manage.get.gov/docs/operations/runbooks/rotate_application_secrets.md
Logan McDonald edc0593859
Move to cloud.gov prototyping org with two spaces (#114)
move to prototyping org with two spaces
2022-09-09 14:53:17 -04:00


HOWTO Rotate the Application's Secrets
========================

Secrets are read from the running environment.

Secrets were originally created with:

```sh
cf cups getgov-credentials -p credentials-<ENVIRONMENT>.json
```

Where `credentials-<ENVIRONMENT>.json` looks like:

```json
{
  "DJANGO_SECRET_KEY": "EXAMPLE",
  ...
}
```

You can see the current environment with `cf env <APP>`, for example `cf env getgov-unstable`.

The command `cups` stands for `create-user-provided-service`. User-provided services are the way Cloud.gov currently recommends for deploying secrets. The user-provided service is bound to the application in `manifest-<ENVIRONMENT>.json`.

To rotate secrets, create a new `credentials-<ENVIRONMENT>.json` file, upload it, then restage the app.

Example:

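```sh
# The service already exists, so update it (uups = update-user-provided-service); cups only creates.
cf uups getgov-credentials -p credentials-unstable.json
# Restage so the running app reads the new values.
cf restage getgov-unstable --strategy rolling
```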

Non-secret environment variables can be declared in `manifest-<ENVIRONMENT>.json` directly.
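One way to script the rotation described above, as an added example that is not part of the getgov repository: it replaces only `DJANGO_SECRET_KEY` in an existing credentials file, keeps every other entry, writes the new file with owner-only permissions, and deletes that file after the upload. The function names, the `.new.json` filename, the key alphabet and length, and the use of `cf uups` (update-user-provided-service, because the service already exists) are assumptions of this example.

```python
"""Added example: rotate DJANGO_SECRET_KEY for one environment (not from the getgov repo)."""
import json
import os
import secrets
import string
import subprocess
import sys

# Assumption: alphabet and length are this example's choice; any long random string works.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*(-_=+)"


def new_secret_key(length=50):
    """Return a key drawn from the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def rotated(credentials, names=("DJANGO_SECRET_KEY",)):
    """Copy the credentials dict, replacing only the named secrets."""
    fresh = dict(credentials)
    for name in names:
        fresh[name] = new_secret_key()
    return fresh


def write_private(path, credentials):
    """Write the JSON file readable by the owner only; refuse to overwrite."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as handle:
        json.dump(credentials, handle, indent=2)


def rotate(environment, current_path):
    """Upload rotated credentials, restage, then delete the local plaintext copy."""
    with open(current_path) as handle:
        credentials = rotated(json.load(handle))
    new_path = f"credentials-{environment}.new.json"  # hypothetical filename
    write_private(new_path, credentials)
    try:
        subprocess.run(["cf", "uups", "getgov-credentials", "-p", new_path], check=True)
        subprocess.run(["cf", "restage", f"getgov-{environment}",
                        "--strategy", "rolling"], check=True)
    finally:
        os.remove(new_path)


if __name__ == "__main__":
    rotate(sys.argv[1], sys.argv[2])
```

Changing `DJANGO_SECRET_KEY` invalidates sessions and other values Django signed with the old key, so expect users to be logged out once the restage completes.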