Description
Thank you for making Pivotal Cloud Foundry such a great product. I was uncertain where I could post this question, so I ask it here.
We have a requirement to automatically rotate app secrets every month for all our applications.
If possible we still want to use the SSO Dashboard and tile to ensure easy setup and management of the applications' service-to-service credentials.
Is there an easy way of ensuring that all the applications registered through the SSO-Tile get their secrets rotated without any manual interventions?
We do not want to push buttons or use the SSO-Dashboard as it would very quickly become a maintenance nightmare to ensure all 300 apps get their client secrets rotated every month.
I already read: https://docs.pivotal.io/p-identity/1-10/configure-apps/#-regenerate-an-app-secret
and I am aware that I can delete and recreate the service binding, but that means that I would also lose any scopes given to the service-to-service applications and that I would have to log in to the SSO Dashboard to re-select the scopes needed for the service-to-service app after recreating the service binding.
I use SSO_RESOURCES and SSO_AUTO_APPROVED_SCOPES in my app manifest to set which scopes the service-to-service app should have, but once I unbind and recreate the service bindings, the scopes that I once approved for the app are gone. This makes secret rotation quite cumbersome. The scopes and authorities I am using are only used within the space where I have created my SSO service instance, and I am using SSO v. 1.10.
Maybe it is possible for the app secret and VCAP_SERVICES vars to get updated with rotated app secrets when the apps are restaged. Perhaps I could even just create a deployment script that reads out the p-identity client_id and updates the client_id with the missing scopes during deploy, but I am unsure how best I should do any of that without messing up the management possibilities that the SSO Dashboard provides.