Rotating a Secret for a User

Overview

You can update the information of a user in a secret.

This is the most commonly used secret rotation policy.

Example:

• For database access, a database connection is not deleted during secret rotation. After the rotation, new connections use the new secrets.
• A user can create an account, for example, using an email address as the username. Generally, users can change passwords as needed, but cannot create other users or change usernames.
• Temporary users are created at the moment they are needed.
• Passwords are entered by users, not retrieved from CSMS by applications. These users do not need to change their usernames or passwords.

Constraints

Ensure your account has the KMS Administrator or KMS CMKFullAccess permission. For details, see DEW Permissions Management.

Secret Rotation APIs

You can call the following APIs to rotate secrets locally.

Example of Rotating the Secret of an Account

1. Create a secret on the HUAWEI CLOUD console. For details, see Creating a Secret.
2. Prepare basic authentication information.
   • ACCESS_KEY: access key of the Huawei ID
   • SECRET_ACCESS_KEY: secret access key of the Huawei ID
   • PROJECT_ID: project ID of a HUAWEI CLOUD site. For details, see Project.
   • CSMS_ENDPOINT: endpoint for accessing CSMS. For details, see Endpoints.
   • There will be security risks if the AK/SK used for authentication is directly written into code. Encrypt the AK/SK in the configuration file or environment variables for storage.
   • In this example, the AK/SK stored in the environment variables are used for identity authentication. Configure the environment variables HUAWEICLOUD_SDK_AK and HUAWEICLOUD_SDK_SK in the local environment first.
3. Rotation the secret of a user.

   In the example code,

   • secretName indicates the name of the secret created on the Huawei Cloud console.
   • secretString indicates the value saved in the secret created on the Huawei Cloud console.
   • versionId indicates the secret ID automatically generated after a secret is created on the Huawei Cloud console.
   • LATEST_VERSION indicates the secret version.

     import com.huaweicloud.sdk.core.auth.BasicCredentials;
     import com.huaweicloud.sdk.csms.v1.CsmsClient;
     import com.huaweicloud.sdk.csms.v1.model.CreateSecretVersionRequest;
     import com.huaweicloud.sdk.csms.v1.model.CreateSecretVersionRequestBody;
     import com.huaweicloud.sdk.csms.v1.model.CreateSecretVersionResponse;
     import com.huaweicloud.sdk.csms.v1.model.ShowSecretVersionRequest;
     import com.huaweicloud.sdk.csms.v1.model.ShowSecretVersionResponse;
     
     public class CsmsSingleAccountExample {
         /**
          * Basic authentication information:
          * - ACCESS_KEY: access key of the Huawei ID
          * - SECRET_ACCESS_KEY: secret access key of the Huawei ID
          * - PROJECT_ID: Huawei Cloud project ID. For details, see https://support.huaweicloud.com/intl/en-us/productdesc-iam/iam_01_0023.html
     * - CSMS_ENDPOINT: endpoint address for accessing CSMS. For details, see https://support.huaweicloud.com/intl/en-us/api-dew/dew_02_0052.html.
          * - There will be security risks if the AK/SK used for authentication is directly written into code. Encrypt the AK/SK in the configuration file or environment variables for storage.
          * - In this example, the AK/SK stored in the environment variables are used for identity authentication. Configure the environment variables HUAWEICLOUD_SDK_AK and HUAWEICLOUD_SDK_SK in the local environment first.
          */    
         private static final String ACCESS_KEY = System.getenv("HUAWEICLOUD_SDK_AK");
         private static final String SECRET_ACCESS_KEY = System.getenv("HUAWEICLOUD_SDK_SK");
         private static final String PROJECT_ID = "<ProjectID>";
         private static final String CSMS_ENDPOINT = "<CsmsEndpoint>";
         //Version ID used to query the latest secret version details.
         private static final String LATEST_VERSION = "latest";
         public static void main(String[] args) {
             String secretName = args[0];
             String secretString = args[1];
             singleAccountRotation(secretName, secretString);
         }
     
         /**
          * Example: secret rotation for a single account
          *
          * @param secretName   Secret name
          * @param secretString Secret content
          */
         private static void singleAccountRotation(String secretName, String secretString) {
             //Host the new secret in CSMS.
             createNewSecretVersion(secretName, secretString);
             //Query the secret of the latest version based on the secret version latest.
             ShowSecretVersionResponse secretResponseByLatest = showSecretVersionDetail(secretName, LATEST_VERSION);
             assert secretResponseByLatest.getVersion().getSecretString().equals(secretString);
         }
     
         /**
          * Example of creating a secret
          * If a secret version is added without version status, the program points the SYSCURRENT version status to the version by default.
          *
          * @param secretName   Secret name
          * @param secretString Secret content
          * @return
          */
         private static CreateSecretVersionResponse createNewSecretVersion(String secretName, String secretString) {
             CsmsClient csmsClient = getCsmsClient();
     
             CreateSecretVersionRequest createSecretVersionRequest = new CreateSecretVersionRequest()
                     .withSecretName(secretName)
                     .withBody(new CreateSecretVersionRequestBody().withSecretString(secretString));
     
             CreateSecretVersionResponse secretVersion = csmsClient.createSecretVersion(createSecretVersionRequest);
     
             System.out.printf("Created new version success, version id:%s", secretVersion.getVersionMetadata().getId());
             return secretVersion;
         }
         /**
          * Query the secret of a specified version.
          *
          * @param secretName Secret_name
          * @param versionId  Secret_version_ID
          * @return
          */
         private static ShowSecretVersionResponse showSecretVersionDetail(String secretName, String versionId) {
             ShowSecretVersionRequest showSecretVersionRequest = new ShowSecretVersionRequest().withSecretName(secretName)
                     .withVersionId(versionId);
             CsmsClient csmsClient = getCsmsClient();
             ShowSecretVersionResponse secretDetail = csmsClient.showSecretVersion(showSecretVersionRequest);
             System.out.printf("Query latest version success. version id:%s",
     secretDetail.getVersion().getVersionMetadata().getId());
             return secretDetail;
         }
         /**
          * Obtain the CSMS client.
          *
          * @return
          */
         private static CsmsClient getCsmsClient() {
             BasicCredentials auth = new BasicCredentials()
                     .withAk(ACCESS_KEY)
                     .withSk(SECRET_ACCESS_KEY)
                     .withProjectId(PROJECT_ID);
             return CsmsClient.newBuilder().withCredential(auth).withEndpoint(CSMS_ENDPOINT).build();
         }
     }