Security
Secret Cleanup: Remove Old Environment Variables and Tokens
Secret cleanup is a rotation and consumer-discovery problem. Old environment variables and tokens often survive because nobody knows which deploy target, worker, cron job, or vendor callback still reads them.
The useful output is a secret retirement record with consumer map, rotation timeline, cutover evidence, copied-value cleanup, and final revoke date. Keep the review concrete: Rotate to a new value before deleting the old secret, then make the next action visible to the team that owns the risk. That matters because the cleanup can still go wrong when deleting a secret before every consumer rotates.
Key takeaways
- Treat each cleanup candidate as an owned system with dependencies, not anonymous clutter.
- Use one deploy cycle plus the longest scheduled-job and token-renewal interval before deciding that “quiet” means “unused.”
- Prefer reversible changes first when deleting a secret before every consumer rotates is still plausible.
- Leave behind a secret retirement record with consumer map, rotation timeline, cutover evidence, copied-value cleanup, and final revoke date so the next review starts with context.
- Measure the result as lower spend, lower risk, less operational drag, or clearer ownership.
Find Every Consumer
Start with one secret family across environment variables, secret stores, CI settings, deployment manifests, local docs, and vendor configuration. The best cleanup scope is small enough that owners can answer quickly but wide enough to include the attachments that make removal risky.
| Field | Why it matters |
|---|---|
| Owner | Cleanup needs a person or team that can accept the decision |
| Current purpose | A short reason to keep the item, written in present tense |
| Last meaningful use | last use, permission scope, owner, rotation age, and reachable systems |
| Dependency evidence | audit logs, deployment references, identity provider records, and service owners |
| Risk if wrong | The outage, data loss, access failure, or rollback gap the review must avoid |
| Next action | Keep, reduce, archive, disable, remove, or investigate |
Do not make the inventory larger than the decision. A short list with owners and evidence beats a perfect spreadsheet that nobody is willing to act on.
Secret Evidence to Collect
The useful question is not “how old is it?” It is “what would break, become harder to recover, or lose accountability if this disappeared?” For secret cleanup, collect enough evidence to answer that without relying on naming conventions.
| Check | What to look for | Cleanup signal |
|---|---|---|
| Consumer search | Repository references, deployment templates, CI variables, runtime config, and runbooks | No active system reads the old name or token |
| Last use | Provider audit logs, application auth failures, token metadata, and downstream API calls | The token has no legitimate recent use |
| Rotation state | New secret deployed, old and new accepted during cutover, and rollback owner | Consumers can move without an outage |
| Copy cleanup | Local .env examples, docs, screenshots, tickets, and old CI contexts | The old value will not be rediscovered and reused |
Use several signals together. Activity can miss monthly jobs and incident-only paths. Ownership can be stale. Cost can distract from security or recovery risk. The strongest case combines runtime data, dependency checks, owner review, and a rollback plan.
If the evidence conflicts, label the item “investigate” with a named owner and review date. That is still progress because the next review starts with a narrower question.
Example Evidence Check
Find consumers by secret name and by old variable aliases before rotating.
rg "PAYMENTS_API_TOKEN|PAYMENTS_TOKEN|payments_secret" src infra .github docs
rg "envFrom|secretKeyRef|secrets\." deploy k8s terraform
rg "PAYMENTS_API_TOKEN" runbooks support docsTreat the output as a candidate list. Do not pipe these checks into delete commands; add owner review, dependency checks, and a rollback path first.
Rotate Before Revoke
Use the least permanent move that proves the decision. In secret cleanup, removal is only one possible outcome; reducing size, narrowing permission, shortening retention, archiving, or disabling a trigger may produce the same benefit with less risk.
- Rotate to a new value before deleting the old secret.
- Move consumers one deploy target at a time while watching authentication errors.
- Remove old variable names, docs, CI settings, and vendor tokens after all consumers cut over.
Track the cleanup candidate with a simple priority score:
| Score | Good sign | Bad sign |
|---|---|---|
| Impact | Meaningful spend, risk, toil, noise, or confusion disappears | The item is cheap and low-risk but politically distracting |
| Confidence | Owner, purpose, and dependency path are understood | The team is guessing from age or name |
| Reversibility | Restore, recreate, re-enable, or rollback path exists | Deletion would be the first real test |
| Prevention | A rule can stop recurrence | The same pattern will return next month |
Start with high-impact, high-confidence, reversible candidates. Defer confusing items only if they get an owner and a date; otherwise “defer” becomes another word for keeping waste permanently.
Secrets You Should Not Rush
Some cleanup candidates are supposed to look quiet. Do not rush these cases:
- Payment, email, identity, and vendor integrations with limited audit visibility.
- Long-running workers, scheduled jobs, and old release branches that do not restart often.
- Secrets copied into local developer files, support docs, or emergency runbooks.
For these cases, use a longer observation window, explicit owner approval, and a staged reduction. The point is not to avoid cleanup; it is to avoid making the first proof of dependency an outage.
Run the Secret Cutover
Run secret cleanup as a decision review, not an open-ended hygiene project.
- Pick the narrow scope and export the candidate list.
- Add owner, current purpose, last-use evidence, dependency checks, and risk if wrong.
- Remove obvious false positives, then ask owners to choose keep, reduce, archive, disable, remove, or investigate.
- Apply the least permanent useful change first.
- Watch the signals that would reveal a bad decision.
- Complete the final removal only after the review window closes.
- Save a secret retirement record with consumer map, rotation timeline, cutover evidence, copied-value cleanup, and final revoke date.
For broader cleanup planning, use the cleanup library to pair this guide with related notes. If the cleanup has infrastructure impact, pair it with a visible owner, a rollback path, and a measurable business case. For infrastructure cleanup, the main cloud cost optimization checklist is a useful companion.
Make Secrets Expire Cleanly
Prevention should change the creation path, not just the cleanup path. For secret cleanup, the useful prevention fields are owner, expiry date, least-privilege scope, rotation schedule, and removal notes. Make those fields part of normal creation and review.
- Create secrets with owner, consumer list, rotation schedule, and expiry where possible.
- Prefer managed identity or short-lived tokens over permanent shared credentials.
- Fail builds when new environment variables are undocumented or unowned.
The recurring review should be short: sort by impact, pick the unclear items, assign owners, and close the loop on anything nobody claims. If the review keeps producing the same class of candidate, fix the creation path instead of celebrating repeated cleanup.
Example Decision Record
Use a compact record so the cleanup can be reviewed later without reconstructing the whole investigation.
| Field | Example entry for this cleanup |
|---|---|
| Candidate | Stale secrets in applications and deployment systems |
| Why it looked stale | Low recent activity, unclear owner, or no current consumer after the first review |
| Evidence checked | Consumer search, Last use, and owner confirmation |
| First reversible move | Rotate to a new value before deleting the old secret |
| Watch signal | The metric, alert, job, route, query, or owner complaint that would show the cleanup was wrong |
| Final action | Keep, reduce, archive, disable, or remove after one deploy cycle plus the longest scheduled-job and token-renewal interval |
| Prevention rule | Create secrets with owner, consumer list, rotation schedule, and expiry where possible |
This record is intentionally small. If the decision needs a long narrative, the candidate is probably not ready for removal yet. Keep investigating until the owner, evidence, reversible move, and prevention rule are clear.
FAQ
How often should teams do secret cleanup?
Use one deploy cycle plus the longest scheduled-job and token-renewal interval for the first decision, then set a recurring cadence based on change rate. Fast-moving non-production systems may need monthly review; slower systems can be quarterly if every unclear item has an owner and a review date.
What is the safest first action?
The safest first action is usually ownership repair plus evidence collection. After that, rotate to a new value before deleting the old secret. That creates a visible test before permanent deletion.
What should not be removed quickly?
Do not rush anything connected to payment, email, identity, and vendor integrations with limited audit visibility. Also slow down when the cleanup affects recovery, compliance, customer-specific behavior, rare schedules, or security response.
How do you make the decision useful later?
Write the decision as a small operational record: candidate, owner, evidence, chosen action, watch signals, rollback path, final date, and prevention rule. That format helps future engineers, search engines, and AI assistants understand the cleanup without guessing.