# HOWTO Rotate the Application's Secrets

Secrets are read from the running environment.

Secrets were originally created with:

```sh
cf cups getgov-credentials -p credentials-.json
```

Where `credentials-.json` looks like:

```json
{
  "DJANGO_SECRET_KEY": "EXAMPLE",
  "DJANGO_SECRET_LOGIN_KEY": "EXAMPLE",
  "AWS_ACCESS_KEY_ID": "EXAMPLE",
  "AWS_SECRET_ACCESS_KEY": "EXAMPLE",
  ...
}
```

(Specific credentials are mentioned below.)

You can see the current environment with `cf env `, for example `cf env getgov-stable`.

The commands `cups` and `uups` stand for [`create user provided service`](https://docs.cloudfoundry.org/devguide/services/user-provided.html) and `update user provided service`. User provided services are the way currently recommended by Cloud.gov for deploying secrets. The user provided service is bound to the application in `manifest-.json`.

To rotate secrets, create a new `credentials-.json` file, upload it, then restage the app. Example:

```bash
cf update-user-provided-service getgov-credentials -p credentials-stable.json
cf restage getgov-stable --strategy rolling
```

Non-secret environment variables can be declared in `manifest-.json` directly.

## DJANGO_SECRET_KEY

This is a standard Django secret key. See the Django documentation for tips on generating a new one.

## DJANGO_SECRET_LOGIN_KEY

This is the base64 encoded private key used in the OpenID Connect authentication flow with Login.gov. It is used to sign a token during user login; the signature is examined by Login.gov before their API grants access to user data.

Generate a new key using this command (or whatever is most recently recommended by Login.gov):

```bash
openssl req -nodes -x509 -days 365 -newkey rsa:2048 -keyout private.pem -out public.crt
```

Encode it using:

```bash
base64 private.pem
```

If you generated a new key, you also need to upload the matching `public.crt` certificate to the Login.gov identity sandbox: https://dashboard.int.identitysandbox.gov/

## AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY

To access the AWS Simple Email Service, we need credentials from the CISA AWS account for an IAM user who has limited access to only SES. Those credentials need to be specified in the environment.
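Before running `cf uups` and `cf restage`, it is worth checking the new credentials file for leftover `EXAMPLE` placeholders and for a `DJANGO_SECRET_LOGIN_KEY` that actually decodes to a PEM private key. The script below is an added example, not part of the project's tooling; the PEM header strings, the 50-character minimum for the Django key (Django's own system check warns below that) and the sample values are assumptions or constructed data.

```python
"""Pre-upload sanity check for a credentials JSON file of the layout shown above."""
import base64
import binascii
import json

REQUIRED_KEYS = ("DJANGO_SECRET_KEY", "DJANGO_SECRET_LOGIN_KEY",
                 "AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY")
# `openssl req -nodes -newkey` writes PKCS#8 on current OpenSSL and PKCS#1 on old ones.
PEM_HEADERS = (b"-----BEGIN PRIVATE KEY-----", b"-----BEGIN RSA PRIVATE KEY-----")


def check_credentials(creds: dict) -> list:
    """Return a list of problems; an empty list means the file looks usable."""
    problems = []
    for key in REQUIRED_KEYS:
        value = creds.get(key)
        if not isinstance(value, str) or not value.strip():
            problems.append(f"{key}: missing or empty")
        elif value == "EXAMPLE":
            problems.append(f"{key}: still set to the EXAMPLE placeholder")
    secret = creds.get("DJANGO_SECRET_KEY", "")
    if isinstance(secret, str) and 0 < len(secret) < 50:
        problems.append("DJANGO_SECRET_KEY: shorter than 50 characters")
    login_key = creds.get("DJANGO_SECRET_LOGIN_KEY", "")
    if isinstance(login_key, str) and login_key and login_key != "EXAMPLE":
        # `base64 private.pem` wraps its output, so drop whitespace before decoding.
        try:
            pem = base64.b64decode("".join(login_key.split()), validate=True)
        except (binascii.Error, ValueError):
            problems.append("DJANGO_SECRET_LOGIN_KEY: not valid base64")
        else:
            if not pem.lstrip().startswith(PEM_HEADERS):
                problems.append("DJANGO_SECRET_LOGIN_KEY: decoded value is not a PEM private key")
    return problems


def check_credentials_file(path: str) -> list:
    with open(path, encoding="utf-8") as fh:
        return check_credentials(json.load(fh))


# Constructed sample for demonstration only: the PEM body is a placeholder, not a real key.
_FAKE_PEM = b"-----BEGIN PRIVATE KEY-----\nTk9UQVJFQUxLRVk=\n-----END PRIVATE KEY-----\n"
SAMPLE_GOOD = {
    "DJANGO_SECRET_KEY": "constructed-sample-secret-key-0123456789-abcdefghijklmnop",
    "DJANGO_SECRET_LOGIN_KEY": base64.encodebytes(_FAKE_PEM).decode(),  # wrapped output
    "AWS_ACCESS_KEY_ID": "constructed-access-key-id",
    "AWS_SECRET_ACCESS_KEY": "constructed-secret-access-key",
}

if __name__ == "__main__":
    import sys
    print("\n".join(check_credentials_file(sys.argv[1])) or "credentials look usable")
```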