grafclouds.com / documents / training / devops-challenges / secrets-rotation-broke-prod

Secrets Rotation Took Down Prod at 3 AM. Pin Credentials?

Advanced ~13 min read
Security

Scenario

Shortly after 3 AM, a newly automated rotation job changed the production database password: it updated the database and wrote the new value to the secrets manager, exactly as designed. What it did not account for was every service that had already read the old value — connection pools and cached configs across a dozen services kept presenting the retired credential, authentication failures cascaded, and production was down for an hour and a half. The rollout had every classic mistake at once: first production run applied fleet-wide, executed overnight, and no alerting on authentication-failure rates. The rotation itself only existed because a security audit required it.

In the blameless-in-name-only postmortem, a colleague draws the hard line: "Automation just proved it can take us down. Pin the credentials, rotate by hand once a year, and we never have this outage again."

The Quick Fix on the Table

Disable automated rotation and pin long-lived credentials. The outage class disappears immediately, nobody gets paged at 3 AM by a rotation job, and the change costs nothing today.

Interview · Round 1

The quick fix is on the table and the room is waiting for your call. Would you sign off on it? Take a position and justify it — out loud or on paper — before revealing the analysis.