# How to Rotate API Tokens

1. Create a new token
2. Revoke the old token

**Assumptions:**

* Your MiniDiscovery API is running at `http://localhost:8500`.
* Your *current* (initial) admin token is stored in the variable `OLD_ADMIN_TOKEN`.
* You want the *new* admin token to be named `admin-v2` (or similar).

**Steps:**

1. **Create a New Admin Token:**

   * Use your *existing* admin token (`$OLD_ADMIN_TOKEN`) in the `X-API-Token` header.
   * POST to the `/v1/acl/token` endpoint.
   * Request the `admin` permission for the new token.

   ```bash
   OLD_ADMIN_TOKEN="your_initial_secure_admin_token_here"
   NEW_TOKEN_NAME="admin-v2" # Or any descriptive name

   # Make the API call
   response=$(curl -s -X POST "http://localhost:8500/v1/acl/token" \
     -H "accept: application/json" \
     -H "X-API-Token: ${OLD_ADMIN_TOKEN}" \
     -H "Content-Type: application/json" \
     -d '{
       "name": "'"${NEW_TOKEN_NAME}"'",
       "permissions": ["read", "write", "admin"]
     }')

   # Extract the new token (use jq if available for robustness, otherwise basic parsing)
   # Using jq:
   # NEW_ADMIN_TOKEN=$(echo "$response" | jq -r '.token')
   # Using grep/sed (less robust; accepts "token":"..." with or without a space after the colon):
   NEW_ADMIN_TOKEN=$(echo "$response" | grep -o '"token": *"[^"]*"' | sed 's/"token": *"//;s/"$//')

   if [ -z "$NEW_ADMIN_TOKEN" ] || [ "$NEW_ADMIN_TOKEN" = "null" ]; then
     echo "Error creating new token. Response:"
     echo "$response"
     exit 1
   else
     echo "Successfully created new admin token named '${NEW_TOKEN_NAME}'."
     echo "NEW TOKEN (SAVE THIS SECURELY!): ${NEW_ADMIN_TOKEN}"
     # !!! IMPORTANT: Securely store NEW_ADMIN_TOKEN now !!!
   fi
   ```

2. **Revoke the Old Admin Token:**

   * You can use *either* the `$OLD_ADMIN_TOKEN` or the `$NEW_ADMIN_TOKEN` you just created for authentication in the `X-API-Token` header (both have `admin` rights at this point). Using the new one is good practice: the revocation then doubles as a check that the new token is accepted while the old one is still valid.
   * Send a DELETE request to `/v1/acl/token/{token_to_revoke}`.
   * The `{token_to_revoke}` path parameter MUST be the **plain text** value of the token you want to remove (i.e., the value of `$OLD_ADMIN_TOKEN`).

   ```bash
   # Use the NEW token to authenticate the revocation request
   curl -X DELETE "http://localhost:8500/v1/acl/token/${OLD_ADMIN_TOKEN}" \
     -H "accept: application/json" \
     -H "X-API-Token: ${NEW_ADMIN_TOKEN}"

   # Check the output; it should indicate success (e.g., {"status":"revoked", ...})

   # Or use the OLD token to authenticate:
   # curl -X DELETE "http://localhost:8500/v1/acl/token/${OLD_ADMIN_TOKEN}" \
   #   -H "accept: application/json" \
   #   -H "X-API-Token: ${OLD_ADMIN_TOKEN}"

   echo "Attempted to revoke the old admin token. Verify the response."
   ```
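The two steps above combined into one script, as an added example that is not part of the original page or of the MiniDiscovery project. It creates the replacement token, then uses the *new* token to revoke the old one, so a new token that the API rejects aborts the rotation while the old token is still valid (no lock-out). It assumes the endpoints, the `X-API-Token` header and the `token` field in the create response exactly as shown above; the `json_field` helper and the HTTP-status handling via `curl -w` are mine, not the project's.

```shell
#!/bin/sh
# Added example (not MiniDiscovery's own code): create-then-revoke rotation
# with the revocation authenticated by the new token, so a non-working new
# token leaves the old one in place instead of locking us out.
set -eu

API_URL="${API_URL:-http://localhost:8500}"   # assumption: same base URL as the page

# Pull a string field out of a JSON object without jq. Tolerates both
# "token":"x" and "token": "x" spacing, which a fixed grep pattern does not.
json_field() {
  # $1 = JSON text, $2 = field name
  printf '%s' "$1" | sed -n 's/.*"'"$2"'"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1
}

# One request; prints the response body followed by a final line holding the
# HTTP status code (curl -w appends it after the body).
api_call() {
  # $1 = method, $2 = path, $3 = token for X-API-Token, $4 = optional JSON body
  method=$1; path=$2; token=$3; body=${4:-}
  if [ -n "$body" ]; then
    curl -s -X "$method" "${API_URL}${path}" -H "accept: application/json" \
      -H "X-API-Token: $token" -H "Content-Type: application/json" \
      -d "$body" -w '\n%{http_code}'
  else
    curl -s -X "$method" "${API_URL}${path}" -H "accept: application/json" \
      -H "X-API-Token: $token" -w '\n%{http_code}'
  fi
}

# Create the replacement admin token and print its value.
create_admin_token() {
  # $1 = current admin token, $2 = name for the new token
  payload=$(printf '{"name": "%s", "permissions": ["read", "write", "admin"]}' "$2")
  resp=$(api_call POST /v1/acl/token "$1" "$payload")
  status=$(printf '%s\n' "$resp" | tail -n 1)
  body=$(printf '%s\n' "$resp" | sed '$d')
  case "$status" in
    2??) ;;
    *) echo "create failed (HTTP $status): $body" >&2; return 1 ;;
  esac
  new=$(json_field "$body" token)
  [ -n "$new" ] && [ "$new" != "null" ] || { echo "no token in response: $body" >&2; return 1; }
  printf '%s\n' "$new"
}

# Revoke one token while authenticating with another; non-zero on failure.
revoke_token() {
  # $1 = token to authenticate with, $2 = plain-text value of the token to revoke
  resp=$(api_call DELETE "/v1/acl/token/$2" "$1")
  status=$(printf '%s\n' "$resp" | tail -n 1)
  case "$status" in
    2??) return 0 ;;
    *) echo "revoke failed (HTTP $status)" >&2; return 1 ;;
  esac
}

# Full rotation. Revoking with the NEW token proves it is accepted before the
# old one disappears; if the new token is rejected, nothing has been revoked.
rotate_admin_token() {
  # $1 = current admin token, $2 = name for the new token (default admin-v2)
  old=$1; name=${2:-admin-v2}
  new=$(create_admin_token "$old" "$name") || return 1
  if ! revoke_token "$new" "$old"; then
    echo "new token was not accepted; old token left in place" >&2
    return 1
  fi
  printf '%s\n' "$new"
}

# Usage: OLD_ADMIN_TOKEN=... sh rotate.sh [new-token-name]
# The token comes from the environment, not a literal, so it stays out of the
# script file; note the DELETE URL still carries the old token's value.
if [ -n "${OLD_ADMIN_TOKEN:-}" ]; then
  NEW_ADMIN_TOKEN=$(rotate_admin_token "$OLD_ADMIN_TOKEN" "${1:-admin-v2}")
  echo "Rotation complete. NEW TOKEN (store securely): $NEW_ADMIN_TOKEN"
fi
```

Because the revoke endpoint takes the token value in the URL path, the old token's value ends up in shell history and in any HTTP access or proxy logs between you and the API; treat those as containing a (now revoked) secret, and prefer feeding the token in through the environment or a secrets manager rather than typing it on the command line.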
**After these steps:**

* The initial admin token (`$OLD_ADMIN_TOKEN`) will no longer be valid.
* The new token (`$NEW_ADMIN_TOKEN`) will be the active token with admin privileges.
* You should update any scripts, configurations, or password managers that were using the old token to use the new one.

This create-then-revoke process is the standard way to handle credential rotation in systems like this.