## Introduction

Expired secrets in CI/CD pipelines cause sudden deployment failures that are difficult to diagnose. API tokens, Docker registry credentials, cloud provider keys, and SSH certificates all have expiration dates that must be managed.

## Symptoms

- Pipeline fails with: "unauthorized: authentication required"
- Error: "The security token included in the request is expired"
- Error: "401 Unauthorized" from artifact registries
- SSH deployment key rejected
- Pipeline worked yesterday but fails today

## Common Causes

- Docker registry token expired (default 1 year for GCP, variable for others)
- Cloud provider temporary credentials expired (STS tokens)
- SSH certificate expired
- API key rotation without updating CI/CD secrets
- OAuth refresh token revoked or expired

## Step-by-Step Fix

1. **Identify which secret is expired**: Check pipeline logs for authentication errors. Common patterns:
   - Docker: "unauthorized: Token has expired"
   - AWS: "ExpiredToken: The security token included in the request is expired"
   - GCP: "Request had invalid authentication credentials"
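2. **Update the expired secret**:

   ```bash
   # GitHub Actions
   gh secret set DOCKER_PASSWORD --body "new-password"
   # GitLab CI: there is no `gitlab-ci` CLI; update the project variable through the REST API.
   # gitlab.example.com, $GITLAB_TOKEN and $PROJECT_ID are placeholders for your instance, token and project.
   curl --request PUT --header "PRIVATE-TOKEN: $GITLAB_TOKEN" \
     --form "value=new-value" \
     "https://gitlab.example.com/api/v4/projects/$PROJECT_ID/variables/EXPIRED_SECRET"
   ```

3. **Set up automated credential rotation**:

   ```bash
   # For AWS, use IAM roles instead of access keys
   # For GCP, use Workload Identity Federation
   # For Docker, use credential helpers
   ```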
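
For step 1, the log check can be scripted. The following is an added example, not part of the original page: it counts the error strings listed above in a saved pipeline log and reports which credential type to rotate. The function names, the labels, the sample log and the SSH pattern (the usual OpenSSH "Permission denied (publickey)" message) are assumptions made for illustration.

```bash
#!/bin/sh
# Added example: map expired-credential errors in a CI log to the secret to rotate.

# classify_auth_failures LOGFILE
# Prints "label count" for each credential type whose error signature appears
# in LOGFILE (count = number of matching lines). Returns 1 if nothing matched.
classify_auth_failures() {
  caf_log=$1
  caf_status=1
  # Table format: label@extended-regex. The strings are the errors quoted on
  # this page, except ssh-deploy-key, which is an assumed OpenSSH message.
  while IFS='@' read -r caf_label caf_pattern; do
    # grep -c prints 0 and exits 1 when nothing matches, hence "|| true".
    caf_n=$(grep -c -i -E -- "$caf_pattern" "$caf_log" || true)
    if [ "${caf_n:-0}" -gt 0 ]; then
      printf '%s %s\n' "$caf_label" "$caf_n"
      caf_status=0
    fi
  done <<'EOF'
docker-registry@unauthorized: (Token has expired|authentication required)
aws-sts@ExpiredToken|security token included in the request is expired
gcp@Request had invalid authentication credentials
artifact-registry@401 Unauthorized
ssh-deploy-key@Permission denied \(publickey
EOF
  return "$caf_status"
}

# Constructed sample log for trying the function (not from a real pipeline).
sample_log() {
  cat <<'EOF'
2024-01-01T10:00:01Z step=build ok
2024-01-01T10:00:07Z Error response from daemon: unauthorized: Token has expired
2024-01-01T10:00:09Z An error occurred (ExpiredToken) when calling the PutObject operation: The security token included in the request is expired
2024-01-01T10:00:12Z upload failed: 401 Unauthorized
2024-01-01T10:00:13Z retry upload failed: 401 Unauthorized
EOF
}

# When run as a script with a log file argument, classify that file.
if [ "$#" -ge 1 ]; then
  classify_auth_failures "$1"
fi
```

A non-zero exit with no output means none of the known signatures appeared, so the failure is probably not an expired credential of these types.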