sdk/rotation: Prevent rotation attempts on read-only storage (#10762) (#11160) (#11348)

* sdk/rotation: Prevent rotation attempts on read-only storage Rotation is a write operation that mutates both Vault's storage and an external resource. Attempting this on a read-only node (like in a performance secondary cluster) will fail. This check preempts the rotation to prevent a split-brain scenario where the external credential is changed but Vault's storage cannot be updated. * changelog * fix failing test Co-authored-by: John-Michael Faircloth <fairclothjm@users.noreply.github.com>
2026-01-06 01:01:53 +01:00 · 2025-12-15 12:07:41 -05:00 · 2025-12-15 12:07:41 -05:00 · c5ea9f7b2f
commit c5ea9f7b2f
parent 8c5ae09b03
2 changed files with 8 additions and 0 deletions
--- a/changelog/_10762.txt
+++ b/changelog/_10762.txt
@ -0,0 +1,3 @@
+```release-note:improvement
+sdk/rotation: Prevent rotation attempts on read-only storage
+```
--- a/sdk/framework/backend.go
+++ b/sdk/framework/backend.go
@ -725,6 +725,11 @@ func (b *Backend) handleRotation(ctx context.Context, req *logical.Request) (*lo
 		return nil, logical.ErrUnsupportedOperation
 	}

+	// rotation is a write operation, so we short-circuit the request
+	if !b.WriteSafeReplicationState() {
+		return nil, logical.ErrReadOnly
+	}
+
 	err := b.RotateCredential(ctx, req)
 	if err != nil {
 		return nil, err