-
Notifications
You must be signed in to change notification settings - Fork 4
Rotating secrets
Ben Corlett edited this page Apr 19, 2024
·
10 revisions
- API key for our apps to talk to our API
- API key for our apps to talk to document download API
- API key for our apps to talk to template preview
For our applications to talk our API they must use one of the API keys found in internal_client_api_keys
in credentials/<env>/ssm/
. If you want to rotate these keys then you should:
- Add the new secret to
credentials/<env>/ssm/internal_client_api_keys
- Deploy the API so it now allows apps to auth with the new secret
- Change e.g.
credentials/staging/ssm/admin_client_secret
to be the new secret - Deploy the affected apps e.g. document-download-frontend and the admin app
- Remove the old secret from
credentials/<env>/ssm/internal_client_api_keys
- Deploy the API to preview and then run functional tests for all the other apps (antivirus, document download etc) to check they can still talk to the API. If so, you can then continue to deploy the API to production
For our applications to talk to the document download API they must use one of the API keys found in auth_tokens
in credentials/<env>/ssm/
. If you want to rotate these keys then you should:
- Add the new secret to
credentials/<env>/ssm/auth_tokens
using a:
separated list, for examplesecret1:secret2
- Deploy the document download API so it now allows apps to auth with the new secret
- Change
credentials/<env>/ssm/document_download_api_key
andDOCUMENT_DOWNLOAD_API_KEY
incredentials/functional-tests/<env>-functional
to be the new secret - Deploy the API
- Remove the old secret from
credentials/<env>/ssm/auth_tokens
- Deploy the document download API to preview and then run functional tests for all the other apps (admin, api, document download, antivirus) to check they can still talk to the document download API. If so, you can then continue to deploy the document download API to production
For our applications to talk to the template preview they must use one of the API keys found in template_preview_internal_secrets
in credentials/<env>/ssm
. If you want to rotate these keys then you should:
- Add the new secret to
credentials/<env>/ssm/template_preview_internal_secrets
- Deploy template preview so it now allows apps to auth with the new secret
- Change
template_preview_api_key
incredentials/<env>/ssm
- Deploy the API and the admin apps
- Remove the old secret from
credentials/<env>/ssm/template_preview_internal_secrets
- Deploy template preview to preview and then run functional tests for the admin app and api to check they can still talk to template preview. If so, you can then continue to deploy template preview to production