Secret Rotation Pattern

Category: security | Complexity: Hard
Applicability

When to Use

When secrets have maximum age policies
When compliance requires regular credential rotation
When you want to minimize the blast radius of a leaked secret
Overview

How It Works

This pattern automates the rotation of API keys, database passwords, and other credentials used by MCP servers. The rotation agent generates a new secret, updates the credential in Vault, updates the consuming service, verifies that the new credential works, and only then revokes the old one. The key to zero-downtime rotation is the overlap period: both the old and the new credential are valid at the same time during the transition, so the consuming service is never left without a working credential. Because revocation happens only after the verification step succeeds, a failed rotation leaves the old credential in place rather than taking the service down.
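The overlap window the paragraph describes is easy to lose in practice: replacing the password of a single database role invalidates the old password immediately. The added example below (written for this page, not code from the original pattern) shows the usual way to get a real overlap for a database credential, two alternating roles where the idle role receives the new password, Vault is updated, the consumer is checked to be on the new credential, and only then is the old role's password revoked. A consumer that cannot pick up the new credential forces a rollback that never touches the still-active credential. The database, Vault KV v2 store and consuming service are in-memory stand-ins; the role names `app_a`/`app_b`, the Vault path and the deterministic password generator are constructed for the offline run.

```typescript
// Added example (not the page's code): two-role rotation with a real overlap window.
// FakeDatabase, FakeVault and Consumer are constructed in-memory stand-ins for
// PostgreSQL, Vault KV v2 and a consuming MCP server so the flow runs offline.
type Credential = { role: string; password: string };

// Stand-in for PostgreSQL: role -> password, null meaning login is disabled.
class FakeDatabase {
  private passwords = new Map<string, string | null>();
  constructor(roles: readonly string[]) { for (const r of roles) this.passwords.set(r, null); }
  setPassword(role: string, password: string): void {
    if (!this.passwords.has(role)) throw new Error(`unknown role ${role}`);
    this.passwords.set(role, password);
  }
  revokePassword(role: string): void { this.passwords.set(role, null); }
  authenticate(cred: Credential): boolean {
    const pw = this.passwords.get(cred.role);
    return typeof pw === "string" && pw === cred.password;
  }
}

// Stand-in for Vault KV v2: each write creates a new version, reads return the latest.
class FakeVault {
  private versions = new Map<string, Credential[]>();
  put(path: string, data: Credential): number {
    const list = this.versions.get(path) ?? []; list.push({ ...data });
    this.versions.set(path, list);
    return list.length;
  }
  get(path: string): Credential {
    const list = this.versions.get(path) ?? [];
    const latest = list[list.length - 1];
    if (!latest) throw new Error(`no secret at ${path}`);
    return { ...latest };
  }
}

// Stand-in for the consuming service: caches one credential and re-reads Vault on reload().
// canReload=false models a consumer stuck on its cached credential (the rollback case).
class Consumer {
  current: Credential;
  private vault: FakeVault; private path: string; private db: FakeDatabase; private canReload: boolean;
  constructor(vault: FakeVault, path: string, db: FakeDatabase, canReload = true) {
    this.vault = vault; this.path = path; this.db = db; this.canReload = canReload;
    this.current = vault.get(path);
  }
  reload(): void { if (this.canReload) this.current = this.vault.get(this.path); }
  ping(): boolean { return this.db.authenticate(this.current); }
}

const ROLES = ["app_a", "app_b"] as const;            // constructed role names
const otherRole = (role: string): string => (role === ROLES[0] ? ROLES[1] : ROLES[0]);

// Rotate by moving the service onto the idle role. The active role keeps working through
// the whole procedure (the overlap window) and is revoked only after the new one is verified.
function rotateWithOverlap(
  db: FakeDatabase, vault: FakeVault, path: string, consumer: Consumer, generate: () => string,
): { active: string; revoked: string; version: number } {
  const current = vault.get(path);
  const next: Credential = { role: otherRole(current.role), password: generate() };
  // 1. Stage the new password on the idle role; the active credential is untouched.
  db.setPassword(next.role, next.password);
  // 2. Verify it directly before publishing it anywhere.
  if (!db.authenticate(next)) {
    db.revokePassword(next.role);
    throw new Error("new credential failed verification; active credential untouched");
  }
  // 3. Publish to Vault and ask the consumer to pick it up.
  const version = vault.put(path, next);
  consumer.reload();
  // 4. Check the consumer is really on the new credential: during the overlap a plain
  //    "can it connect?" probe would pass even if it were still using the old one.
  if (consumer.current.role !== next.role || !consumer.ping()) {
    vault.put(path, current);       // latest Vault version is the known-good credential again
    consumer.reload();
    db.revokePassword(next.role);
    throw new Error("consumer is not using the new credential; rolled back");
  }
  // 5. Only now close the overlap window by revoking the old role's password.
  db.revokePassword(current.role);
  return { active: next.role, revoked: current.role, version };
}

// Constructed deterministic generator so the offline run is reproducible; production
// code would draw the password from a CSPRNG such as crypto.randomBytes instead.
function makeCounterGenerator(): () => string { let n = 0; return () => `constructed-pw-${++n}`; }

const PATH = "secrets/mcp-server/db-credential";    // constructed Vault path

// Bootstrap role app_a in the database and Vault, then run one rotation. With canReload=false
// the consumer cannot pick up the new credential, which forces the rollback path.
function runRotation(canReload = true): { ok: boolean; bootStillValid: boolean; latestRole: string; consumerRole: string } {
  const db = new FakeDatabase(ROLES);
  const vault = new FakeVault();
  const gen = makeCounterGenerator();
  const boot: Credential = { role: ROLES[0], password: gen() };
  db.setPassword(boot.role, boot.password);
  vault.put(PATH, boot);
  const consumer = new Consumer(vault, PATH, db, canReload);
  let ok = true;
  try { rotateWithOverlap(db, vault, PATH, consumer, gen); } catch { ok = false; }
  return { ok, bootStillValid: db.authenticate(boot), latestRole: vault.get(PATH).role, consumerRole: consumer.current.role };
}
```

`runRotation()` ends with the consumer on `app_b`, the `app_a` password revoked and Vault's latest version pointing at `app_b`; `runRotation(false)` throws inside, leaves `app_a` fully working, revokes the staged `app_b` password and writes the original credential back as the latest Vault version. Step 4 is the part most often skipped: checking that the consumer actually switched, not merely that some credential still authenticates, is what makes the later revocation safe.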
Implementation

Code Example

```typescript
// The `postgres` client, `vault` KV helper, `slack` client, generateSecurePassword() and
// testConnection() are provided by the surrounding code base and are not shown here.
async function rotateDBPassword(serviceName: string): Promise<void> {
  const secretPath = `secrets/${serviceName}/db-password`;

  // Read the current password before overwriting it, so the rollback below does not
  // depend on Vault version history (the shape of the returned secret is assumed here)
  const { data: { password: oldPassword } } = await vault.kvGet({ path: secretPath });

  // Generate new password
  const newPassword = generateSecurePassword(32);

  // ALTER ROLE is a utility statement and cannot take bind parameters ($1, $2); the role
  // name is an identifier and the password a literal, so both are escaped into the SQL text
  // (node-postgres exposes escapeIdentifier/escapeLiteral on the client for this).
  // Note: this replaces the role's password immediately; PostgreSQL does not keep the old
  // one valid, so a true overlap period needs two alternating roles rather than one.
  const alterRole = (password: string) =>
    `ALTER ROLE ${postgres.escapeIdentifier(serviceName)} WITH PASSWORD ${postgres.escapeLiteral(password)}`;
  await postgres.query(alterRole(newPassword));

  // Store in Vault
  await vault.kvPut({ path: secretPath, data: { password: newPassword, rotatedAt: new Date().toISOString() } });

  // Verify new credential works
  try {
    await testConnection(serviceName, newPassword);
  } catch (err) {
    // Rollback: restore the old password in the database and make it the latest Vault version again
    await postgres.query(alterRole(oldPassword));
    await vault.kvPut({ path: secretPath, data: { password: oldPassword, rolledBackAt: new Date().toISOString() } });
    throw err;
  }

  await slack.sendMessage({ channel: "#security", text: `Secret rotated: ${serviceName}/db-password` });
}
```

Quick Info

Category: security
Complexity: Hard
