Consume rotating secrets

Plus tier

This feature is available in HCP Vault Secrets Plus tier.

Static long-lived credentials pose a significant security risk due to the potential for accidental and malicious exposure as well as difficulties in revocation once the credentials are compromised. HCP Vault Secrets offers two ways of mitigating this risk: dynamic secrets auto-rotating secrets (described below). For a more in-depth comparison between these two secret types, please refer to this section.

Auto-rotating secrets are credentials that rotate automatically on a periodic basis. They have a limited lifetime of 2 rotation periods (30, 60, or 90 days) and can be used by multiple consuming clients.

Diagram showing how Auto-rotating Secrets are shared by multiple instances of
an application

Prerequisites

An HCP IAM user or service principal with the HCP reader role or higher.
An HCP Vault Secrets app and rotating secret created.
Authenticated to the HCP Portal or HCP CLI

How frequently should the secrets be consumed?

Auto-rotating secrets maintain overlapping sets of active credentials to eliminate application downtime associated with rotation. At any given time, the latest two secret versions will be active and available for consumption.

To ensure that your application is always consuming active credentials, we recommend restarting it at least once every rotation interval. If your application consumes multiple rotating secrets, it should be restarted at least once every min(I1, I2, ..., In) where I1, I2, ..., In are the corresponding rotation intervals. For example, if the application consumes secrets with rotation intervals of [30, 30, 60, 90] days, it should be restarted once every 30 days, regardless of when the secrets actually rotate.

Note

If an auto-rotating secret is manually rotated, we recommend that any applications consuming the secret should be restarted to fetch the latest version.

Note

The recommendations above are not applicable when consuming secrets in Kubernetes using Vault Secrets Operator -- it will ensure that the latest versions of secrets are correctly propagated.

Examples

Note

You can open a secret, and all versions of the secret using the CLI. Use the HCP UI or API to open a specific version of a secret.

View auto-rotating secret

Open plaintext secret:

$ hcp vault-secrets secrets open "test_secret"

Open a plaintext secret from under a specified Vault Secrets application:

$ hcp vault-secrets secrets open "test_secret" --app=test-app

Inject all of the app's secrets as environment variables:

$ hcp vault-secrets secrets run ./my_app.sh

Open all secrets in an app:

curl \
--location "https://api.cloud.hashicorp.com/secrets/2023-11-28/organizations/${HCP_ORG_ID}/projects/${HCP_PROJ_ID}/apps/${APP_NAME}/secrets:open" \
--request GET \
--header "Authorization: Bearer ${HCP_API_TOKEN}" | jq

Open a single secret:

curl \
--location "https://api.cloud.hashicorp.com/secrets/2023-11-28/organizations/${HCP_ORG_ID}/projects/${HCP_PROJ_ID}/apps/${APP_NAME}/secrets/${SECRET_NAME}:open" \
--request GET \
--header "Authorization: Bearer ${HCP_API_TOKEN}" | jq

Consume rotating secrets

Prerequisites

How frequently should the secrets be consumed?

Examples

Additional resources