Rotating secrets
David McDonald edited this page Feb 28, 2020 · 10 revisions
For our applications to talk to our API they must use one of the API keys found in `API_INTERNAL_SECRETS` in `credentials/<env>/paas/environment_variables`. If you want to rotate these keys then you should:
- Add the new secret to `API_INTERNAL_SECRETS` in `credentials/<env>/paas/environment_variables`
- Deploy the API so it now allows apps to auth with the new secret
- Change `ADMIN_CLIENT_SECRET` in `credentials/<env>/paas/environment_variables` and `credentials/<env>/document-download/paas-environment` to be the new secret
- Deploy document-download-frontend and the admin app
- Remove the old secret from `API_INTERNAL_SECRETS` in `credentials/<env>/paas/environment_variables`
- Deploy the API to preview and then run functional tests for all the other apps (antivirus, document download etc) to check they can still talk to the API. If so, you can then continue to deploy the API to production

For our applications to talk to the document download API they must use one of the API keys found in `AUTH_TOKENS` in `credentials/<env>/document-download/paas-environment`. If you want to rotate these keys then you should:
- Add the new secret to `AUTH_TOKENS` in `credentials/<env>/document-download/paas-environment` using a `:` separated list, for example `secret1:secret2`
- Deploy the document download API so it now allows apps to auth with the new secret
- Change `DOCUMENT_DOWNLOAD_API_KEY` in `credentials/<env>/paas/environment_variables` to be the new secret
- Deploy the API
- Remove the old secret from `AUTH_TOKENS` in `credentials/<env>/document-download/paas-environment`
- Deploy the document download API to preview and then run functional tests for all the other apps (admin, api, document download, antivirus) to check they can still talk to the document download API. If so, you can then continue to deploy the API to production
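
A pre-flight check for the "remove the old secret" step, as an added example that is not part of this wiki or the project's code: it works out the new `AUTH_TOKENS` value and reports any client that would be locked out by the removal. The function names and sample secrets are hypothetical, and it assumes secrets never contain a `:` themselves.

```python
import hmac


def parse_tokens(raw):
    """Split a colon-separated AUTH_TOKENS value, dropping empty entries."""
    return [t.strip() for t in raw.split(":") if t.strip()]


def same(a, b):
    """Constant-time comparison of two secrets."""
    return hmac.compare_digest(a.encode(), b.encode())


def accepts(tokens, key):
    """True if key matches any token the server would accept."""
    return any(same(t, key) for t in tokens)


def plan_removal(current_auth_tokens, old_secret, client_keys):
    """Return (new AUTH_TOKENS value, list of blocking problems).

    client_keys maps a client setting name (for example
    DOCUMENT_DOWNLOAD_API_KEY) to the key that client is deployed with.
    """
    tokens = parse_tokens(current_auth_tokens)
    remaining = [t for t in tokens if not same(t, old_secret)]
    problems = []
    if len(remaining) == len(tokens):
        problems.append("old secret is not in AUTH_TOKENS")
    if not remaining:
        problems.append("removal would leave AUTH_TOKENS empty")
    for name, key in client_keys.items():
        if not accepts(remaining, key):
            problems.append(f"{name} would be rejected after removal")
    return ":".join(remaining), problems


if __name__ == "__main__":
    # Constructed sample values, not real secrets.
    clients = {"DOCUMENT_DOWNLOAD_API_KEY": "old-example"}  # client not yet switched
    new_value, problems = plan_removal("old-example:new-example", "old-example", clients)
    # Report counts and problems only, never the secret values themselves.
    print(f"{len(parse_tokens(new_value))} token(s) would remain")
    for p in problems:
        print("BLOCKED:", p)
```

The same ordering check applies to `API_INTERNAL_SECRETS` and `ADMIN_CLIENT_SECRET` in the first procedure, provided the secrets are passed in as a `:` separated string.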