From c5ea9f7b2fb20f56fb7e5877d3098d5df3d91083 Mon Sep 17 00:00:00 2001 From: Vault Automation Date: Mon, 15 Dec 2025 12:07:41 -0500 Subject: [PATCH] sdk/rotation: Prevent rotation attempts on read-only storage (#10762) (#11160) (#11348) * sdk/rotation: Prevent rotation attempts on read-only storage Rotation is a write operation that mutates both Vault's storage and an external resource. Attempting this on a read-only node (like in a performance secondary cluster) will fail. This check preempts the rotation to prevent a split-brain scenario where the external credential is changed but Vault's storage cannot be updated. * changelog * fix failing test Co-authored-by: John-Michael Faircloth
---
changelog/_10762.txt | 3 +++ sdk/framework/backend.go | 5 +++++ 2 files changed, 8 insertions(+) create mode 100644 changelog/_10762.txt
diff --git a/changelog/_10762.txt b/changelog/_10762.txt
new file mode 100644
index 0000000000..c2bc0d3284
--- /dev/null
+++ b/changelog/_10762.txt
@@ -0,0 +1,3 @@
+```release-note:improvement
+sdk/rotation: Prevent rotation attempts on read-only storage
+```
diff --git a/sdk/framework/backend.go b/sdk/framework/backend.go
index 23d528e636..47538b6599 100644
--- a/sdk/framework/backend.go
+++ b/sdk/framework/backend.go
@@ -725,6 +725,11 @@ func (b *Backend) handleRotation(ctx context.Context, req *logical.Request) (*lo
 return nil, logical.ErrUnsupportedOperation
 }
 
+ // rotation is a write operation, so we short-circuit the request
+ if !b.WriteSafeReplicationState() {
+ return nil, logical.ErrReadOnly
+ }
+
 err := b.RotateCredential(ctx, req)
 if err != nil {
 return nil, err
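Review bot: The new guard in handleRotation is a point-in-time check: `b.WriteSafeReplicationState()` is evaluated once, before `b.RotateCredential(ctx, req)`, so a node that stops being write-safe between the two calls could still change the external credential without persisting it, which is the split-brain case the commit message describes. The hunk does not show how RotateCredential implementations behave when the storage write fails after the external change, so that path is worth confirming rather than treating this check as the only protection. The added comment would also help more if it carried the reason from the commit message, e.g. `// Rotation mutates an external credential and Vault storage; refuse on read-only nodes so the two cannot diverge.` The diffstat lists only the changelog and backend.go, so a test asserting `logical.ErrReadOnly` for a read-only replication state appears to be missing from this patch. handleRotation begins and ends outside the hunk.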