Skip to main content
Last updated: 23 Feb 2024

Rotate Fastly automation token for Emergency Alerts application

🚧 This process should not be necessary unless a token has been compromised or lost.

GOV.UK Emergency Alerts has a Fastly account token for evicting objects from the CDN cache. The token should not normally need to be changed. Under exceptional circumstances it may be necessary to change the token, for example if the token has been compromised.

Changing a Fastly automation tokens requires superuser access. Ask someone from govuk-platform-engineering@ or govuk-senior-tech-members@ to do this for you.

It doesn’t matter who creates the token, as long as they have superuser access. Any superuser can delete or rotate any API token in the GOV.UK Fastly account.

Follow these steps to revoke old tokens and issue new one.

The new token will allow purge requests to the 3 Emergency Alerts services on Fastly and nothing else.

Please do not create multiple tokens, even though this was done in the past. Having 3 separate tokens does not improve security in this case; it only creates toil.

  1. Log into
  2. Go to Account tokens.
  3. Filter by the string “Emergency Alerts” to narrow down the list.
  4. Delete any lost or compromised tokens by pressing the trash bin icon in the rightmost column.
  5. Go to API tokens.
  6. Choose Create Token, near the top-right of the page. The UI may prompt you for your account password.
  7. Under Type, choose Automation token. Do not create a User token.
  8. Name the token GOV.UK Emergency Alerts.
  9. Under Scope, tick the two Purge boxes: purge_all and purge_select. Ensure nothing else is ticked under the Scope heading.
  10. Under Access, choose One or more services and select Production GOV.UK, Staging GOV.UK and Integration GOV.UK, then choose Apply.
  11. Under Expiration, choose Never expire. Do not set an expiry date.
  12. Choose Create Token.
  13. Copy the token and securely transfer it to the person from Emergency Alerts team who is requesting it. For example, calling the person via Google Meet and pasting it into the chat would be acceptable. Avoid sending the token by email or any communication tool that might leave lasting copies.

The person from Emergency Alerts team will then update the configuration in their 3 AWS accounts: preview, staging and production. For each account, they will need to:

  1. Update fastly-api-key in SSM Parameter Store.
  2. Find the eas-app-govuk-alerts service in eas-app-cluster in ECS.
  3. Stop the running task within the eas-app-govuk-alerts dwiserviceapp. ECS will automatically start a new task with the new credentials.
  4. Check that the key works by rebuilding the public alerts site for that environment. It will automatically rebuild after the container app restarts.