Secret Rotation
Automatic and manual secret rotation via Vault Service (port 8090).
Rotation Worker Configuration
From apps/vault-service/src/config/env.ts:
| Setting | Environment Variable | Default |
|---|---|---|
| Enabled | ROTATION_WORKER_ENABLED | true |
| Poll interval | ROTATION_WORKER_POLL_INTERVAL_MS | 60000 (1 min) |
| Batch size | ROTATION_WORKER_BATCH_SIZE | 10 |
Rotation Triggers
Scheduled
Rotation is driven by each secret's rotationPolicy. The policy supports:
- intervalSeconds (optional; minimum 300): rotate on this cadence, measured from the last rotation
- expiresAt (unix seconds): rotate once this time has passed
The rotation worker picks up secrets whose policy has come due on each poll, up to the configured batch size.
On-demand
POST /vault/v1/secrets/{id}/rotate
Event-driven
- Compromise detected
- Personnel change
- Compliance requirement
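The following is an added example, not code from the vault-service repo. It models the scheduling decision the worker has to make from the documented pieces: the three ROTATION_WORKER_* settings with their defaults, the rotationPolicy shape (intervalSeconds with its 300-second floor, expiresAt in unix seconds), and a poll that selects at most one batch of due secrets. The Secret type, its lastRotatedAt field, the function names and the sample data are assumptions made for illustration.

```typescript
// Added example, not code from the vault-service repo. It models the worker's
// scheduling decision from the documented settings and rotationPolicy shape.
// The Secret/lastRotatedAt fields and all function names are assumptions.

const MIN_INTERVAL_SECONDS = 300; // documented floor for intervalSeconds

interface RotationPolicy {
  intervalSeconds?: number; // optional, must be >= MIN_INTERVAL_SECONDS
  expiresAt?: number;       // unix seconds
}

interface Secret {
  id: string;
  lastRotatedAt: number;    // unix seconds of the newest version (assumed field)
  rotationPolicy?: RotationPolicy;
}

interface WorkerConfig {
  enabled: boolean;
  pollIntervalMs: number;
  batchSize: number;
}

// Read the three ROTATION_WORKER_* variables, applying the documented defaults
// and rejecting values that would make the worker spin or never select anything.
function loadWorkerConfig(env: Record<string, string | undefined>): WorkerConfig {
  const enabled = (env.ROTATION_WORKER_ENABLED ?? "true").toLowerCase() !== "false";
  const pollIntervalMs = Number(env.ROTATION_WORKER_POLL_INTERVAL_MS ?? "60000");
  const batchSize = Number(env.ROTATION_WORKER_BATCH_SIZE ?? "10");
  if (!Number.isInteger(pollIntervalMs) || pollIntervalMs <= 0) {
    throw new Error("ROTATION_WORKER_POLL_INTERVAL_MS must be a positive integer");
  }
  if (!Number.isInteger(batchSize) || batchSize <= 0) {
    throw new Error("ROTATION_WORKER_BATCH_SIZE must be a positive integer");
  }
  return { enabled, pollIntervalMs, batchSize };
}

// Enforce the policy floor at write time so a too-short interval never reaches the worker.
function validatePolicy(policy: RotationPolicy): RotationPolicy {
  if (policy.intervalSeconds !== undefined) {
    if (!Number.isInteger(policy.intervalSeconds) || policy.intervalSeconds < MIN_INTERVAL_SECONDS) {
      throw new Error(`intervalSeconds must be an integer >= ${MIN_INTERVAL_SECONDS}`);
    }
  }
  if (policy.expiresAt !== undefined && !Number.isInteger(policy.expiresAt)) {
    throw new Error("expiresAt must be a unix timestamp in seconds");
  }
  return policy;
}

// A secret is due when its interval has elapsed since the last rotation, or when
// its expiresAt has passed. Whatever performs the rotation must also clear or
// extend expiresAt, otherwise the secret is selected again on every poll.
function isDue(secret: Secret, now: number): boolean {
  const p = secret.rotationPolicy;
  if (!p) return false;
  if (p.intervalSeconds !== undefined && now - secret.lastRotatedAt >= p.intervalSeconds) return true;
  if (p.expiresAt !== undefined && now >= p.expiresAt) return true;
  return false;
}

// One poll of the worker: collect due secrets, oldest rotation first, so a large
// backlog drains in order instead of starving the same secrets every cycle.
function selectBatch(secrets: Secret[], now: number, cfg: WorkerConfig): string[] {
  if (!cfg.enabled) return [];
  return secrets
    .filter((s) => isDue(s, now))
    .sort((a, b) => a.lastRotatedAt - b.lastRotatedAt)
    .slice(0, cfg.batchSize)
    .map((s) => s.id);
}

// Constructed sample data (not from the repo); NOW is a fixed unix timestamp.
const NOW = 1_700_000_000;
const sampleSecrets: Secret[] = [
  { id: "db-password", lastRotatedAt: NOW - 400, rotationPolicy: validatePolicy({ intervalSeconds: 300 }) },
  { id: "api-key", lastRotatedAt: NOW - 100, rotationPolicy: validatePolicy({ intervalSeconds: 300 }) },
  { id: "tls-key", lastRotatedAt: NOW - 1000, rotationPolicy: validatePolicy({ expiresAt: NOW - 1 }) },
  { id: "static-token", lastRotatedAt: NOW - 99999 }, // no policy: never auto-rotated
  { id: "signing-key", lastRotatedAt: NOW - 3600, rotationPolicy: validatePolicy({ intervalSeconds: 600 }) },
];

const sampleConfig = loadWorkerConfig({ ROTATION_WORKER_BATCH_SIZE: "2" });
console.log(selectBatch(sampleSecrets, NOW, sampleConfig)); // ["signing-key", "tls-key"]
```

With the batch size lowered to 2, the third due secret (db-password) waits for the next poll one minute later; with the default batch size of 10 all three are selected in one pass.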
Rotation process
1. Generate new secret: a new version is created with a fresh value.
Rotation creates a new secret version rather than overwriting the old one; previous versions remain retrievable via the versioned endpoints.
Rotation strategies
Immediate
- New secret active immediately
- Old secret revoked
- Use for compromises
Gradual
- Overlap period for transition
- Consumers update at own pace
- Use for planned rotation
Blue-green
- Deploy with new secret
- Switch traffic
- Revoke old secret
Custom pre/post rotation webhooks are not implemented in this repo.
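The following is an added example, not code from the vault-service repo, showing what the strategies above mean on the consuming side: which secret versions a verifier should still accept at a given moment. Under Immediate only the newest version is valid; under Gradual (and during the deploy-then-switch window of Blue-green) an older version stays valid for an overlap period after its successor was created, and is treated as revoked afterwards. The version fields, the overlap parameter, the function names and the sample keys are assumptions.

```typescript
// Added example, not code from the vault-service repo. It shows what a consumer
// of a rotated credential accepts under the immediate and gradual strategies;
// the version fields, overlap parameter and sample values are assumptions.

type Strategy = "immediate" | "gradual";

interface SecretVersion {
  version: number;
  value: string;
  createdAt: number; // unix seconds (assumed field)
}

// Versions accepted at `now`. Immediate: only the newest. Gradual: also any
// older version for overlapSeconds after its successor was created; once the
// overlap has elapsed the older version is treated as revoked.
function acceptedVersions(
  versions: SecretVersion[],
  strategy: Strategy,
  overlapSeconds: number,
  now: number,
): SecretVersion[] {
  const ordered = [...versions].sort((a, b) => a.version - b.version);
  const current = ordered[ordered.length - 1];
  if (!current) return [];
  if (strategy === "immediate") return [current];
  const accepted = [current];
  for (let i = ordered.length - 2; i >= 0; i--) {
    const supersededAt = ordered[i + 1].createdAt;
    if (now - supersededAt >= overlapSeconds) break; // older ones were superseded even earlier
    accepted.push(ordered[i]);
  }
  return accepted;
}

// Constant-time comparison so a rejected credential does not leak how many
// leading characters matched.
function constantTimeEqual(a: string, b: string): boolean {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Check a presented credential and report which version matched (null = reject).
// Every accepted version is compared, so timing does not reveal which one matched.
function verifyCredential(
  presented: string,
  versions: SecretVersion[],
  strategy: Strategy,
  overlapSeconds: number,
  now: number,
): number | null {
  let matched: number | null = null;
  for (const v of acceptedVersions(versions, strategy, overlapSeconds, now)) {
    if (matched === null && constantTimeEqual(v.value, presented)) matched = v.version;
  }
  return matched;
}

// Constructed sample data (not from the repo): version 2 was created 300 s ago,
// and the gradual strategy allows a 600 s overlap.
const NOW = 1_700_000_000;
const OVERLAP_SECONDS = 600;
const sampleVersions: SecretVersion[] = [
  { version: 1, value: "old-api-key-aaaa", createdAt: NOW - 900 },
  { version: 2, value: "new-api-key-bbbb", createdAt: NOW - 300 },
];

console.log(verifyCredential("old-api-key-aaaa", sampleVersions, "gradual", OVERLAP_SECONDS, NOW));   // 1 (inside overlap)
console.log(verifyCredential("old-api-key-aaaa", sampleVersions, "immediate", OVERLAP_SECONDS, NOW)); // null (old key revoked)
```

The same two calls made 400 seconds later both return null: the overlap has elapsed, so the gradual strategy converges on the immediate one and only version 2 is accepted.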