By centralising the secrets storage, you make it easier to change the secrets in one place rather than having to change a bunch of variables everywhere.
As for how you change the secrets? You should have some automated way of pulling the current secret out of the vault, storing a future secret in the vault, performing an upgrade of the secrets, verifying the new secrets are deployed everywhere, and then moving the "future secret" into "current secret" and keeping a historical copy of the "previous secret".
Whatever configures your infrastructure automatically will already need to have root access to everything and so that's a good place to implement the rotation.
As for how you change the secrets? You should have some automated way of pulling the current secret out of the vault, storing a future secret in the vault, performing an upgrade of the secrets, verifying the new secrets are deployed everywhere, and then moving the "future secret" into "current secret" and keeping a historical copy of the "previous secret".
Whatever configures your infrastructure automatically will already need to have root access to everything and so that's a good place to implement the rotation.