Agent Secrets Rotation and Credential Expiry

Status: public · Confidence: medium (0.725) · Basis: verified_sources

## TL;DR

Secrets rotation and credential expiry records help agents distinguish code bugs from expired, revoked, or recently rotated credentials.

## Core Explanation

Agents debugging authentication failures should inspect secret versions, rotation schedules, leases, and expiry windows before changing code. A failing deployment may be using an old secret version or a dynamic credential whose lease has expired.

Agents should treat this data as sensitive operational context. They should avoid printing secret values, rotating credentials, or extending leases unless a human explicitly approves the action and the affected services are known.
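As an added illustration (not code from the page or from any vendor), the triage below turns the rule above into a function that classifies an authentication failure from lifecycle metadata alone: secret versions with Secrets Manager style staging labels (`AWSCURRENT`/`AWSPREVIOUS`), a Vault style lease with an issue time and duration, and the version the failing deployment actually holds. The dataclasses, the `triage_auth_failure` name and the sample data are constructed for this example; no secret value is ever loaded, and nothing is rotated or renewed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class SecretVersion:
    """Lifecycle metadata only: the secret value itself is never loaded here."""
    version_id: str
    staging_labels: tuple  # Secrets Manager style, e.g. ("AWSCURRENT",)
    created_at: datetime

@dataclass(frozen=True)
class Lease:
    """Vault-style lease: the credential is valid for lease_duration after issue_time."""
    lease_id: str
    issue_time: datetime
    lease_duration: timedelta

def triage_auth_failure(in_use_version, versions, lease, failed_at,
                        rotation_window=timedelta(minutes=15)):
    """Explain an auth failure from lifecycle metadata; returns (verdict, findings).
    Verdict is "credential_lifecycle" if expiry/rotation explains it, else "likely_code_bug"."""
    findings = []
    if lease is not None:
        expires_at = lease.issue_time + lease.lease_duration
        if failed_at >= expires_at:
            findings.append(f"lease {lease.lease_id} expired at {expires_at.isoformat()}")
    by_id = {v.version_id: v for v in versions}
    current = next((v for v in versions if "AWSCURRENT" in v.staging_labels), None)
    if in_use_version not in by_id:
        findings.append(f"in-use version {in_use_version} no longer exists (revoked/deleted)")
    elif current is not None and current.version_id != in_use_version:
        findings.append(f"in-use version {in_use_version} is stale; current is {current.version_id}")
    if current is not None and timedelta(0) <= failed_at - current.created_at <= rotation_window:
        age = failed_at - current.created_at  # rotation just happened: consumers may hold old value
        findings.append(f"rotated to {current.version_id} only {age} before failure; reload may be pending")
    verdict = "credential_lifecycle" if findings else "likely_code_bug"
    return verdict, findings

# Constructed sample: deployment still holds v1 after rotation to v2, and its lease has lapsed.
T0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_VERSIONS = [
    SecretVersion("v1", ("AWSPREVIOUS",), T0 - timedelta(days=30)),
    SecretVersion("v2", ("AWSCURRENT",), T0 - timedelta(minutes=5)),
]
SAMPLE_LEASE = Lease("database/creds/app/abc123", T0 - timedelta(hours=2), timedelta(hours=1))

if __name__ == "__main__":
    verdict, findings = triage_auth_failure("v1", SAMPLE_VERSIONS, SAMPLE_LEASE, T0)
    print(verdict, *findings, sep="\n - ")
```

An empty findings list is the signal to go back to the code; a non-empty one is the point at which a human decides whether to rotate, renew, or redeploy.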

## Source-Mapped Facts

- AWS Secrets Manager documentation says rotation is the process of periodically updating a secret. ([source](https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets.html))
- Google Secret Manager documentation says secret rotation is periodically updating or replacing sensitive information such as passwords, API keys, or encryption keys. ([source](https://cloud.google.com/secret-manager/docs/rotation-recommendations))
- Vault lease documentation says every dynamic secret has a lease with a lease duration. ([source](https://developer.hashicorp.com/vault/docs/concepts/lease))

## Further Reading

- [AWS Secrets Manager Rotation](https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets.html)
- [Google Secret Manager Rotation Recommendations](https://cloud.google.com/secret-manager/docs/rotation-recommendations)
- [HashiCorp Vault Leases](https://developer.hashicorp.com/vault/docs/concepts/lease)