MiniDiscovery/key_rotation.md
2025-05-03 18:26:12 +03:00

How to Rotate API Tokens

  1. Create new token
  2. Revoke old token

Assumptions:

  • Your MiniDiscovery API is running at http://localhost:8500.
  • Your current (initial) admin token is stored in the variable OLD_ADMIN_TOKEN.
  • You want the new admin token to be named admin-v2 (or similar).

Steps:

  1. Create a New Admin Token:

    • Use your existing admin token ($OLD_ADMIN_TOKEN) in the X-API-Token header.
    • POST to the /v1/acl/token endpoint.
    • Request the admin permission for the new token.

    OLD_ADMIN_TOKEN="your_initial_secure_admin_token_here"
    NEW_TOKEN_NAME="admin-v2" # Or any descriptive name

    # Make the API call (-sS: quiet output, but transport errors are still reported)
    response=$(curl -sS -X POST "http://localhost:8500/v1/acl/token" \
      -H "accept: application/json" \
      -H "X-API-Token: ${OLD_ADMIN_TOKEN}" \
      -H "Content-Type: application/json" \
      -d '{
        "name": "'"${NEW_TOKEN_NAME}"'",
        "permissions": ["read", "write", "admin"]
      }')

    # Extract the new token: jq if available (robust), otherwise grep/sed.
    # The grep pattern tolerates both "token":"..." and "token": "...".
    if command -v jq >/dev/null 2>&1; then
      NEW_ADMIN_TOKEN=$(printf '%s' "$response" | jq -r '.token // empty')
    else
      NEW_ADMIN_TOKEN=$(printf '%s' "$response" \
        | grep -o '"token"[[:space:]]*:[[:space:]]*"[^"]*"' \
        | sed 's/.*:[[:space:]]*"//;s/"$//')
    fi

    if [ -z "$NEW_ADMIN_TOKEN" ] || [ "$NEW_ADMIN_TOKEN" = "null" ]; then
      echo "Error creating new token. Response:"
      echo "$response"
      exit 1
    else
      echo "Successfully created new admin token named '${NEW_TOKEN_NAME}'."
      echo "NEW TOKEN (SAVE THIS SECURELY!): ${NEW_ADMIN_TOKEN}"
      # !!! IMPORTANT: Securely store NEW_ADMIN_TOKEN now !!!
    fi
    
  2. Revoke the Old Admin Token:

    • You can use either the $OLD_ADMIN_TOKEN or the $NEW_ADMIN_TOKEN you just created for authentication in the X-API-Token header (since both have admin rights at this point). It's often good practice to use the new one to verify it works.
    • Send a DELETE request to /v1/acl/token/{token_to_revoke}.
    • The {token_to_revoke} path parameter MUST be the plain text value of the token you want to remove (i.e., the value of $OLD_ADMIN_TOKEN).

    # Use the NEW token to authenticate the revocation request
    curl -sS -X DELETE "http://localhost:8500/v1/acl/token/${OLD_ADMIN_TOKEN}" \
      -H "accept: application/json" \
      -H "X-API-Token: ${NEW_ADMIN_TOKEN}"

    # Check the output; it should indicate success (e.g., {"status":"revoked", ...}).
    # Alternatively, authenticate with the OLD token:
    # curl -sS -X DELETE "http://localhost:8500/v1/acl/token/${OLD_ADMIN_TOKEN}" \
    #   -H "accept: application/json" \
    #   -H "X-API-Token: ${OLD_ADMIN_TOKEN}"

    echo "Attempted to revoke the old admin token. Verify the response."
    

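The two steps above combined into one script, as an added example that is not MiniDiscovery's own code: it creates the new token, proves the new token works by using it for the revocation, and then checks that the old token is really rejected. API_URL, the `run` argument, the treatment of any 2xx status as success and the final rejection check (a repeat DELETE with the old token) are assumptions of this script, not documented API behaviour.

```shell
#!/bin/sh
# Added example, not MiniDiscovery's own code: rotate the admin token end to end with the two
# endpoints above. API_URL, the "run" argument and the final rejection check are assumptions.
set -eu
API_URL="${API_URL:-http://localhost:8500}"
# Pull "token" out of the create response; handles both "token":"x" and "token": "x".
extract_token() {
  if command -v jq >/dev/null 2>&1; then
    printf '%s' "$1" | jq -r '.token // empty' 2>/dev/null || :
  else
    printf '%s' "$1" | grep -o '"token"[[:space:]]*:[[:space:]]*"[^"]*"' \
      | sed 's/.*:[[:space:]]*"//;s/"$//'
  fi
}

# JSON body for POST /v1/acl/token (name must not contain quotes or backslashes).
create_body() {
  printf '{"name":"%s","permissions":["read","write","admin"]}' "$1"
}

# api METHOD PATH TOKEN [BODY]: prints the response body, then the HTTP status on the last line
api() {
  curl -sS -w '\n%{http_code}' -X "$1" "$API_URL$2" -H "accept: application/json" \
    -H "X-API-Token: $3" -H "Content-Type: application/json" ${4:+-d "$4"}
}
is_2xx() { case "$1" in 2??) return 0;; *) return 1;; esac; }

# rotate OLD_TOKEN NEW_NAME: prints the new token on success, returns non-zero otherwise.
rotate() {
  resp=$(api POST /v1/acl/token "$1" "$(create_body "$2")")
  status=$(printf '%s\n' "$resp" | tail -n 1)
  body=$(printf '%s\n' "$resp" | sed '$d')
  new=$(extract_token "$body")
  is_2xx "$status" && [ -n "$new" ] || { echo "create failed ($status): $body" >&2; return 1; }
  # Revoke the old token while authenticating with the NEW one: this proves the new token
  # works before the old one disappears, so a broken new token cannot lock you out.
  status=$(api DELETE "/v1/acl/token/$1" "$new" | tail -n 1)
  is_2xx "$status" || { echo "revoke failed ($status)" >&2; return 1; }
  # Assumed check: the same DELETE authenticated with the old token must now be rejected.
  status=$(api DELETE "/v1/acl/token/$1" "$1" | tail -n 1)
  if is_2xx "$status"; then echo "old token still accepted ($status)" >&2; return 1; fi
  printf '%s\n' "$new"
}

# Acts only when invoked as `sh rotate.sh run`, so the functions can be sourced or tested.
if [ "${1:-}" = "run" ]; then
  NEW_ADMIN_TOKEN=$(rotate "${OLD_ADMIN_TOKEN:?set OLD_ADMIN_TOKEN first}" "${NEW_TOKEN_NAME:-admin-v2}")
  echo "Rotated. New admin token (store it securely): $NEW_ADMIN_TOKEN"
fi
```

Because the API takes the old token's plain-text value in the DELETE URL path, run this where shell history and any proxy or server access logs that record request paths are not kept longer than needed.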
After these steps:

  • The initial admin token ($OLD_ADMIN_TOKEN) will no longer be valid.
  • The new token ($NEW_ADMIN_TOKEN) will be the active token with admin privileges.
  • You should update any scripts, configurations, or password managers that were using the old token to use the new one.

This create-then-revoke process is the standard way to handle credential rotation in systems like this.