Chapter DSecrets rotation labPage 4 of 8

Secrets rotation lab

Prove behavior with deterministic tests

Build an answer API and background indexer sharing a provider credential through a versioned secrets manager as an operable release, not a slide-deck example.

~14 minValidation

1Try it yourself

Playground

Secrets rotation lab

Revoke leaked keys, rotate on schedule, audit access.

API key found in a public gist

Before you start

Why this matters

Before changing code, write the single production outcome this chapter must prove and the signal that would stop you. For this lab, the service boundary is SecretRef(name, version) is injected at runtime; health telemetry reports only credential_version and authentication result, never secret bytes. Record one request identifier you can follow from ingress through the final decision. If you cannot name the owner of the stop decision, the rollout is not yet controlled.

The source lesson requires a dual-key window: issue v2, deploy readers, confirm traffic, then revoke v1 and audit every read. This chapter turns that compact lesson into implementation evidence. The running scenario is an answer API and background indexer sharing a provider credential through a versioned secrets manager. You will keep the same scenario across all eight chapters so setup decisions, tests, telemetry, and rollback controls accumulate into one coherent system rather than eight disconnected exercises.

2Learn the idea

Read

Build a layered test suite

Start with pure unit tests for deterministic decisions: schema checks, bucketing or routing, threshold comparisons, and redaction. Use fixed clocks and seeded identifiers. Then add contract tests against every fake dependency and one sandbox integration. Finally, run an end-to-end fixture through the public endpoint and assert the durable record and telemetry event, not just the HTTP response.

Turn the declared boundary into test cases. A valid request produces SecretRef(name, version) is injected at runtime; health telemetry reports only credential_version and authentication result, never secret bytes. Missing required fields return a stable client error. Unknown schema versions are quarantined or rejected. Authorization failure occurs before external calls. A repeated identifier cannot duplicate effects. A timeout returns the documented degraded response. Every branch carries the revision and request ID.

Read

Test the decision metrics

For AI quality, keep a versioned JSONL golden set with input, permitted facts, forbidden claims, and expected disposition. Grade citations or fact support deterministically where possible; use a model grader only with a pinned grader prompt and periodic human calibration. Report confidence intervals and case-level failures, not one blended score. The release metric is authentication failures, consumers by credential version, secret-read anomalies, and time from issue to old-key revocation.

Add an adversarial set specifically for unknown consumers, processes that cache credentials forever, revoking before reload, partial regional rollout, and credentials copied outside the manager. Each fixture needs a short explanation of the production incident it prevents. This stops the suite becoming a pile of examples nobody trusts. When a real incident occurs, first add the smallest reproducing fixture, then fix the implementation.

Read

Encode gates

CI should reject schema drift, unsafe configuration, failed deterministic tests, and quality regression beyond the declared tolerance. A flaky quality check is not permission to ignore failures. Quarantine it with an owner and deadline while preserving a stable blocking subset. Print revisions, seed, and dataset digest so any failure can be reproduced locally.

Create a rollout-gate function that accepts observed metrics and returns promote, hold, or rollback plus reasons. Test boundary values: exactly at threshold, one sample below minimum, stale metrics, and missing guardrails. Missing or stale evidence must return hold. This small function prevents a deployment script from silently interpreting policy differently from the runbook.

Read

Review the evidence

Have another person run the acceptance command without verbal guidance. They should be able to locate the failed fixture, identify its owning component, and explain whether it blocks shipment. Save a concise test report containing counts, failures, dataset digest, and environment. Tests become release evidence only when their inputs and meaning are reviewable.

Read

Run a reproducible contract probe

Store a fixture with the local test harness so the provider credential rotation decision is reviewable rather than hidden in a mock. Pinning the revision and thresholds prevents a later environment change from silently changing what “pass” means.

secrets_rotation_lab_contract:
  secret_name: provider-api-key
  old_version: v1
  new_version: v2
  consumers: [answer-api, indexer]
  grace_window_minutes: 30
  expected_active_version: v2

Run the same fixture unchanged and with one guardrail deliberately violated. The expected transcript makes the gate repeatable by a teammate who was not present when it was authored.

$ python3 -m pytest -q -k "secrets_rotation_lab and contract"
2 passed in 0.41s
$ CONTRACT_REVISION=provider-key-v2 python3 -m pytest -q -k "rejects_stale_evidence"
1 passed in 0.18s

Expected output is a stable pass count plus provider-key-v2 in the report. If another revision appears, inspect fixture loading and environment precedence before changing thresholds. If stale evidence promotes instead of holding, stop: the gate is unsafe even if quality checks pass. Preserve the seed and failing fixture so the result can be reproduced without production traffic.

Checking tutor…

Continue learning · glossary & guides