Signon API user token expires soon
One or more tokens for API Users are about to expire. You should rotate expiring tokens to ensure the associated application keeps working.
Rotate a Signon API token
🪨 This procedure is toil and should be eliminated or automated away. For now, it’s unfortunately still a manual process.
Note that the overnight token sync cronjob will over-write any changes made in the Staging environment to match those in the Production environment so this procedure need only be followed for the Production and Integration environments. Any alerts relating to the Staging environment can be safely ignored.
The Integration environment should also be updated overnight but this is not happening currently. It is a known issue that when fixed will mean this procedure will need only to be followed for the Production environment.
Special cases
If the token is for Trade Tariff Admin or Trade Tariff Backend, see Trade Tariff Admin on the Wiki
If the token is for Signon API Client (permission and suspension updater) then the key will rotate automatically and the alert can be ignored.
1. Issue a new token
Go to the APIs page in Signon.
From the API users table, choose the API User whose Email matches the
api_userfield in the alert.Check the Last synced at time to see if the API User is still using the application. If you are sure the token is disused, you can choose Revoke to delete it and then you’re done.
Choose Manage tokens.
Choose Add application token.
From the Application dropdown, select the application that matches the
applicationfield in the alert.Choose Create access token.
Take one of the following actions:
* For a token used in an application outside of GOV.UK (e.g. by HMRC): securely send the token to the consumer.
* For a token used by another GOV.UK application: follow the steps in the section below.
2. Update the token in the secrets used by the consuming application
This only applies for tokens used by internal GOV.UK applications.
Update the token in the Kubernetes secret:
- Go to the Argo interface for the environment: integration, staging or production.
- Locate the
signon-sync-token-secrets-to-k8scron job. - Click the three dots on this cron job and click Create job.
- Wait for the job to complete. A sucessful run will be labelled with a green checkmark and a label such as
Healthy 1 pods. The logs can also be choosing the Logs option for the most recent run.
Check that the client application works with the new token:
Open a Rails console on the client app. For example, if the
api_userisshort-url-manager@alphagov.co.uk, open a console onshort-url-manager.k exec -it deploy/short-url-manager -- rails cFetch the environment variable that contains the token. The variable name refers to the server (destination) application, which is the same as the
applicationfield in the alert. For example, for short-url-manager (client) talking to publishing-api (server):ENV["PUBLISHING_API_BEARER_TOKEN"]Check that the result matches the new token in Signon and not the old one.
You can also check that the token works by making an API call yourself from the client app’s Rails console. For example, to check that Short URL Manager can talk to Publishing API, you could:
- Choose a method from the publishing-api client library in gds-api-adaptors.
Call the method from short-url-manager’s Rails console:
client = GdsApi::PublishingApi.new( Plek.new.find("publishing-api"), bearer_token: ENV["PUBLISHING_API_BEARER_TOKEN"] ) client.lookup_content_id(base_path: "/")The call should return some result and not raise an exception.
Once you have confirmed that the application is working with the new token, go back to Signon and revoke the old token. On the Manage tokens page, choose the Revoke link for the old token.