A secure, API-driven microservice for managing and rotating secrets in AWS using FastAPI, Terraform, and AWS Secrets Manager. This project was built to demonstrate best practices in cloud security, data privacy, and DevSecOps automation.
dineshuday/secrets-rotation-service
Secrets Rotation Service

A secure, API-driven microservice for storing, retrieving, and rotating secrets in AWS Secrets Manager, built with FastAPI, Terraform, and AWS infrastructure.
Designed for internal teams to easily integrate secret management without directly handling credentials, improving security posture and reducing human error.


🚀 Features

  • Secure API Endpoints for retrieving and rotating secrets
  • AWS Secrets Manager Integration for encrypted storage
  • Automated Rotation via AWS EventBridge
  • Infrastructure-as-Code with Terraform
  • JWT Authentication for API requests
  • Least Privilege IAM Policies
  • CloudWatch Logging for audit and compliance

πŸ— Architecture

Architecture Diagram

Flow:

  1. Client authenticates via JWT and calls /get-secret/{name} or /rotate-secret/{name}.
  2. API Gateway routes the request to a Lambda function (FastAPI app).
  3. The Lambda function uses an IAM role with least privilege to access AWS Secrets Manager.
  4. The secret is retrieved or rotated and returned to the client over HTTPS.
  5. EventBridge triggers periodic secret rotation to enforce key hygiene.
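The JWT gate in step 1 of the flow, as an added example rather than the project's own auth.py: a stdlib-only HS256 verifier that pins the algorithm (so an `alg: none` header is refused), compares the signature in constant time, and requires an unexpired `exp` claim. The key, the claim names and the helper names are assumptions; `mint_token` exists only to construct test input.

```python
# Added example (not the project's auth.py): key, claim names and helper
# names are assumptions. Stdlib-only HS256 verification for the API gate.
import base64
import hashlib
import hmac
import json
import time


def b64url_decode(segment: str) -> bytes:
    # JWTs strip base64url padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def mint_token(claims: dict, key: bytes) -> str:
    """Build an HS256 token; used here only to construct test input."""
    header = b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def verify_token(token: str, key: bytes, now=None) -> dict:
    """Return the claims if the token is valid, else raise ValueError.

    Pins alg to HS256 (refuses 'none' / RS256 headers), compares the
    signature in constant time, and requires an unexpired 'exp' claim.
    """
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(payload_b64))
        sig = b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError) as exc:
        raise ValueError("malformed token") from exc
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unsupported alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        raise ValueError("bad signature")
    now = time.time() if now is None else now
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("missing or expired exp")
    return claims
```

In the FastAPI app this would run inside a dependency that reads the `Authorization: Bearer` header and maps `ValueError` to a 401 before any Secrets Manager call is made.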

📂 Project Structure

secrets-rotation-service/
│── src/
│   ├── main.py           # FastAPI app entry point
│   ├── secrets.py        # AWS Secrets Manager functions
│   ├── auth.py           # JWT authentication
│── infra/
│   ├── main.tf           # AWS provider, Lambda, Secrets Manager
│   ├── iam.tf            # IAM roles & policies
│   ├── variables.tf      # Config variables
│── requirements.txt      # Python dependencies
│── README.md
│── docs/
│   ├── architecture.png  # Architecture diagram


⸻

⚙ Deployment

1️⃣ Provision AWS Resources

cd infra
terraform init
terraform apply

2️⃣ Deploy FastAPI to Lambda

Use AWS SAM, Zappa, or Docker-based Lambda packaging.

Example (Zappa):

pip install zappa
zappa init
zappa deploy dev


⸻

πŸ” Security Considerations
	β€’	No Secrets in Code: All secrets are stored in AWS Secrets Manager.
	β€’	Least Privilege: IAM roles only allow access to specific secrets.
	β€’	Encryption at Rest & In Transit: AWS KMS + HTTPS.
	β€’	JWT Auth: Ensures only authorized clients can call the API.
	β€’	Logging & Monitoring: CloudWatch for request tracing and auditing.
	β€’	Regular Rotation: Automated via EventBridge.

⸻

🧪 Example API Usage

Get Secret

curl -H "Authorization: Bearer <jwt_token>" \
     https://<api_gateway_url>/get-secret/api_key

Response:

{
  "secret": "some-secret-value"
}

Rotate Secret

curl -X POST -H "Authorization: Bearer <jwt_token>" \
     https://<api_gateway_url>/rotate-secret/api_key

Response:

{
  "status": "rotated",
  "new_secret": "new-random-value"
}


⸻

📜 License

MIT License
