Last updated: 12 May 2025
Rotate Fastly automation token for Prometheus exporter
GOV.UK platform engineering has a Fastly account token for exporting Fastly metrics to Prometheus. The token is currently set to expire after a year.
Changing a Fastly automation token requires superuser access. Ask someone
from govuk-platform-engineering@ or govuk-senior-tech-members@ to do this for
you.
It doesn’t matter who creates the token, as long as they have superuser access. Any superuser can delete or rotate any API token in the GOV.UK Fastly account.
Follow these steps to revoke old tokens and issue new ones.
3 new tokens will be created to allow access to metrics for Integration, Staging and Production.
For the Integration environment follow these steps:
- Log into https://manage.fastly.com/.
- Go to Account tokens.
- Filter by the string “prometheus-fastly-exporter token for Integration” to narrow down the list.
- Delete the expiring tokens by pressing the trash bin icon in the rightmost column.
- Go to API tokens.
- Choose Create Token, near the top-right of the page. The UI may prompt you for your account password.
- Under Type, choose Automation token. Do not create a User token.
- Name the token “GOV.UK prometheus-fastly-exporter token for Integration”.
- Leave the default Scope as global:read. Ensure nothing else is ticked under the Scope heading.
- Under Access, choose One or more services and select all Services under the filter Integration.
- Under Expiration, select 1 year after the current date.
- Choose Create Token.
- Copy the token and update the secret govuk/fastly/api in AWS secrets manager for the Integration environment.
- In Argo CD select the monitoring-config application and click Refresh on the external secret for fastly-exporter to pick up the updated token.
- Then select the fastly-exporter application and delete the running fastly-exporter-prometheus pod to trigger a deployment of a new fastly-exporter-prometheus to use the new token.
- Check that the token is being used by clicking on Logs for the fastly-exporter-prometheus pod. If there are errors reported in the Logs, it might be that the token hasn’t been picked up properly, so the external secret will need to be refreshed again and the fastly-exporter-prometheus pod re-deployed.
- Finally, wait for a couple of minutes and then check that metrics from Fastly are being exported to Prometheus by browsing to prometheus on Integration.
- Repeat these steps for Staging and Production.
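
One way to confirm that a newly created token matches the settings in the steps above (name, global:read scope only, limited to services, 1 year expiry). This is an added example, not GOV.UK's own tooling. It assumes the token metadata is JSON shaped like Fastly's GET /tokens/self response (fields name, scope, services, expires_at); the sample record, service IDs and the check_token helper are constructed for illustration.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample of a token-metadata response; not real GOV.UK data.
SAMPLE = json.loads("""{
  "name": "GOV.UK prometheus-fastly-exporter token for Integration",
  "scope": "global:read",
  "services": ["EXAMPLESERVICEID1", "EXAMPLESERVICEID2"],
  "expires_at": "2026-05-12T09:00:00+00:00"
}""")

def check_token(meta, environment, now, warn_days=30):
    """Return a list of problems; an empty list means the token matches the runbook."""
    problems = []
    expected = f"GOV.UK prometheus-fastly-exporter token for {environment}"
    if meta.get("name") != expected:
        problems.append(f"name is {meta.get('name')!r}, expected {expected!r}")
    # Assumption: scope is a space-delimited string, as in Fastly's token API.
    scopes = (meta.get("scope") or "").split()
    if scopes != ["global:read"]:
        problems.append(f"scope is {scopes}, expected only global:read")
    # Assumption: an empty services list means the token can reach every service.
    if not meta.get("services"):
        problems.append("token is not restricted to specific services")
    expires = meta.get("expires_at")
    if not expires:
        problems.append("token never expires")
    else:
        remaining = datetime.fromisoformat(expires.replace("Z", "+00:00")) - now
        if remaining <= timedelta(0):
            problems.append("token has expired")
        elif remaining > timedelta(days=366):
            problems.append("expiry is more than 1 year away")
        elif remaining < timedelta(days=warn_days):
            problems.append(f"token expires in {remaining.days} days, rotate it")
    return problems

if __name__ == "__main__":
    now = datetime(2025, 5, 12, 9, 0, tzinfo=timezone.utc)
    for problem in check_token(SAMPLE, "Integration", now) or ["OK"]:
        print(problem)
```

The same function can be run periodically against each environment's token metadata to flag a token that is within warn_days of expiry before the exporter starts failing.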