Secrets Rotation Automation
Automated secrets rotation system for BuyWhere API services.
Overview
This system automates the rotation of secrets across:
- AWS Secrets Manager (ECS deployments)
- Kubernetes secrets (K8s staging/production)
Secrets Managed
| Secret | AWS Secret Name | K8s Secret Key | Purpose |
|---|---|---|---|
| DATABASE_URL | buywhere/DATABASE_URL | DATABASE_URL | Primary PostgreSQL connection |
| DATABASE_REPLICA_URL | buywhere/DATABASE_REPLICA_URL | DATABASE_REPLICA_URL | Replica DB connection |
| PGBOUNCER_URL | buywhere/PGBOUNCER_URL | PGBOUNCER_URL | PgBouncer connection pool |
| REDIS_URL | buywhere/REDIS_URL | REDIS_URL | Redis cache connection |
| JWT_SECRET_KEY | buywhere/JWT_SECRET_KEY | JWT_SECRET_KEY | JWT signing key |
| POSTGRES_PASSWORD | buywhere/POSTGRES_PASSWORD | POSTGRES_PASSWORD | Database user password |
| BUYWHERE_API_KEY | buywhere/BUYWHERE_API_KEY | BUYWHERE_API_KEY | API authentication |
| R2_ACCESS_KEY_ID | buywhere/R2_ACCESS_KEY_ID | R2_ACCESS_KEY_ID | Cloudflare R2 access |
| R2_SECRET_ACCESS_KEY | buywhere/R2_SECRET_ACCESS_KEY | R2_SECRET_ACCESS_KEY | Cloudflare R2 secret |
| TYPESENSE_API_KEY | buywhere/TYPESENSE_API_KEY | TYPESENSE_API_KEY | Typesense search API |
Usage
CLI Commands
```bash
# Rotate specific service secrets
python scripts/secrets_rotation.py rotate --service database --provider aws
# Rotate all secrets (dry run)
python scripts/secrets_rotation.py rotate-all --dry-run
# Rotate all secrets (live)
python scripts/secrets_rotation.py rotate-all
# Check secrets status
python scripts/secrets_rotation.py status
# Restart services after rotation
python scripts/secrets_rotation.py restart
```
GitHub Actions
The workflow runs on:
- Schedule: 1st of every month at midnight UTC
- Manual trigger: Via workflow_dispatch with options
Rotation Process
- Generate new secret values using cryptographically secure random generation
- Update AWS Secrets Manager with the new values (PutSecretValue; the replaced version is retained under the AWSPREVIOUS staging label)
- Update Kubernetes secrets in the staging and production namespaces
- Restart ECS services (force new deployment) so that new tasks start with the new values
- Restart K8s deployments (rollout restart) so that new pods start with the new values; secrets injected as environment variables are only read at container start
- Health check verifies services are operational; a failure here is the trigger for rollback
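The generate, propagate and update steps above, as an added example that is not the project's own scripts/secrets_rotation.py. It uses the secret names from the table, keeps the PostgreSQL password and every URL that embeds it in one plan, and takes the AWS client as an argument so the logic runs offline; the `prefix` argument, the helper names and the sample URLs are assumptions of this example.

```python
# Added example, not the project's scripts/secrets_rotation.py: the generate,
# propagate and update steps of the rotation process, with the AWS client
# injected so the logic runs offline. Secret names match the table above;
# the `prefix` argument and the helper names are this example's own.
import base64
import datetime
import secrets
from urllib.parse import quote, urlsplit, urlunsplit

PASSWORD_ALPHABET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"


def generate_token(nbytes: int = 32) -> str:
    """256 bits from the OS CSPRNG, URL-safe, for keys used as opaque strings."""
    return secrets.token_urlsafe(nbytes)


def generate_password(length: int = 40) -> str:
    """Alphanumeric only (~238 bits at 40 chars) so the value embeds in a
    libpq/PgBouncer URL without escaping and survives shell quoting."""
    return "".join(secrets.choice(PASSWORD_ALPHABET) for _ in range(length))


def rewrite_url_password(url: str, new_password: str) -> str:
    """Swap only the password in scheme://user:pw@host:port/db?opts. The new
    value is percent-encoded so '@', '/' or ':' cannot corrupt the authority."""
    parts = urlsplit(url)
    if parts.username is None:
        raise ValueError("URL carries no user info to rotate")
    host = parts.hostname or ""
    if ":" in host:  # IPv6 literal must be re-bracketed
        host = f"[{host}]"
    netloc = f"{parts.username}:{quote(new_password, safe='')}@{host}"
    if parts.port is not None:
        netloc += f":{parts.port}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


def plan_rotation(current: dict[str, str]) -> dict[str, str]:
    """One new database password copied into each URL that embeds it, plus fresh
    standalone tokens, computed together so a partial write cannot publish a URL
    the database rejects. Setting the password on the server (ALTER ROLE ...
    PASSWORD) is a separate step outside this example. Provider-issued keys
    (R2, Typesense) are not generated locally and are left out of the plan."""
    new_pw = generate_password()
    plan = {"POSTGRES_PASSWORD": new_pw}
    for url_key in ("DATABASE_URL", "DATABASE_REPLICA_URL", "PGBOUNCER_URL"):
        if url_key in current:
            plan[url_key] = rewrite_url_password(current[url_key], new_pw)
    for token_key in ("JWT_SECRET_KEY", "BUYWHERE_API_KEY"):
        if token_key in current:
            plan[token_key] = generate_token()
    return plan


def apply_to_aws(sm_client, prefix: str, values: dict[str, str], dry_run: bool = True) -> list[str]:
    """Write each value with PutSecretValue (boto3 call signature). The replaced
    version keeps the AWSPREVIOUS staging label, which is the rollback path if
    the health check fails. Returns the secret IDs written (or, dry run, planned)."""
    written = []
    for key, value in values.items():
        secret_id = f"{prefix}/{key}"
        if not dry_run:
            sm_client.put_secret_value(SecretId=secret_id, SecretString=value)
        written.append(secret_id)
    return written


def k8s_secret_patch(values: dict[str, str]) -> dict:
    """Merge-patch body for a v1 Secret: `data` holds base64 of the raw bytes."""
    return {"data": {k: base64.b64encode(v.encode()).decode() for k, v in values.items()}}


def rollout_restart_patch(now: datetime.datetime) -> dict:
    """What `kubectl rollout restart` sends: a pod-template annotation bump that
    creates a new ReplicaSet and rolls every pod, so env-var secrets are re-read."""
    stamp = now.astimezone(datetime.timezone.utc).isoformat(timespec="seconds")
    stamp = stamp.replace("+00:00", "Z")
    return {"spec": {"template": {"metadata": {"annotations": {
        "kubectl.kubernetes.io/restartedAt": stamp}}}}}


if __name__ == "__main__":
    # Constructed sample of the current values; hosts and passwords are illustrative.
    current = {
        "DATABASE_URL": "postgresql://app:old@db.internal:5432/buywhere?sslmode=require",
        "PGBOUNCER_URL": "postgresql://app:old@pgbouncer.internal:6432/buywhere",
        "JWT_SECRET_KEY": "replace-me",
    }
    plan = plan_rotation(current)
    print("rotating:", sorted(plan))  # names only; never print the values
    print(apply_to_aws(None, "buywhere", plan, dry_run=True))
    print(rollout_restart_patch(datetime.datetime.now(datetime.timezone.utc)))
```

With a real `boto3.client("secretsmanager")` passed in and `dry_run=False`, `apply_to_aws` performs the Secrets Manager step of the process; the two patch bodies are what the Kubernetes step sends to the Secret and the Deployment respectively.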
AWS IAM Permissions Required
ListSecrets and ListServices do not support resource-level permissions and must be granted on `*`, so they sit in their own statements; the read/write and update permissions are scoped to the `buywhere/` secrets and to the services of the `buywhere-api` cluster.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetSecretValue",
        "secretsmanager:PutSecretValue"
      ],
      "Resource": "arn:aws:secretsmanager:ap-southeast-1:*:secret:buywhere/*"
    },
    {
      "Effect": "Allow",
      "Action": "secretsmanager:ListSecrets",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ecs:UpdateService",
        "ecs:DescribeServices"
      ],
      "Resource": "arn:aws:ecs:ap-southeast-1:*:service/buywhere-api/*"
    },
    {
      "Effect": "Allow",
      "Action": "ecs:ListServices",
      "Resource": "*"
    }
  ]
}
```
Kubernetes RBAC Required
A Role is namespaced: create it, together with a RoleBinding to the rotation service account, in each namespace that is rotated (staging and production). `patch` on deployments is what rollout restart needs.

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: secrets-rotation
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "patch", "list"]
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["get", "patch"]
```
Environment Variables
| Variable | Description | Default |
|---|---|---|
| AWS_REGION | AWS region for Secrets Manager and ECS | ap-southeast-1 |
| KUBECONFIG | Path to kubeconfig file | - |
| K8S_CONTEXT | Kubernetes context to use | - |
| ECS_CLUSTER | ECS cluster name | buywhere-api |
Security Considerations
- All secret values are generated with Python's `secrets` module (backed by the OS CSPRNG)
- Old secret values are overwritten in place; no separate archive of previous values is kept. In AWS Secrets Manager the replaced version stays retrievable under the `AWSPREVIOUS` staging label until the next write, which is the rollback path if the health check fails. Kubernetes Secrets have no version history, so a rollback there means writing the known-good value back.
- Restarts are rolling (ECS force new deployment, K8s rollout restart), so the rotation itself causes no downtime. Rotating the JWT signing key is the case to watch: tokens signed with the old key stop verifying as soon as services come up with the new one, unless the application verifies against both the outgoing and the incoming key for a grace period.
- Health checks verify operational status after rotation
- Rotation logs are maintained for the audit trail; they record which secret was rotated, when, and with what outcome, never the value itself
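The grace-period handling for the JWT signing key mentioned above, as an added example that is not the project's token code: a verifier that accepts tokens under both the outgoing and the incoming key, selected by the token's `kid` header, until the old key is retired. It is a minimal HS256 JWT written with the standard library; the `KeyRing` class, the function names and the key identifiers are assumptions of this example (PyJWT would do the same with a `kid`-keyed lookup).

```python
# Added example, not the project's token code: a verifier that accepts tokens
# signed under both the outgoing and the incoming JWT_SECRET_KEY for a grace
# window, so a key rotation does not sign every user out. Minimal HS256 JWT
# with a `kid` header; the KeyRing and function names are this example's own.
import base64
import hashlib
import hmac
import json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class KeyRing:
    """kid -> HMAC key. `current` signs new tokens; every listed key still
    verifies, so the previous key stays until its longest-lived token expires."""

    def __init__(self, kid: str, key: bytes):
        self.keys = {kid: key}
        self.current = kid

    def rotate(self, kid: str, key: bytes) -> None:
        self.keys[kid] = key
        self.current = kid

    def retire(self, kid: str) -> None:
        if kid == self.current:
            raise ValueError("cannot retire the signing key")
        self.keys.pop(kid, None)


def sign_jwt(claims: dict, ring: KeyRing) -> str:
    header = {"alg": "HS256", "typ": "JWT", "kid": ring.current}
    parts = [_b64url(json.dumps(obj, separators=(",", ":")).encode()) for obj in (header, claims)]
    sig = hmac.new(ring.keys[ring.current], ".".join(parts).encode(), hashlib.sha256).digest()
    return ".".join(parts + [_b64url(sig)])


def verify_jwt(token: str, ring: KeyRing, now: int) -> dict:
    """Raise ValueError on any failure; the alg is pinned, never taken from the token."""
    try:
        h64, c64, s64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token") from None
    header = json.loads(_unb64url(h64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    key = ring.keys.get(header.get("kid"))
    if key is None:
        raise ValueError("unknown or retired kid")
    expected = hmac.new(key, f"{h64}.{c64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(s64)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64url(c64))
    if int(claims.get("exp", 0)) <= now:
        raise ValueError("expired")
    return claims


def verifies(token: str, ring: KeyRing, now: int) -> bool:
    try:
        verify_jwt(token, ring, now)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    ring = KeyRing("2024-01", b"old-key")  # constructed keys; real ones come from JWT_SECRET_KEY
    old_token = sign_jwt({"sub": "u1", "exp": 1000}, ring)
    ring.rotate("2024-02", b"new-key")     # rotation: sign with the new key, still verify the old
    new_token = sign_jwt({"sub": "u1", "exp": 1000}, ring)
    print(verifies(old_token, ring, 500), verifies(new_token, ring, 500))  # True True
    ring.retire("2024-01")                 # after the grace window
    print(verifies(old_token, ring, 500), verifies(new_token, ring, 500))  # False True
```

To use this with the in-place rotation described on this page, the value stored under JWT_SECRET_KEY would have to carry both the incoming and the outgoing key (for example as two `kid`-labelled entries) for one rotation interval; a single overwritten value gives the application no old key to verify against.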
Troubleshooting
Rotation Fails
- Check AWS credentials are valid and not expired
- Verify IAM permissions for Secrets Manager
- Ensure ECS service is not in a failing state
- Check K8s secrets exist in the correct namespace
Services Don't Pick Up New Secrets
- Verify rollout restart completed successfully
- Check ECS service has force-new-deployment triggered
- Verify pods are running with new secret values
- Check application logs for authentication errors
Automation Schedule
| Schedule | Purpose |
|---|---|
| Monthly (1st of month) | Regular rotation per security policy |
| On-demand | Via GitHub Actions workflow_dispatch |
Links
- BUY-2884 - Issue tracking this implementation