
Rotating Public API Key Using Task

tmpayton edited this page Nov 7, 2024 · 5 revisions

This wiki will show you how to use the update_public_api_key task to rotate public API keys.

Log in to cloud.gov:

cf login -a api.fr.cloud.gov --sso

Target dev space:

Other spaces may cause permissions issues.

cf target -s dev

Generate an OAuth token and save it in a file:

cf oauth-token > token.txt

NOTE: This token works for about four minutes, after which you need to generate a new one. Also make sure the file is in the directory from which you run the next command.

Run the task for prod (see below for other environments/settings):

cf run-task api --command "python cli.py update_public_api_key prod fec-creds-prod '$(< token.txt)'" --name update_public_api_key

Next Steps

After the task runs successfully, complete the following steps:

  1. Re-stage cms using CircleCI
  2. Deactivate the old key in API Umbrella once the re-stage is complete
  3. Update the fec-accounts wiki: https://github.com/fecgov/fec-accounts/wiki/API-public-and-private-key-information
  4. Deactivate any throttled public keys that are over three months old

Task arguments:

The task requires that you pass in the space, service instance, and your bearer token.

  • space: [Required] the space that you want to update
  • service_instance: [Required] the user provided service you want to update
  • token: [Required] your cf OAuth token generated above

You can also optionally pass in first_rate_limit, first_rate_limit_duration, second_rate_limit, and second_rate_limit_duration if you would like to use a different rate limit than the default.

  • first_rate_limit: [Optional] the limit of the first rate limit on the new key
  • first_rate_limit_duration: [Optional] the duration of the first rate limit on the new key
  • second_rate_limit: [Optional] the limit of the second rate limit on the new key
  • second_rate_limit_duration: [Optional] the duration of the second rate limit on the new key

Full command:

cf run-task api --command "python cli.py update_public_api_key <space> <service_instance> '$(< token.txt)' <first_rate_limit> <first_rate_limit_duration> <second_rate_limit> <second_rate_limit_duration>" --name update_public_api_key

Dev example:

cf run-task api --command "python cli.py update_public_api_key dev fec-creds-dev '$(< token.txt)'" --name update_public_api_key

Stage example:

cf run-task api --command "python cli.py update_public_api_key stage fec-creds-stage '$(< token.txt)'" --name update_public_api_key
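
The steps above combined into one wrapper, as an added example that is not part of the original wiki or the project's code: it keeps the token in a private temporary file that is deleted afterwards, and refuses to start the task with an empty or stale token. The function names and the three-minute freshness margin are assumptions; the fec-creds-<space> naming follows the prod, dev and stage examples on this page.

```shell
#!/bin/sh
# Added example: wraps the rotation steps from this page. Function names and
# TOKEN_MAX_AGE_MIN are hypothetical. Run `cf login -a api.fr.cloud.gov --sso` first.

TOKEN_MAX_AGE_MIN=3   # assumption: margin inside the "about four minutes" lifetime

# Map a space to its user-provided service, per the page's prod/dev/stage examples.
service_instance_for() {
    case "$1" in
        dev|stage|prod) printf 'fec-creds-%s\n' "$1" ;;
        *) echo "unknown space: $1" >&2; return 1 ;;
    esac
}

# Succeed only if the token file is non-empty and was written recently.
token_is_fresh() {
    [ -s "$1" ] && [ -n "$(find "$1" -mmin "-$TOKEN_MAX_AGE_MIN" 2>/dev/null)" ]
}

# Build the task command string the same way the page's examples do.
task_command() {
    printf "python cli.py update_public_api_key %s %s '%s'" "$1" "$2" "$(cat "$3")"
}

rotate_public_key() {
    space=$1
    instance=$(service_instance_for "$space") || return 1
    token_file=$(mktemp) || return 1          # mktemp creates the file with mode 0600
    trap 'rm -f "$token_file"' EXIT INT TERM  # do not leave the bearer token on disk
    cf target -s dev || return 1              # other spaces may cause permission issues
    cf oauth-token > "$token_file" || return 1
    token_is_fresh "$token_file" || { echo "no usable token" >&2; return 1; }
    cf run-task api \
        --command "$(task_command "$space" "$instance" "$token_file")" \
        --name update_public_api_key
    status=$?
    rm -f "$token_file"
    trap - EXIT INT TERM
    return $status
}

# Usage after sourcing this file: rotate_public_key prod
```
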