Integrating key rotation in a CI/CD pipeline ensures cryptographic keys (e.g., API keys, database credentials, TLS certificates) are regularly updated to minimize security risks. Here’s how to do it, with examples and Tencent Cloud recommendations:
Steps to Integrate Key Rotation in CI/CD
1. Automate Key Generation
Use a secrets service such as HashiCorp Vault, AWS Secrets Manager or Tencent Cloud Secrets Manager to generate and store keys securely. The CI/CD pipeline calls that service to fetch or rotate keys instead of keeping them in the repository or pipeline configuration.
Example:
- A script in the pipeline calls the Tencent Cloud Secrets Manager API to create a new version of a secret (e.g., a database password).
2. Update Applications to Use New Keys
Modify deployment scripts to fetch the latest key from the secrets manager. Ensure applications restart or reload configurations dynamically.
Example:
- A Kubernetes deployment hook (via CI/CD) pulls the latest TLS certificate from Tencent Cloud Secrets Manager and updates the pod’s volume.
3. Schedule or Trigger Rotation
- Scheduled Rotation: Use cron jobs in the pipeline (e.g., via GitHub Actions or Jenkins) to rotate keys weekly/monthly.
- Event-Based Rotation: Rotate keys after deployments or security incidents (e.g., a pipeline stage triggers rotation post-deployment).
Example:
- A Tencent Cloud Serverless Function (SCF) runs daily to rotate API keys stored in Secrets Manager and updates dependent services.
4. Validate and Rollback
- Test the new key in a staging environment before production.
- If rotation fails, the pipeline should revert to the previous key (stored in Secrets Manager’s version history).
Example:
- A CI/CD stage deploys a canary release with the new key, monitors logs, and rolls back if errors occur.
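The rotate, validate, roll back loop from steps 1 and 4 as a small pipeline stage. This is an added example, not code from the page or from Tencent Cloud; the `SecretStore` class is a hypothetical in-memory stand-in for a secrets manager with version history, and `validate` is whatever check the stage runs (a staging connection test, canary log inspection) before the new version is promoted.

```python
"""Rotate a secret, validate the new version, and revert on failure."""
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, List


@dataclass
class SecretStore:
    """Hypothetical in-memory secrets manager that keeps every version.

    A real service (e.g. Secrets Manager) keeps the same history; replace
    these methods with the SDK calls for create-version / get / set-current.
    """
    versions: Dict[str, List[str]] = field(default_factory=dict)

    def create_version(self, name: str, value: str) -> int:
        self.versions.setdefault(name, []).append(value)
        return len(self.versions[name])  # 1-based version id

    def current(self, name: str) -> str:
        return self.versions[name][-1]

    def rollback(self, name: str) -> str:
        """Retire the newest version so the previous one is current again."""
        history = self.versions[name]
        if len(history) < 2:
            raise RuntimeError("no previous version to roll back to")
        history.pop()
        return history[-1]


def rotate_with_rollback(store: SecretStore, name: str,
                         validate: Callable[[str], bool]) -> dict:
    """Create a new high-entropy secret, test it, and keep or revert it.

    Returns a summary the pipeline can log: which version is active and
    whether the rotation was kept or rolled back.
    """
    previous = store.current(name)
    candidate = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    version = store.create_version(name, candidate)
    if validate(candidate):
        return {"status": "rotated", "version": version, "active": candidate}
    active = store.rollback(name)
    assert active == previous  # version history guarantees the old value
    return {"status": "rolled_back", "version": version - 1, "active": active}
```

In a real pipeline the rollback would re-point the "current" stage at the prior version rather than delete the failed one, so the failed version stays auditable.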
Tencent Cloud Services for Key Rotation
- Secrets Manager: Securely store and auto-rotate secrets (API keys, DB credentials).
- Key Management Service (KMS): Manage encryption keys and automate key rotation policies.
- SCF (Serverless Cloud Function): Trigger key rotation workflows on a schedule or event.
Example Workflow:
- CI/CD pipeline (e.g., Jenkins on Tencent Cloud CVM) calls Secrets Manager API to rotate a database password.
- KMS generates a new data key for encrypting the updated secret.
- The pipeline updates the application configuration (e.g., via Terraform) to use the new key.
By embedding key rotation into CI/CD, you enforce security best practices without manual intervention.