Secret lifetimes

[domenkozar]

Ideally, secrets live for a certain amount of time, then it's time to request a new secret.

There are two aspects where this becomes tricky:

• keep the state of how long the secret is still valid for
• provide an api when to reload the app after a new secret is fetched

The API would look something like:

let secrets = SecretSpec::builder().load()?;

for secret in secrets.next() {
   ...
}

for mysecret in secrets.mysecret.next() {
   ...
}

[aggaksha]

It depends on how secrets are being loaded when needed. If the env file captures a secret reference/ name (such as Secret ARN from AWS Secrets Manager), the env file is evaluated to the run time, and secret value are fetched at that time, you will have the latest value of secret. Of course, once evaluated to secret value, it can not be updated without re-starting the application.
With secret rotation being an async process on AWS Secrets Manager, we have solved this problem through our open source clients such as Secrets Manager Agent and CSI Driver. Happy to engage with the team and help solve this industry-wide challenge.

[domenkozar]

This will come after #9