HOWTO Rotate the Application's Secrets
========================
Secrets are read from the running environment.

Secrets were originally created with:

```sh
cf cups getgov-credentials -p credentials-<ENVIRONMENT>.json
```

Where `credentials-<ENVIRONMENT>.json` looks like:

```json
{
  "DJANGO_SECRET_KEY": "EXAMPLE",
  "DJANGO_SECRET_LOGIN_KEY": "EXAMPLE",
  ...
}
```
(Specific credentials are mentioned below.)
You can see the current environment with `cf env <APP>`, for example `cf env getgov-stable`.

The commands `cups` and `uups` stand for `create user provided service` and `update user provided service`. User provided services are the way currently recommended by Cloud.gov for deploying secrets. The user provided service is bound to the application in `manifest-<ENVIRONMENT>.json`.
To rotate secrets, create a new `credentials-<ENVIRONMENT>.json` file, upload it, then restage the app.

Example:

```sh
cf update-user-provided-service getgov-credentials -p credentials-stable.json
cf restage getgov-stable --strategy rolling
```

Non-secret environment variables can be declared in `manifest-<ENVIRONMENT>.json` directly.
DJANGO_SECRET_KEY
-----------------

This is a standard Django secret key. See Django documentation for tips on generating a new one.

DJANGO_SECRET_LOGIN_KEY
-----------------------

This is the base64 encoded private key used in the OpenID Connect authentication flow with Login.gov. It is used to sign a token during user login; the signature is examined by Login.gov before their API grants access to user data.

Generate a new key using this command (or whatever is most recently recommended by Login.gov):

```sh
openssl req -nodes -x509 -days 365 -newkey rsa:2048 -keyout private.pem -out public.crt
```

Encode it using:

```sh
base64 private.pem
```
You also need to upload the `public.crt` key, if recently created, to the Login.gov identity sandbox: https://dashboard.int.identitysandbox.gov/
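As an added example (not part of this runbook or the getgov project), a small Python helper that builds the new `credentials-<ENVIRONMENT>.json` contents and checks them before `cf uups`: it generates a Django-style secret key with the same alphabet and length Django uses, base64-encodes `private.pem` as a single line (plain `base64 private.pem` wraps output at 76 columns on GNU coreutils, which breaks the JSON string), and rejects files that still carry the `EXAMPLE` placeholders. `SAMPLE_PEM` is a constructed stand-in for `private.pem`, not a real key.

```python
"""Build and sanity-check credentials-<ENVIRONMENT>.json before `cf uups`."""
import base64
import secrets
import string

REQUIRED_KEYS = ("DJANGO_SECRET_KEY", "DJANGO_SECRET_LOGIN_KEY")
PLACEHOLDER = "EXAMPLE"
# Constructed stand-in for private.pem; not a real key.
SAMPLE_PEM = (b"-----BEGIN PRIVATE KEY-----\nMIIEvQIBADANBgkqhkiG9w0BAQEFAASC"
              b"BKcwggSjAgEAAoIBAQC_CONSTRUCTED\n-----END PRIVATE KEY-----\n")

def generate_django_secret_key(length=50):
    """Same alphabet and length as Django's get_random_secret_key()."""
    alphabet = string.ascii_lowercase + string.digits + "!@#$%^&*(-_=+)"
    return "".join(secrets.choice(alphabet) for _ in range(length))

def encode_login_key(pem_bytes):
    """Base64 private.pem as ONE line: GNU `base64 private.pem` wraps at 76
    columns, and a wrapped value is not valid inside a JSON string."""
    if b"PRIVATE KEY-----" not in pem_bytes:
        raise ValueError("not a PEM private key")
    return base64.b64encode(pem_bytes).decode("ascii")

def build_credentials(existing, pem_bytes):
    """Copy the current file's keys, replacing only the two rotated secrets."""
    creds = dict(existing)
    creds["DJANGO_SECRET_KEY"] = generate_django_secret_key()
    creds["DJANGO_SECRET_LOGIN_KEY"] = encode_login_key(pem_bytes)
    return creds

def validate_credentials(creds):
    """Return a list of problems; empty means the file is safe to upload."""
    problems = []
    for key in REQUIRED_KEYS:
        value = creds.get(key)
        if not value:
            problems.append(f"{key}: missing or empty")
        elif value == PLACEHOLDER:
            problems.append(f"{key}: still the placeholder value")
    login = creds.get("DJANGO_SECRET_LOGIN_KEY")
    if login:
        try:  # binascii.Error is a ValueError subclass
            if b"PRIVATE KEY-----" not in base64.b64decode(login, validate=True):
                problems.append("DJANGO_SECRET_LOGIN_KEY: not a base64-encoded PEM key")
        except ValueError:
            problems.append("DJANGO_SECRET_LOGIN_KEY: not valid base64")
    return problems
```

Write the returned dict out with `json.dump` to `credentials-<ENVIRONMENT>.json` only after `validate_credentials` returns an empty list, then run the `cf update-user-provided-service` and `cf restage` commands above.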