$19
Secret Rotator
Manage secret rotation for API keys, passwords, and tokens with configurable policies.
JSON · Markdown · Python
📁 File Structure 10 files
secret-rotator/
├── LICENSE
├── README.md
├── examples/
│   └── rotation_config.json
├── free-sample.zip
├── guide/
│   ├── 01_features.md
│   ├── 02_quick-start.md
│   ├── 03_configuration-reference.md
│   └── 04_license.md
├── index.html
└── src/
    └── secret_rotator.py
📖 Documentation Preview README excerpt
Secret Rotator
Manage secret rotation for API keys, passwords, and tokens with configurable policies, provider hooks, and automatic rollback on failure. Never let credentials go stale.
Features
- Automated rotation — rotate secrets based on configurable max-age policies (default: 90 days)
- Provider hooks — built-in support for Stripe, generic API keys, and password generation
- Rollback on failure — automatic backup and restore if rotation fails
- Age checking — scan all secrets and flag stale credentials with `--check-age`
- Secure backups — HMAC-verified backup before every rotation
- Cryptographic generation — secrets generated via Python's `secrets` module (CSPRNG)
- JSON config-driven — define all secrets and policies in a single config file
- Audit trail — rotation events logged for compliance and debugging
Requirements
- Python 3.10+
- No external dependencies (stdlib only)
Quick Start
# Rotate all secrets that exceed their max age
python src/secret_rotator.py --config secrets.json --rotate
# Check which secrets are stale
python src/secret_rotator.py --config secrets.json --check-age
# Roll back a specific secret to its previous value
python src/secret_rotator.py --config secrets.json --rollback api-key-prod
Output
Console output shows rotation status per secret (rotated, skipped, failed, rolled back). The config file is updated in place with new values and timestamps.
Configuration Reference
Define your secrets in JSON (see examples/rotation_config.json):
{
  "secrets": [
    {
      "name": "STRIPE_API_KEY",
      "provider": "stripe",
      "max_age_days": 90,
      "current_value": "sk-EXAMPLE...",
      "last_rotated": "2026-01-15T00:00:00Z"
    },
    {
      "name": "DB_PASSWORD",
      "provider": "password",
      "max_age_days": 60,
      "length": 32,
      "charset": "alphanumeric_special"
    }
  ]
}
*... continues with setup instructions, usage examples, and more.*
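The age check, HMAC-verified backup and rollback-on-failure features listed above can be sketched against the config shape shown here. This is an added example, not code from `secret_rotator.py`: the function names, the backup record layout, the fixed alphabet, the treatment of a missing `last_rotated` as stale, and the `apply_hook` provider callback are all assumptions.

```python
import hashlib, hmac, json
import secrets, string
from datetime import datetime, timedelta, timezone

DEFAULT_MAX_AGE_DAYS = 90  # default stated in the feature list

def is_stale(entry, now):
    """True when the entry is older than max_age_days; no last_rotated counts as stale (assumption)."""
    stamp = entry.get("last_rotated")
    if not stamp:
        return True
    rotated = datetime.fromisoformat(stamp.replace("Z", "+00:00"))
    return now - rotated > timedelta(days=entry.get("max_age_days", DEFAULT_MAX_AGE_DAYS))

def mac_tag(key, payload):
    return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()

def make_backup(entry, key):
    """Serialize the entry canonically and attach an HMAC-SHA256 tag (assumed record layout)."""
    payload = json.dumps(entry, sort_keys=True)
    return {"payload": payload, "tag": mac_tag(key, payload)}

def restore_backup(backup, key):
    """Return the saved entry only if its tag verifies, using a constant-time comparison."""
    if not hmac.compare_digest(mac_tag(key, backup["payload"]), backup["tag"]):
        raise ValueError("backup failed HMAC verification")
    return json.loads(backup["payload"])

def rotate(entry, key, apply_hook, now):
    """Back up, generate a value with the CSPRNG, call the provider hook, restore on failure."""
    backup = make_backup(entry, key)
    alphabet = string.ascii_letters + string.digits  # fixed alphabet; charset names are not mapped
    value = "".join(secrets.choice(alphabet) for _ in range(entry.get("length", 32)))
    candidate = dict(entry, current_value=value, last_rotated=now.strftime("%Y-%m-%dT%H:%M:%SZ"))
    try:
        apply_hook(candidate)  # hypothetical provider hook; raises when the provider rejects
        return candidate, "rotated"
    except Exception:
        return restore_backup(backup, key), "rolled back"

# Constructed sample data in the shape of the config above
NOW = datetime(2026, 6, 1, tzinfo=timezone.utc)
KEY = b"constructed-demo-hmac-key"  # keep the real key outside the config file it protects
ENTRIES = [
    {"name": "STRIPE_API_KEY", "provider": "stripe", "max_age_days": 90,
     "current_value": "sk-EXAMPLE-constructed", "last_rotated": "2026-01-15T00:00:00Z"},
    {"name": "DB_PASSWORD", "provider": "password", "max_age_days": 60, "length": 32},
]
```

The HMAC tag only protects the backup if the key is stored separately from both the backup and the config; a key kept alongside them lets anyone who can edit the backup recompute the tag.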
📄 Code Sample .py preview
src/secret_rotator.py
#!/usr/bin/env python3
"""
Secret Rotator — Security Kit (DataNest)

Manages secret rotation for API keys, passwords, and tokens. Supports
provider hooks for automated rotation and rollback on failure.

Usage:
    python secret_rotator.py --config secrets.json --rotate
    python secret_rotator.py --config secrets.json --check-age
    python secret_rotator.py --config secrets.json --rollback api-key-prod

Dependencies: Python 3.10+ stdlib only (no pip packages)
License: MIT
"""
from __future__ import annotations

import argparse
import hashlib
import hmac
import json
import logging
import os
import secrets
import shutil
import sys
from dataclasses import dataclass, field, asdict
from datetime import datetime, timezone, timedelta
from pathlib import Path
from typing import Any, Callable

# ---------------------------------------------------------------------------
# Constants
# ---------------------------------------------------------------------------
logger = logging.getLogger("secret_rotator")

# Default rotation policy: rotate secrets older than this many days
DEFAULT_MAX_AGE_DAYS = 90

# Minimum password lengths by tier
MIN_PASSWORD_LENGTH = {"low": 12, "medium": 16, "high": 24, "critical": 32}

# ---------------------------------------------------------------------------
# Data models
# ---------------------------------------------------------------------------
@dataclass
class SecretEntry:
    # ... 424 more lines ...