Secrets Rotation and Security
Secret expiry, rotation strategies, and vault solutions (AWS Secrets Manager).
Why Secrets Need to Be Rotated
Even if a secret is never explicitly exposed, rotating it regularly limits the damage of an undetected breach. A key that was silently stolen 6 months ago becomes useless after rotation.
Many security standards (SOC 2, PCI-DSS) require periodic secret rotation. Building rotation-friendly agent code is a professional practice.
API Key Expiry Policies
Different providers have different expiry policies. Some allow you to set expiry dates on keys; others issue keys that never expire unless manually rotated. Audit your keys regularly and set calendar reminders for manual rotation.
# Key rotation schedule by provider (as of mid-2025):
# OpenAI: no automatic expiry, rotate manually every 90 days
# Anthropic: no automatic expiry, rotate manually every 90 days
# Google Cloud: API keys can have expiry dates set in the console
# AWS: IAM access keys have no automatic expiry; rotate every 90 days (AWS Security Hub recommendation)
# Tavily: no automatic expiry, rotate on suspected compromise
# Best practices:
# - Set a recurring calendar event: 'Rotate API keys'
# - Document when each key was last rotated
# - Store rotation date in a secrets manager, not a spreadsheet
print('Schedule key rotation every 60-90 days as a standing task')
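Rotation-friendly agent code, as an added example that is not part of the lesson: secrets are read through a short-lived cache instead of being copied at import time, so a rotated key is picked up without restarting the agent, and a small audit helper flags keys whose recorded rotation date is past the 90-day cadence above. The `fetch` callable, the `store` dictionary and the dates are constructed stand-ins for a real secrets manager lookup.

```python
"""Rotation-friendly secret access: re-read secrets on demand and flag stale keys."""
from __future__ import annotations

import time
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Callable

ROTATION_PERIOD_DAYS = 90  # the 90-day cadence used in the schedule above


@dataclass
class RotatingSecret:
    """Fetch a secret through `fetch` and cache it for `ttl_seconds`.

    Callers ask for value() on every use instead of keeping the key in a global,
    so after the secret is rotated in its store the new value is picked up within
    one TTL (or immediately after invalidate()).
    """
    fetch: Callable[[], str]          # assumed: any callable returning the current secret
    ttl_seconds: float = 300.0
    _cached: str | None = field(default=None, init=False)
    _expires_at: float = field(default=0.0, init=False)

    def value(self, now: float | None = None) -> str:
        now = time.monotonic() if now is None else now
        if self._cached is None or now >= self._expires_at:
            self._cached = self.fetch()
            self._expires_at = now + self.ttl_seconds
        return self._cached

    def invalidate(self) -> None:
        """Drop the cache, e.g. after the provider rejects the key, to force a re-fetch."""
        self._cached = None


def overdue_keys(last_rotated: dict[str, date], today: date,
                 max_age_days: int = ROTATION_PERIOD_DAYS) -> list[str]:
    """Return the names of keys whose last rotation is older than max_age_days."""
    cutoff = today - timedelta(days=max_age_days)
    return sorted(name for name, rotated in last_rotated.items() if rotated < cutoff)


if __name__ == "__main__":
    store = {"OPENAI_API_KEY": "sk-old-placeholder"}   # constructed fake secret store
    secret = RotatingSecret(fetch=lambda: store["OPENAI_API_KEY"], ttl_seconds=60)
    print(secret.value(now=0))     # sk-old-placeholder
    store["OPENAI_API_KEY"] = "sk-new-placeholder"      # rotation happens in the store
    print(secret.value(now=30))    # still cached: sk-old-placeholder
    print(secret.value(now=61))    # TTL expired, re-fetched: sk-new-placeholder
    rotated = {"OPENAI_API_KEY": date(2025, 1, 1), "TAVILY_API_KEY": date(2025, 5, 1)}
    print(overdue_keys(rotated, today=date(2025, 6, 1)))  # ['OPENAI_API_KEY']
```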