Rotate OPA Tokens

This guide describes how to automate rotation of the token used by OPAs to authenticate with Styra DAS.

Prerequisites

The following prerequisites are required to rotate the token used by OPAs.

  • Token with the WorkspaceAdministrator role
  • System with deployed OPAs
  • Access to update secrets for the system's OPAs

Throughout this page, it's assumed the following environment variables are configured in your shell:

export system_id=xyz
export das_token=secret-value

Above, xyz is the id of the system associated with the OPAs, and secret-value is replaced with the value of a token with WorkspaceAdministrator privileges.

Workflow

Perform the following steps to rotate the OPAs' token.

  1. Create a new token. This token will be used to replace the existing OPA token after we have assigned it the correct RBAC role. This token must be in the target system's namespace; for example, systems/${system_id}/opa-version, where ${system_id} is the id of the target system.

    The following curl command shows an example of such token creation:

    curl -H "Content-Type: application/json"  -H "Authorization: Bearer ${das_token}" -X PUT "https://TENANT.styra.com/v1/tokens/systems/${system_id}/opa-version" -d '{"description": "Token for OPAs", "ttl": "720h", "allow_path_patterns": [], "regenerate": false}'

    The response contains the secret token value. For example:

    {"request_id":"89eaaa0f-f422-4646-aeaf-b473668f9082","result":"VQEaMGtesPRE0cU7bgVJB_7wpxzqGuB1TUfadZl2J4JhtZK3s5g2xKoE28Q"}

    Be sure to save the value of result as you cannot obtain it again.

  2. Assign the token the SystemOPA role. By default, tokens do not have any roles assigned to them, so you should use the authz APIs to bind a role to the token.

    This is performed by the following curl command:

    curl -H "Content-Type: application/json"  -H "Authorization: Bearer ${das_token}" -X POST https://TENANT.styra.com/v2/authz/rolebindings -d "{\"resource_filter\": {\"kind\": \"system\", \"id\": \"${system_id}\"}, \"role_id\": \"SystemOPA\", \"subjects\": [{\"kind\": \"token\", \"id\": \"systems/${system_id}/opa-version\"}]}"

  3. Configure OPA to use the new token. This step depends on how you have configured OPA to read secrets. If you are using Kubernetes secrets, the OPA deployment will have a secret volume configured; for example:

    - name: das-token
      secret:
        secretName: das-slp-token
        defaultMode: 0400

    In this case, you need to update the Kubernetes secret named das-slp-token. This can be accomplished with kubectl or automation. Using kubectl, you could update the secret with a config file like:

    kind: Secret
    apiVersion: v1
    metadata:
      name: das-slp-token
      namespace: styra-system
    data:
      das_slp_token: "c2VjcmV0Cg=="

    The value for das_slp_token is the base64-encoded token secret obtained in Step 1.

  4. Delete the original token. This can be done through the UI or using the tokens API.
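The four steps above, driven from one script, as an added example that is not part of the Styra documentation. It assumes TENANT and das_token are exported, that the new token id gets a date suffix under systems/<system_id>/, that the Secret is das-slp-token in namespace styra-system with an OPA deployment named opa, and that step 4 uses DELETE on /v1/tokens/<id>; none of those names or that endpoint come from the page.

```shell
#!/bin/sh
# Added example, not from the Styra docs: drive the four rotation steps with
# the same APIs the guide uses. Assumptions: TENANT and das_token are exported;
# the new token id suffix, the secret/namespace/deployment names, and the
# DELETE /v1/tokens/<id> call in step 4 are assumed, not taken from the page.
set -eu
BASE="https://${TENANT:-TENANT}.styra.com"

# Token ids must live in the target system's namespace: systems/<id>/...
new_token_id() { printf 'systems/%s/opa-%s' "$1" "$2"; }
in_system_namespace() { case "$2" in "systems/$1/"*) return 0 ;; *) return 1 ;; esac; }

# Step 2 payload: bind SystemOPA to exactly one token subject on one system.
rolebinding_payload() {
  printf '{"resource_filter":{"kind":"system","id":"%s"},"role_id":"SystemOPA","subjects":[{"kind":"token","id":"%s"}]}' "$1" "$2"
}

# Step 3 helpers: base64 without a trailing newline (echo | base64 would encode
# "secret\n"), then the same Secret manifest shape the guide shows.
b64_token() { printf '%s' "$1" | base64 | tr -d '\n'; }
secret_manifest() {
  printf 'kind: Secret\napiVersion: v1\nmetadata:\n  name: %s\n  namespace: %s\ndata:\n  das_slp_token: "%s"\n' "$1" "$2" "$(b64_token "$3")"
}

das() { curl -fsS -H "Content-Type: application/json" -H "Authorization: Bearer ${das_token}" "$@"; }

rotate() {
  sys="$1"; old_id="$2"; new_id=$(new_token_id "$sys" "$(date +%Y%m%d)")
  in_system_namespace "$sys" "$new_id" || { echo "token id outside system namespace" >&2; return 1; }
  # Step 1: create the token; .result is the secret and is shown only once.
  secret=$(das -X PUT "$BASE/v1/tokens/$new_id" \
    -d '{"description":"Token for OPAs","ttl":"720h","allow_path_patterns":[],"regenerate":false}' \
    | sed -n 's/.*"result":"\([^"]*\)".*/\1/p')
  [ -n "$secret" ] || { echo "no token secret in response" >&2; return 1; }
  # Step 2: grant the role before any OPA is pointed at the new token.
  das -X POST "$BASE/v2/authz/rolebindings" -d "$(rolebinding_payload "$sys" "$new_id")" >/dev/null
  # Step 3: replace the mounted secret, then restart so OPAs re-read it.
  secret_manifest das-slp-token styra-system "$secret" | kubectl apply -f -
  kubectl -n styra-system rollout restart deployment/opa      # assumed name
  kubectl -n styra-system rollout status deployment/opa --timeout=120s
  # Step 4: only after the rollout succeeded is the old token safe to delete.
  das -X DELETE "$BASE/v1/tokens/$old_id" >/dev/null
}

# Usage: sh rotate.sh <system_id> <old_token_id>; with no args it only defines functions.
if [ $# -eq 2 ]; then rotate "$1" "$2"; fi
```

Deleting the old token last keeps every OPA authenticated throughout the rollout; if the rollout status check fails, the script stops and the old token stays valid.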