173 Secrets Management and Rotation
173 Secrets Management and Rotation
Secrets are dynamic credentials with lifecycle, not static configuration strings.
Rotation Sequence
issue new secret -> readers accept both -> writers switch -> old secret revokedDesign Constraints
- Never embed secrets in source or build artifacts.
- Support runtime refresh without full process restarts when possible.
- Fail startup quickly when required secrets are missing.
Incident Prevention
Most secret-related incidents come from rotation choreography errors. The dual-read transition window is critical for safe cutovers.