Consume rotating secrets
Plus tier
This feature is available in HCP Vault Secrets Plus tier.
Static, long-lived credentials pose a significant security risk: they are prone to accidental and malicious exposure, and they are hard to revoke once compromised. HCP Vault Secrets offers two ways of mitigating this risk: dynamic secrets and auto-rotating secrets (described below). For a more in-depth comparison of the two secret types, refer to this section.
Auto-rotating secrets are credentials that HCP Vault Secrets rotates automatically on a fixed schedule. Each version has a limited lifetime of two rotation periods (a rotation period is 30, 60, or 90 days), and a single rotating secret can be consumed by multiple clients.
Prerequisites
- An HCP IAM user or service principal with the HCP reader role or higher.
- An HCP Vault Secrets app and rotating secret created.
- Authenticated to the HCP Portal or HCP CLI.
How frequently should the secrets be consumed?
Auto-rotating secrets maintain overlapping sets of active credentials to eliminate application downtime associated with rotation. At any given time, the latest two secret versions will be active and available for consumption.
To ensure that your application is always consuming active credentials, we recommend restarting it at least once every rotation interval. A version fetched just before a scheduled rotation is still one of the two active versions for one more full interval, so a restart every interval always lands while the held version is active. If your application consumes multiple rotating secrets, it should be restarted at least once every min(I1, I2, ..., In) days, where I1, I2, ..., In are the corresponding rotation intervals. For example, if the application consumes secrets with rotation intervals of [30, 30, 60, 90] days, it should be restarted once every 30 days, regardless of when the secrets actually rotate.
Note
If an auto-rotating secret is manually rotated, we recommend that any applications consuming the secret should be restarted to fetch the latest version.
Note
The recommendations above do not apply when consuming secrets in Kubernetes with the Vault Secrets Operator, which ensures that the latest versions of secrets are propagated correctly.
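The restart rule above and the manual-rotation note are easiest to reason about with a small model of the version lifecycle. The following is an added example, not HashiCorp code: it encodes only what this page states (the latest two versions are active, intervals are 30, 60 or 90 days, restart every min(I1..In) days) and plays through three scenarios: a restart on the recommended cadence, a restart that is too infrequent, and a manual rotation that invalidates a held credential early. The secret names, timestamps and the assumption that the next scheduled rotation is measured from the newest version's creation time are ours.

```python
"""Lifecycle model for HCP Vault Secrets auto-rotating secrets (added example).

Encodes only what the page states: the latest two versions are active, the
rotation interval is 30, 60 or 90 days, and a consumer should restart at least
every min(I1..In) days. Names and timestamps are constructed; measuring the next
scheduled rotation from the newest version's creation time is an assumption.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

ALLOWED_INTERVALS_DAYS = (30, 60, 90)
ACTIVE_VERSION_COUNT = 2  # "the latest two secret versions will be active"
DEFAULT_T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed epoch


@dataclass(frozen=True)
class SecretVersion:
    number: int
    created_at: datetime


@dataclass
class RotatingSecret:
    name: str
    rotation_interval_days: int
    versions: list = field(default_factory=list)  # ascending by number

    def __post_init__(self):
        if self.rotation_interval_days not in ALLOWED_INTERVALS_DAYS:
            raise ValueError(f"{self.name}: interval must be one of {ALLOWED_INTERVALS_DAYS}")
        if not self.versions:
            raise ValueError(f"{self.name}: needs an initial version")

    @property
    def latest(self) -> SecretVersion:
        return self.versions[-1]

    def rotate(self, at: datetime) -> SecretVersion:
        """Append a new version; used for scheduled and manual rotation alike."""
        new = SecretVersion(self.latest.number + 1, at)
        self.versions.append(new)
        return new

    def advance(self, now: datetime) -> None:
        """Apply every scheduled rotation due on or before `now` (assumed cadence)."""
        step = timedelta(days=self.rotation_interval_days)
        while now >= self.latest.created_at + step:
            self.rotate(self.latest.created_at + step)

    def is_active(self, number: int) -> bool:
        return number in {v.number for v in self.versions[-ACTIVE_VERSION_COUNT:]}


def restart_interval_days(secrets) -> int:
    """Safe restart cadence for an app consuming all `secrets`: min(I1..In)."""
    return min(s.rotation_interval_days for s in secrets)


def fetch_all(secrets) -> dict:
    """What an app holds after (re)start: the newest version of each secret."""
    return {s.name: s.latest.number for s in secrets}


def stale(held: dict, secrets) -> list:
    """Names of secrets whose held version is no longer one of the active two."""
    return [s.name for s in secrets if not s.is_active(held[s.name])]


def new_secrets(t0: datetime = DEFAULT_T0) -> list:
    # Constructed inventory: a 30-day and a 90-day secret, both created at t0.
    return [
        RotatingSecret("db-creds", 30, [SecretVersion(1, t0)]),
        RotatingSecret("api-key", 90, [SecretVersion(1, t0)]),
    ]


def scenario_scheduled(restart_every_days: int) -> list:
    """Start on day 29 (just before db-creds first rotates), restart after the
    given cadence, and report which held credentials are dead at that restart."""
    secrets = new_secrets()
    started = DEFAULT_T0 + timedelta(days=29)
    for s in secrets:
        s.advance(started)
    held = fetch_all(secrets)
    next_restart = started + timedelta(days=restart_every_days)
    for s in secrets:
        s.advance(next_restart)
    return stale(held, secrets)


def scenario_manual_rotation() -> list:
    """Same start, but an operator rotates db-creds by hand on day 40."""
    secrets = new_secrets()
    held = fetch_all(secrets)  # app started on day 29, holding v1 of each
    day40 = DEFAULT_T0 + timedelta(days=40)
    for s in secrets:
        s.advance(day40)        # db-creds got v2 on day 30; v1 and v2 active
    secrets[0].rotate(day40)    # manual rotation creates v3; v1 drops out
    return stale(held, secrets)


if __name__ == "__main__":
    cadence = restart_interval_days(new_secrets())
    print("restart at least every", cadence, "days")
    print("stale at recommended restart:", scenario_scheduled(cadence))   # []
    print("stale if restarting every 60 days:", scenario_scheduled(60))  # ['db-creds']
    print("stale after manual rotation:", scenario_manual_rotation())    # ['db-creds']
```

The second and third scenarios show the two ways an app ends up holding a dead credential: restarting less often than the shortest interval, and a manual rotation that consumes the overlap window early. In the manual case the held version was fetched only eleven days earlier and would otherwise have been valid for weeks, which is why the page says to restart consumers after a manual rotation rather than rely on the regular cadence.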
Examples
Note
You can open a secret, or all versions of a secret, with the HCP CLI. To open one specific version of a secret, use the HCP UI or API.