Secret lifetimes

[domenkozar]

Ideally, secrets live for a certain amount of time, then it's time to request a new secret.

There are two aspects where this becomes tricky:

• keep the state of how long the secret is still valid for
• provide an api when to reload the app after a new secret is fetched

The API would look something like:

let secrets = SecretSpec::builder().load()?;

for secret in secrets.next() {
   ...
}

for mysecret in secrets.mysecret.next() {
   ...
}

[aggaksha]

It depends on how secrets are being loaded when needed. If the env file captures a secret reference/ name (such as Secret ARN from AWS Secrets Manager), the env file is evaluated to the run time, and secret value are fetched at that time, you will have the latest value of secret. Of course, once evaluated to secret value, it can not be updated without re-starting the application.
With secret rotation being an async process on AWS Secrets Manager, we have solved this problem through our open source clients such as Secrets Manager Agent and CSI Driver. Happy to engage with the team and help solve this industry-wide challenge.

[domenkozar]

This will come after #9

[blaggacao]

provide an api when to reload the app after a new secret is fetched

Or send a process signal, which may be understood by the app as instructions to just reload the credential context, instead the entire app.

[blaggacao]

keep the state of how long the secret is still valid for

Or fetch validity information from a revocation mechanism - this may be an advanced use case and not necessary for many scenarios, but it is critical enough in others that it might be worth considering plugging into some sort of established standard.