
Secret Rotation

devops · Intermediate
DEBT score: d8/e7/b5/t5
d8 Detectability Operational debt — how invisible misuse is to your safety net

Closest to 'silent in production until users hit it' (d9), but secret managers such as aws-secrets-manager, vault or doppler can report stale secrets and rotation age, so slightly better at d8. Without those tools, a lack of rotation is invisible until a breach.

e7 Effort Remediation debt — work required to fix once spotted

Closest to 'cross-cutting refactor across the codebase' (e7). Implementing rotation requires inventorying all secrets, updating every consumer to support overlap, automating the rotation pipeline, and coordinating revocation — spans many files and infra.

b5 Burden Structural debt — long-term weight of choosing wrong

Closest to 'persistent productivity tax' (b5). Because the term applies to both web and CLI contexts, a rotation policy affects multiple deployment contexts and adds ongoing operational overhead to every service consuming secrets, but it doesn't define the system's shape.

t5 Trap Cognitive debt — how counter-intuitive correct behaviour is

Closest to 'notable trap most devs eventually learn' (t5). The misconception is that rotation requires downtime; the documented gotcha is forgetting the overlap window, i.e. revoking the old secret before every consumer has been updated to the new one — a classic learned lesson.


Also Known As

key rotation, credential rotation, secret management

TL;DR

The practice of periodically replacing cryptographic secrets, API keys, and credentials — limiting the window of exposure when a secret is compromised without any breach being detected.

Explanation

Secrets that never rotate are permanent liabilities — a leaked key from 3 years ago is still valid if it was never rotated. Rotation strategies: scheduled (every 90 days), event-driven (on team member departure, suspected breach), and zero-downtime (new key deployed alongside old, then old revoked). AWS Secrets Manager and HashiCorp Vault can automate rotation for database credentials, rotating the password and updating all application references without downtime.

Common Misconception

Rotating secrets requires application downtime — zero-downtime rotation deploys the new credential alongside the old, updates all consumers, then revokes the old one.

Why It Matters

A secret that was silently compromised 6 months ago continues to provide access indefinitely without rotation — rotation limits the damage window from indefinite to bounded.

Common Mistakes

  • Manual rotation that gets deferred — automate rotation; manual processes are always delayed.
  • Rotating the secret without updating all consumers — causes outages when the old secret is revoked.
  • No secret inventory — cannot rotate what you cannot find; maintain a registry of all secrets and their consumers.
  • Using the same secret across environments — a compromised dev secret should not be valid in production.
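The zero-downtime rotation described in the Explanation and the consumer-tracking mistakes listed above, as an added Python model that is not part of the original entry: a secret holds a CURRENT value and, during the overlap window, a PREVIOUS one; consumers are valid with either; revocation refuses to run while any registered consumer still uses the old value; and a staleness audit flags secrets past the rotation policy or with no known consumers. The stage names (modelled on the AWSCURRENT/AWSPREVIOUS convention), the Secret class and the sample inventory are constructed for illustration.

```python
"""Zero-downtime secret rotation with an overlap window (constructed model)."""
from dataclasses import dataclass, field
from datetime import date

# Hypothetical stage names mirroring the AWSCURRENT / AWSPREVIOUS convention
CURRENT, PREVIOUS = "CURRENT", "PREVIOUS"

@dataclass
class Secret:
    name: str
    last_rotated: date
    versions: dict = field(default_factory=dict)   # stage -> secret value
    consumers: dict = field(default_factory=dict)  # consumer -> value in use

def rotate(secret: Secret, new_value: str, today: date) -> None:
    """Step 1: deploy the new value alongside the old (overlap window opens)."""
    if PREVIOUS in secret.versions:
        raise RuntimeError("previous version not yet revoked; finish the last rotation")
    secret.versions[PREVIOUS] = secret.versions.pop(CURRENT)
    secret.versions[CURRENT] = new_value
    secret.last_rotated = today

def is_valid(secret: Secret, presented: str) -> bool:
    """Consumers may present either staged value during the overlap window."""
    return presented in secret.versions.values()

def update_consumer(secret: Secret, consumer: str) -> None:
    """Step 2: a consumer re-reads the secret and starts using CURRENT."""
    secret.consumers[consumer] = secret.versions[CURRENT]

def lagging_consumers(secret: Secret) -> list:
    return sorted(c for c, v in secret.consumers.items() if v != secret.versions[CURRENT])

def revoke_previous(secret: Secret) -> bool:
    """Step 3: close the overlap window, but only once every consumer has moved."""
    if lagging_consumers(secret):
        return False          # revoking now would cause an outage
    secret.versions.pop(PREVIOUS, None)
    return True

def stale_secrets(inventory, today: date, max_age_days: int = 90) -> list:
    """Detection hint: secrets older than the policy window or with no known consumers."""
    findings = []
    for s in inventory:
        age = (today - s.last_rotated).days
        if age > max_age_days:
            findings.append((s.name, f"not rotated for {age} days"))
        if not s.consumers:
            findings.append((s.name, "no registered consumers"))
    return findings
```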

Code Examples

✗ Vulnerable
# Hardcoded secret, never rotated:
# .env (committed to git 3 years ago):
DB_PASSWORD=super_secret_2021
API_KEY=sk_live_abc123
# Same values used for 3 years
# Leaked in git history — still valid
# Former employee knows them — still valid
✓ Fixed
# Automated rotation with AWS Secrets Manager:
# aws secretsmanager create-secret --name prod/db-password
# aws secretsmanager rotate-secret --secret-id prod/db-password \
#   --rotation-lambda-arn arn:aws:lambda:... \
#   --rotation-rules AutomaticallyAfterDays=30

# Application reads the secret at startup (not hardcoded), via the AWS SDK for PHP:
<?php
require 'vendor/autoload.php';

use Aws\SecretsManager\SecretsManagerClient;

// getSecretValue() is an instance method, so build a client first
$client = new SecretsManagerClient(['version' => 'latest', 'region' => 'us-east-1']); // region where the secret lives
$result = $client->getSecretValue(['SecretId' => 'prod/db-password']);
// Secrets Manager's database rotation stores host/username/password as JSON
$secret = json_decode($result['SecretString'], true);

$pdo = new PDO('mysql:host=' . $secret['host'], $secret['username'], $secret['password']);

Added 15 Mar 2026
Edited 22 Mar 2026
DEV INTEL Tools & Severity
Severity: High · Fix effort: High
⚡ Quick Fix
Automate secret rotation so it happens without human intervention — deploy the new credential alongside the old, redeploy the PHP workers so they pick up the new value, then revoke the old; zero downtime.
📦 Applies To
any, web, cli
🔍 Detection Hints
Secrets never rotated since creation; manual rotation requiring downtime; no rotation schedule; no overlap period for zero-downtime rotation.
Auto-detectable: No. Tools: aws-secrets-manager, vault, doppler
CWE-798 (Use of Hard-coded Credentials)
