Rotate keys

Procedure to rotate API keys or credentials

Scope

  • Secrets and credentials stored in Google Cloud Secret Manager.
  • Includes Nest-owned keys plus partner integration credentials.
  • There is no automated rotation for internal keys today.

Preconditions

  • Access to the Secret Manager project that owns the secret.
  • Identify all consuming services/jobs and their deployment pipelines.
  • If the key belongs to a partner, coordinate the cutover window with them.

Procedure

  1. Identify the secret name and current active version.
  2. Create a new secret version in Secret Manager (do not overwrite the existing version).
  3. Update consumers to reference the new version (or latest if appropriate).
  4. Deploy the updated services/jobs through Cloud Deploy and validate in lower environments before production.
  5. Validate production traffic and integration behavior after rollout.
  6. Disable the previous version once the new version is confirmed healthy.
  7. Destroy old/inactive versions according to retention policy.
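
Steps 1, 2, 6 and 7 as gcloud wrappers, with guards so that a version is never disabled while it is still the newest enabled one and never destroyed before it has been disabled. This is an added example, not Nest's own tooling; the function names are hypothetical, and the project, secret and version are supplied by the caller.

```bash
#!/usr/bin/env bash
# Added example. PROJECT, SECRET and OLD are caller-supplied values.

# Step 1: print the newest ENABLED version number of SECRET.
active_version() {  # usage: active_version PROJECT SECRET
  local name
  name=$(gcloud secrets versions list "$2" --project="$1" \
    --filter="state=ENABLED" --sort-by="~createTime" --limit=1 \
    --format="value(name)") || return 1
  [ -n "$name" ] || { echo "no ENABLED version of $2" >&2; return 1; }
  echo "${name##*/}"  # accept a bare number or a full resource path
}

# Step 2: add a version. The payload is read from stdin, so this function
# never passes it as a command-line argument or writes it to a temp file.
# Prints the new version number.
add_version() {  # usage: add_version PROJECT SECRET < payload
  local name
  name=$(gcloud secrets versions add "$2" --project="$1" \
    --data-file=- --format="value(name)") || return 1
  echo "${name##*/}"
}

# Step 6: disable OLD, but refuse (status 2) while OLD is still the newest
# enabled version, i.e. no replacement version exists yet.
retire_version() {  # usage: retire_version PROJECT SECRET OLD
  local active
  active=$(active_version "$1" "$2") || return 1
  if [ "$active" = "$3" ]; then
    echo "refusing: $3 is still the newest enabled version of $2" >&2
    return 2
  fi
  gcloud secrets versions disable "$3" --secret="$2" --project="$1"
}

# Step 7: a disabled version can be re-enabled (see Rollback); a destroyed
# one cannot. Only destroy a version that is already DISABLED.
destroy_version() {  # usage: destroy_version PROJECT SECRET OLD
  local state
  state=$(gcloud secrets versions describe "$3" --secret="$2" \
    --project="$1" --format="value(state)") || return 1
  [ "$state" = "DISABLED" ] || { echo "refusing: $3 is $state" >&2; return 2; }
  gcloud secrets versions destroy "$3" --secret="$2" --project="$1" --quiet
}
```

The guard in retire_version only proves a newer version exists; whether consumers have actually moved to it is still established by steps 3 to 5 and the Validation checks.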

Validation

  • Confirm health endpoints and key integration flows are green.
  • Check logs for authentication errors or partner API failures.
  • Verify no services are still reading the disabled version.

Rollback

  1. Re-enable the previous secret version.
  2. Point consumers back to the previous version.
  3. Roll back the affected services via Cloud Deploy.

Notes

  • Secret Manager is the source of truth for keys and credentials.
  • Always disable old versions after the new version is in use, then destroy old/inactive versions to reduce exposure.
