Secrets rotation with HashiCorp Vault + GHA
With the help of HashiCorp Vault and GitHub Actions, you can automate the secret rotation process and save yourself time

Rotating secrets is one of those things everybody agrees on but few actually implement well. Manually rotating API keys or DB passwords is error-prone, and leaving them static for months is a security risk. The good news: with HashiCorp Vault and GitHub Actions, you can automate this process in a way that’s both secure and repeatable.
Vault excels at managing secrets. Instead of hardcoding API tokens in GitHub or config files, you store them in Vault. Depending on your setup, Vault can either:
- Issue dynamic secrets (e.g. short-lived DB users, AWS creds).
- Rotate static secrets via custom scripts or plugins.
Either way, Vault remains the single source of truth.
You can use GitHub Actions to trigger rotation on a schedule or before deployments. For example, a nightly rotation job might look like this:
name: Rotate Secrets
on:
  schedule:
    - cron: '0 0 * * *' # every midnight UTC
jobs:
  rotate-secrets:
    runs-on: ubuntu-latest
    steps:
      - name: Authenticate to Vault
        uses: hashicorp/vault-action@v2
        with:
          url: ${{ secrets.VAULT_ADDR }}
          method: approle
          roleId: ${{ secrets.VAULT_ROLE_ID }}
          secretId: ${{ secrets.VAULT_SECRET_ID }}
          exportToken: true # exposes VAULT_TOKEN to the following steps
      - name: Rotate DB credentials
        env:
          VAULT_ADDR: ${{ secrets.VAULT_ADDR }}
        run: |
          # Assumes the vault CLI is available on the runner.
          # rotate-role is the endpoint that rotates a role's password; a bare
          # write to database/roles/<name> would only (re)configure the role.
          vault write -force database/rotate-role/app-role
          echo "✅ Database credentials rotated"
This forces Vault to rotate the password behind the DB role, so the next credential read returns new user/password creds.
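The same rotation done over Vault's HTTP API with a check that it actually took effect, as an added example that is not code from the original post. It assumes the database secrets engine is mounted at database/ and that app-role is a static role; FakeVault is a constructed stand-in so the example runs offline, and HttpVault is the client you would use against a real server.

```python
# Added example: rotate a Vault database *static* role and verify the rotation took effect.
# Assumes the database secrets engine is mounted at "database/". Only static roles have a
# rotate endpoint (database/rotate-role/<name>); dynamic roles are re-issued on each read.
import json
import urllib.request


class HttpVault:
    """Minimal Vault HTTP client with token auth (e.g. VAULT_TOKEN from vault-action)."""
    def __init__(self, addr, token):
        self.addr, self.token = addr.rstrip("/"), token

    def request(self, method, path, payload=None):
        data = json.dumps(payload).encode() if payload is not None else None
        req = urllib.request.Request(f"{self.addr}/v1/{path}", data=data, method=method,
                                     headers={"X-Vault-Token": self.token})
        with urllib.request.urlopen(req, timeout=10) as resp:
            body = resp.read()
            return json.loads(body) if body else {}


class FakeVault:
    """Constructed in-memory stand-in so the example runs offline;
    effective=False simulates a rotate call that silently changes nothing."""
    def __init__(self, effective=True):
        self.effective, self.rotations, self.password = effective, 0, "pw-0"

    def request(self, method, path, payload=None):
        if method == "POST" and path == "database/rotate-role/app-role":
            if self.effective:
                self.rotations += 1
                self.password = f"pw-{self.rotations}"
            return {}
        if method == "GET" and path == "database/static-creds/app-role":
            return {"data": {"username": "app", "password": self.password, "ttl": 86400,
                             "last_vault_rotation": f"2024-01-01T00:00:0{self.rotations}Z"}}
        raise KeyError(f"unexpected request {method} {path}")


def rotate_static_role(vault, role):
    """POST database/rotate-role/<role> (the HTTP equivalent of `vault write -force`), then
    re-read static-creds and fail loudly if Vault reports no change (e.g. a misconfigured role)."""
    before = vault.request("GET", f"database/static-creds/{role}")["data"]
    vault.request("POST", f"database/rotate-role/{role}", payload={})
    after = vault.request("GET", f"database/static-creds/{role}")["data"]
    if (after["last_vault_rotation"] == before["last_vault_rotation"]
            or after["password"] == before["password"]):
        raise RuntimeError(f"rotation of {role} did not take effect")
    # ttl: seconds until Vault's next scheduled rotation; refresh cached creds before then.
    return {"username": after["username"], "password": after["password"], "ttl": after["ttl"]}
```

Against a real server, replace FakeVault with HttpVault(os.environ["VAULT_ADDR"], os.environ["VAULT_TOKEN"]) in the workflow step; the returned ttl tells the consumer how long the creds are good before the next rotation.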
Lessons learned
- Use AppRole or GitHub OIDC integration to authenticate your runner against Vault.
- If your app pulls secrets from GitHub Actions secrets, you’ll need to update them after rotation (via the GitHub API). Better yet, fetch directly from Vault at runtime.
- If your job rotates secrets at midnight but your app still uses cached creds, you’ll get failures. Either coordinate deploys with rotation, or set grace periods in Vault.
- Vault logs every rotation — great for compliance and forensics.
Takeaway
Secrets should be treated as short-lived, disposable credentials. By combining Vault’s rotation features with GitHub Actions automation, you move from “rotate once a quarter” to “rotate every night without thinking about it.” The operational cost is low, but the security gain is massive.