Recipe

Secret management lifecycle writer

A step-by-step recipe for building a secure secret rotation writer that integrates with Meridian's lifecycle engine.

Overview

This recipe walks through creating a lifecycle writer that manages secret rotation across staging and production environments. You will learn how to define rotation policies, handle rollback on failure, and emit audit events.

Prerequisites

  • Meridian CLI v2.4+ installed and authenticated
  • At least one environment registered in your workspace
  • A secret store backend (Vault, AWS Secrets Manager, or Doppler)

Step 1 — Scaffold the writer

meridian init writer --type secret-rotation --name my-rotator

This generates a TypeScript project with the lifecycle writer interface stubbed out.

Step 2 — Define rotation policy

Open the generated policy.ts file and configure the rotation interval, maximum secret age, and the target environments. Meridian enforces these constraints before invoking your writer.

Step 3 — Implement the rotate hook

The rotate() method receives the current secret metadata. Generate a new value, push it to your secret store, and return the updated metadata. If the store write fails, throw a RotationError to trigger automatic rollback.

Step 4 — Deploy and verify

Run meridian deploy to register the writer. Use the dashboard to trigger a manual rotation and confirm audit logs appear in real time.
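A worked rotate() hook for Step 3, added here as an example rather than code produced by meridian init or taken from Meridian's SDK; the SecretMetadata and SecretStore shapes, the RotationError class, the audit callback and the InMemoryStore backend are assumptions standing in for the generated interfaces:

```typescript
import { randomBytes } from "node:crypto";

// Assumed shape of the metadata the engine passes to rotate(); the real generated type may differ.
interface SecretMetadata {
  name: string;
  version: number;
  environment: "staging" | "production";
  rotatedAt: string; // ISO-8601 timestamp of the last successful rotation
}

// Assumed backend adapter interface (a Vault, AWS Secrets Manager or Doppler adapter would implement it).
interface SecretStore {
  write(name: string, version: number, value: string): Promise<void>;
}

// Assumed error class: the recipe says throwing RotationError triggers automatic rollback,
// so it carries the last-known-good metadata the engine should restore.
class RotationError extends Error {
  constructor(message: string, readonly previous: SecretMetadata) {
    super(message);
    this.name = "RotationError";
  }
}

// In-memory store for the example; failOnVersion simulates a backend outage on one write.
class InMemoryStore implements SecretStore {
  private readonly values = new Map<string, string>();
  constructor(private readonly failOnVersion?: number) {}
  async write(name: string, version: number, value: string): Promise<void> {
    if (version === this.failOnVersion) throw new Error("backend unavailable (simulated)");
    this.values.set(`${name}:${version}`, value);
  }
  versions(name: string): number[] {
    return Array.from(this.values.keys()).filter((k) => k.startsWith(`${name}:`)).map((k) => Number(k.split(":")[1]));
  }
}

// The rotate hook: the new value (32 CSPRNG bytes, hex-encoded) is written under the next version so the
// current version stays intact until the engine retires it; the value itself never reaches audit events.
async function rotate(current: SecretMetadata, store: SecretStore, audit: (event: string) => void): Promise<SecretMetadata> {
  const next: SecretMetadata = { ...current, version: current.version + 1, rotatedAt: new Date().toISOString() };
  try {
    await store.write(next.name, next.version, randomBytes(32).toString("hex"));
  } catch (err) {
    audit(`rotation_failed name=${next.name} from=${current.version} to=${next.version}`);
    throw new RotationError(`store write failed: ${(err as Error).message}`, current);
  }
  audit(`rotated name=${next.name} version=${next.version} env=${next.environment}`);
  return next;
}
```

The failure path is the one to exercise before deploying: a store outage must leave the previous version untouched and surface as a RotationError that still carries the metadata the engine rolls back to.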

Next steps

Explore the Lifecycle Engine reference for advanced hooks and error recovery patterns.