zydronium/manage.get.gov
1
0
Fork 0
mirror of https://github.com/cisagov/manage.get.gov.git synced 2025-06-04 11:37:21 +02:00
Code Issues Projects Releases Packages Wiki Activity
manage.get.gov/docs/operations/runbooks/rotate_application_secrets.md
Seamus Johnston 2386258159
Update and organize documentation
2022-08-31 16:02:51 -05:00

1 KiB
Raw Blame History

HOWTO Rotate the Application's Secrets

========================

Secrets are read from the running environment.

Secrets were originally created with:

cf cups getgov-credentials -p credentials-<ENVIRONMENT>.json

Where credentials-<ENVIRONMENT>.json looks like:

{
  "DJANGO_SECRET_KEY": "EXAMPLE",
  ...
}

You can see the current environment with cf env <APP>, for example cf env getgov-unstable.

The command cups stands for create user provided service. User provided services are the way currently recommended by Cloud.gov for deploying secrets. The user provided service is bound to the application in manifest-<ENVIRONMENT>.json.

To rotate secrets, create a new credentials-<ENVIRONMENT>.json file, upload it, then restage the app.

Example:

cf uups getgov-credentials -p credentials-unstable.json
cf restage getgov-unstable --strategy rolling

Non-secret environment variables can be declared in manifest-<ENVIRONMENT>.json directly.