Help Center>
Data Encryption Workshop>
Best Practices>
Secret Management>
Rotating Secrets>
Rotating a Secret for Two Users
Updated on 2023-11-15 GMT+08:00
Rotating a Secret for Two Users
Overview
You can update the information of two users in a secret.
For example, if your application requires high availability and you perform single-user rotation, you may fail to access the application when changing the user password and updating the secret content. In this case, you need to use the multi-user secret rotation policy.
You must have an account, for example, Admin, that has the permission to create and change the passwords of user1 and user2. First, create a secret, create and save the account and password of user1, and record them as user1/password1. Then, create user2 by adding secret version v2, and save the password of user2 as user2/password2. If you change the password of user1, you need to add secret version v3 and record it as user1/password3. When the secret version v3 is being created, the application uses the existing secret version v2 to obtain information. Once v3 is ready, the temporary storage tag will be changed, and the application can use v3 to obtain information.
Constraints
Ensure your account has the KMS Administrator or KMS CMKFullAccess permission. For details, see DEW Permissions Management.
Secret Rotation APIs
You can call the following APIs to rotate secrets locally.
API |
Description |
|---|---|
Create a secret version. |
|
Query the information about a specified secret version and the plaintext secret value in the version. |
|
Update the version status of a secret. |
|
Query the status of a specified secret version. |
Example of Rotating the Secret of Two Accounts
- Create a secret on the HUAWEI CLOUD console as the administrator. For details, see Creating a Secret.
- Prepare basic authentication information.
- ACCESS_KEY: access key of the Huawei ID
- SECRET_ACCESS_KEY: secret access key of the Huawei ID
- PROJECT_ID: project ID of a HUAWEI CLOUD site. For details, see Project.
- CSMS_ENDPOINT: endpoint for accessing CSMS. For details, see Endpoints.
- There will be security risks if the AK/SK used for authentication is directly written into code. Encrypt the AK/SK in the configuration file or environment variables for storage.
- In this example, the AK/SK stored in the environment variables are used for identity authentication. Configure the environment variables HUAWEICLOUD_SDK_AK and HUAWEICLOUD_SDK_SK in the local environment first.
- Rotate the secret for two users.
- secretName indicates the name of the secret created on the Huawei Cloud console.
- secretString indicates the value saved in the secret created on the Huawei Cloud console.
- versionId indicates the secret ID automatically generated after a secret is created on the Huawei Cloud console.
- LATEST_VERSION indicates the secret version.
import com.huaweicloud.sdk.core.auth.BasicCredentials; import com.huaweicloud.sdk.csms.v1.CsmsClient; import com.huaweicloud.sdk.csms.v1.model.CreateSecretVersionRequest; import com.huaweicloud.sdk.csms.v1.model.CreateSecretVersionRequestBody; import com.huaweicloud.sdk.csms.v1.model.CreateSecretVersionResponse; import com.huaweicloud.sdk.csms.v1.model.ListSecretStageRequest; import com.huaweicloud.sdk.csms.v1.model.ListSecretStageResponse; import com.huaweicloud.sdk.csms.v1.model.ShowSecretVersionRequest; import com.huaweicloud.sdk.csms.v1.model.ShowSecretVersionResponse; import com.huaweicloud.sdk.csms.v1.model.UpdateSecretStageRequest; import com.huaweicloud.sdk.csms.v1.model.UpdateSecretStageRequestBody; import java.util.Collections; import java.util.List; public class CsmsDualAccountExample { /** * Basic authentication information: * - ACCESS_KEY: access key of the Huawei ID * - SECRET_ACCESS_KEY: secret access key of the Huawei ID * - PROJECT_ID: Huawei Cloud project ID. For details, see https://support.huaweicloud.com/intl/en-us/productdesc-iam/iam_01_0023.html * - CSMS_ENDPOINT: endpoint address for accessing CSMS. For details, see https://support.huaweicloud.com/intl/en-us/api-dew/dew_02_0052.html. * - There will be security risks if the AK/SK used for authentication is directly written into code. Encrypt the AK/SK in the configuration file or environment variables for storage; * - In this example, the AK/SK stored in the environment variables are used for identity authentication. Configure the environment variables HUAWEICLOUD_SDK_AK and HUAWEICLOUD_SDK_SK in the local environment first. */ private static final String ACCESS_KEY = System.getenv("HUAWEICLOUD_SDK_AK"); private static final String SECRET_ACCESS_KEY = System.getenv("HUAWEICLOUD_SDK_SK"); private static final String PROJECT_ID = "<ProjectID>"; private static final String CSMS_ENDPOINT = "<CsmsEndpoint>"; //Version ID used to query the latest secret version details. private static final String LATEST_VERSION = "latest"; private static final String HW_CURRENT_STAGE = "SYSCURRENT"; private static final String HW_PENDING_STAGE = "HW_PENDING"; public static void main(String[] args) { String secretName = args[0]; String secretString = args[1]; dualAccountRotation(secretName, secretString); } /** * Example: secret rotation for two accounts * * @param secretName * @param secretString */ private static void dualAccountRotation(String secretName, String secretString) { // Create a new secret version with a custom version status. Assume that the secret content is the account password of service A. CreateSecretVersionResponse newSecretVersion = createNewSecretVersionWithStage(secretName, secretString, Collections.singletonList(HW_PENDING_STAGE)); String versionId = newSecretVersion.getVersionMetadata().getId(); // Before rotation, check whether the pending state is modified. ListSecretStageResponse listSecretStageResponse = showSecretStage(secretName, HW_PENDING_STAGE); assert listSecretStageResponse.getStage().getVersionId().equals(versionId); // After the account and password of service A are updated, the version status of the new secret is updated to SYSCURRENT. The old secret is still stored in the service and cannot be accessed by specifying latest. updateSecretStage(secretName, versionId, HW_CURRENT_STAGE); // Query the secret of the latest version by specifying latest to complete the dual-account secret rotation. ShowSecretVersionResponse secretResponse = showVersionDetail(secretName, LATEST_VERSION); assert secretResponse.getVersion().getSecretString().equals(secretString); } /** * Example of creating a secret * If you add a secret version by customizing the version status, the program will not point the SYSCURRENT version status to this version. * * @param secretName * @param newSecretVersionText * @param stageList * @return */ private static CreateSecretVersionResponse createNewSecretVersionWithStage(String secretName, String newSecretVersionText, List<String> stageList) { CsmsClient csmsClient = getCsmsClient(); //Host the new secret in CSMS. CreateSecretVersionRequest createSecretVersionRequest = new CreateSecretVersionRequest() .withSecretName(secretName) .withBody(new CreateSecretVersionRequestBody() .withSecretString(newSecretVersionText) .withVersionStages(stageList)); CreateSecretVersionResponse secretVersion = csmsClient.createSecretVersion(createSecretVersionRequest); System.out.printf("Created new version success, version id: %s", secretVersion.getVersionMetadata().getId()); return secretVersion; } /** * Point the input version state to the specified secret version. * @param secretName * @param versionId * @param newStageName */ private static void updateSecretStage(String secretName, String versionId, String newStageName) { UpdateSecretStageRequest updateSecretStageRequest = new UpdateSecretStageRequest().withSecretName(secretName) .withStageName(newStageName).withBody(new UpdateSecretStageRequestBody().withVersionId(versionId)); CsmsClient csmsClient = getCsmsClient(); csmsClient.updateSecretStage(updateSecretStageRequest); System.out.printf("Version stage update success. version id:%s, new stage name:%s", versionId, newStageName); } /** * Query the secret of a specified version. * @param secretName * @param versionId * @return */ private static ShowSecretVersionResponse showVersionDetail(String secretName, String versionId) { ShowSecretVersionRequest showSecretVersionRequest = new ShowSecretVersionRequest().withSecretName(secretName) .withVersionId(versionId); CsmsClient csmsClient = getCsmsClient(); ShowSecretVersionResponse secretDetail = csmsClient.showSecretVersion(showSecretVersionRequest); System.out.printf("Query latest version success. version id:%s", secretDetail.getVersion().getVersionMetadata().getId()); return secretDetail; } /** * Query the status of a specified version. * @param secretName * @param stageName * @return */ private static ListSecretStageResponse showSecretStage(String secretName, String stageName) { ShowSecretStageRequest showSecretStageRequest = new ShowSecretStageRequest() .withSecretName(secretName).withStageName(stageName); CsmsClient csmsClient = getCsmsClient(); return csmsClient.showSecretStage(showSecretStageRequest); } /** * Obtain the CSMS client. * * @return */ private static CsmsClient getCsmsClient() { BasicCredentials auth = new BasicCredentials() .withAk(ACCESS_KEY) .withSk(SECRET_ACCESS_KEY) .withProjectId(PROJECT_ID); return CsmsClient.newBuilder().withCredential(auth).withEndpoint(CSMS_ENDPOINT).build(); } }
Parent topic: Rotating Secrets
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
The system is busy. Please try again later.
For any further questions, feel free to contact us through the chatbot.
Chatbot
