is active simultaneously. This provides engineering teams time to test the new credential set before the previous set expires.
You create a new auto-rotating secret in HCP Vault Secrets with:
- Rotation frequency set to 30 days.
- Active versions set to 2.
A new secret (v1) is created on the third-party provider. There is a single version of the secret available for the third-party provider in the HCP Vault Secrets application. When a user or application reads the secret, this is the only version available.
On day 30, HCP Vault Secrets creates a new secret on the third-party provider. A new secret version (v2) is added as the latest active version of the secret in the HCP Vault Secrets application. The previous version (v1) is still active on the provider and can still be retrieved from HCP Vault Secrets.
On day 60, the process is repeated. The new secret version (v3) is now the latest active version. Because only two versions are kept active, the initial secret (v1) is revoked in HCP Vault Secrets and deleted from the third-party provider.
If required, you can manually rotate the secret before the next rotation interval. Use this with care: a manual rotation creates a new version immediately, so the oldest active version can be revoked earlier than the schedule would have revoked it.
A manual rotation also resets the rotation interval. For example, if the rotation interval is set to 30 days and you manually rotate the secret on day 15, the next automatic rotation occurs 30 days after the manual rotation, on day 45.
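The schedule described in the example workflow above, as a small simulation. This is an added illustration, not HashiCorp code and not the HCP Vault Secrets API: the class and method names, the integer day counter and the credential strings are all assumptions, and a dict stands in for the third-party provider. It reproduces the 30-day, two-active-version walkthrough and the manual-rotation caveat: a manual rotation on day 45 revokes v1 fifteen days earlier than the schedule would have and moves the next automatic rotation to day 75.

```python
"""Simulation of the auto-rotation policy described above (illustration only,
not HashiCorp code). Days are integers; `provider` is a dict standing in for
the third-party service, and the credential strings are constructed."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Version:
    number: int
    created_day: int
    revoked_day: Optional[int] = None  # None while the version is still active


@dataclass
class RotatingSecret:
    rotation_days: int       # rotation frequency policy
    active_versions: int     # how many versions stay active at once
    versions: list = field(default_factory=list)
    provider: dict = field(default_factory=dict)  # stand-in for the third-party provider
    next_rotation_day: int = 0

    def __post_init__(self) -> None:
        if self.rotation_days <= 0 or self.active_versions < 1:
            raise ValueError("rotation interval and active versions must be positive")
        self._rotate(day=0)  # creating the secret issues v1 right away

    def active(self) -> list:
        return [v for v in self.versions if v.revoked_day is None]

    def active_numbers(self) -> list:
        return [v.number for v in self.active()]

    def latest(self) -> Version:
        return self.active()[-1]

    def _rotate(self, day: int) -> Version:
        """Create a new credential set on the provider, add it as the latest
        version, then revoke the oldest versions beyond the active cap."""
        new = Version(number=len(self.versions) + 1, created_day=day)
        self.versions.append(new)
        self.provider[new.number] = f"credential-v{new.number}-issued-day-{day}"  # constructed
        for old in self.active():
            if len(self.active()) <= self.active_versions:
                break
            old.revoked_day = day          # revoked in HCP Vault Secrets ...
            del self.provider[old.number]  # ... and deleted on the provider
        self.next_rotation_day = day + self.rotation_days
        return new

    def advance_to(self, day: int) -> list:
        """Apply every scheduled rotation that falls due on or before `day`."""
        created = []
        while self.next_rotation_day <= day:
            created.append(self._rotate(self.next_rotation_day))
        return created

    def rotate_now(self, day: int) -> Version:
        """Manual rotation: a new version immediately, and the interval restarts
        from `day`, so the next scheduled rotation is day + rotation_days."""
        self.advance_to(day)
        return self._rotate(day)

    def read(self, day: int, number: Optional[int] = None) -> str:
        """What a consumer gets: the latest version by default, or a specific
        version as long as it is still active."""
        self.advance_to(day)
        v = self.latest() if number is None else self.versions[number - 1]
        if v.revoked_day is not None:
            raise LookupError(f"v{v.number} was revoked on day {v.revoked_day}")
        return self.provider[v.number]


def scheduled_lifetime_days(secret: RotatingSecret) -> int:
    """With only scheduled rotations, each version stays active this long."""
    return secret.active_versions * secret.rotation_days


if __name__ == "__main__":
    s = RotatingSecret(rotation_days=30, active_versions=2)
    for day in (0, 30, 60):
        s.advance_to(day)
        print(f"day {day:>2}: active versions {s.active_numbers()}")
    m = RotatingSecret(rotation_days=30, active_versions=2)
    m.advance_to(30)
    m.rotate_now(45)
    print(f"manual rotation on day 45: active {m.active_numbers()}, "
          f"v1 revoked on day {m.versions[0].revoked_day}, "
          f"next automatic rotation on day {m.next_rotation_day}")
```

The cap is enforced at rotation time, which is why a manual rotation is the only way a version disappears before its scheduled day: with two active versions, a version that has just become the latest is guaranteed one full interval as the latest and another as the overlapping previous version, giving the 60-day lifetime the walkthrough shows for v1.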
Limitations
- The vlt CLI does not support fetching rotating secrets. This is supported in the new HCP CLI, which can fetch rotating secrets.