Files
siriusscan--sirius/documentation/dev/operations/README.api-key-operations.md
T
wehub-resource-sync 161ef94b4f
Check engine pin consistency / Dockerfile / CI pin consistency (push) Successful in 8s
Sirius CI/CD Pipeline / Detect Changes (push) Successful in 23s
Validate Docker Configuration / Validate Docker Compose Configuration (push) Successful in 47s
Sirius CI/CD Pipeline / Build API (${{ matrix.platform }}) (push) Has been cancelled
Sirius CI/CD Pipeline / Build UI (${{ matrix.platform }}) (push) Has been cancelled
Sirius CI/CD Pipeline / Merge Engine Manifest (push) Has been cancelled
Sirius CI/CD Pipeline / Merge API Manifest (push) Has been cancelled
Sirius CI/CD Pipeline / Merge UI Manifest (push) Has been cancelled
Sirius CI/CD Pipeline / Build Engine (${{ matrix.platform }}) (push) Has been cancelled
Sirius CI/CD Pipeline / Build Infra (${{ matrix.service }}, ${{ matrix.platform }}) (push) Has been cancelled
Sirius CI/CD Pipeline / Merge Infra Manifest (sirius-postgres) (push) Has been cancelled
Sirius CI/CD Pipeline / Merge Infra Manifest (sirius-rabbitmq) (push) Has been cancelled
Sirius CI/CD Pipeline / Merge Infra Manifest (sirius-valkey) (push) Has been cancelled
Sirius CI/CD Pipeline / Integration Test (push) Has been cancelled
Sirius CI/CD Pipeline / Public Stack Contract (push) Has been cancelled
Sirius CI/CD Pipeline / Dispatch Demo Deployment (sirius-demo branch) (push) Has been cancelled
Sirius CI/CD Pipeline / Dispatch Demo Canary (main branch) (push) Has been cancelled
Sirius CI/CD Pipeline / Guard Registry Namespace (push) Has been cancelled
chore: import upstream snapshot with attribution
2026-07-13 12:32:25 +08:00

119 lines
3.5 KiB
Markdown

---
title: "API Key Operations Runbook"
description: "Production runbook for stateless service API key rotation, recovery, and incident response."
template: "TEMPLATE.guide"
llm_context: "high"
categories: ["operations", "security", "deployment"]
tags: ["apikey", "rotation", "incident-response", "valkey", "runbook"]
related_docs:
- "README.development.md"
- "README.docker-container-deployment.md"
- "README.auth-surface-matrix.md"
---
# API Key Operations Runbook
This runbook defines production-safe operations for Sirius service API keys.
## Scope
Applies to service-to-service credential `SIRIUS_API_KEY` used by:
- `sirius-api`
- `sirius-ui` (server-side tRPC -> API calls)
- `sirius-engine` and agent/scanner API clients
## Baseline Invariants
- `SIRIUS_API_KEY` must be non-empty in production.
- Go API must reject requests without a valid `X-API-Key`.
- Only `/health` is public.
- Root service key validation is stateless from runtime environment configuration.
- Valkey stores only dynamic/user-generated API key records.
## Rotation Procedure (No Downtime)
### 1) Create new key
1. Authenticate as admin in UI.
2. Create a new API key in Settings.
3. Record:
- key value (shown once)
- key id/hash
- label
### 2) Deploy new key to services
1. Update deployment secret store or environment value for `SIRIUS_API_KEY` with the new key.
2. Roll out services in order:
1. `sirius-api`
2. `sirius-ui`
3. `sirius-engine`
3. Validate:
- API 401 rate does not spike.
- UI can read/write through tRPC.
- scanner/agent host submissions continue.
### 3) Revoke old key
1. After rollout and validation period, revoke old key in UI.
2. Confirm old key returns 401.
3. Close rotation ticket.
## Incident: Valkey Data Loss
Symptoms:
- sudden 401s for user-generated keys
- API key list empty
- dynamic key operations fail while root key requests still succeed
Recovery:
1. Restore Valkey from backup if available.
2. If no backup:
- ensure production `SIRIUS_API_KEY` is correctly set for all services.
- restart `sirius-api` first; root key path remains stateless.
3. Restart `sirius-ui` and `sirius-engine`.
4. Validate end-to-end operations and security harness results.
## Incident: Root Key Mismatch (Configuration Drift)
Symptoms:
- services return 401 with old key after key rotation
- env values differ between `sirius-ui`, `sirius-api`, and `sirius-engine`
Recovery:
1. Confirm deployed `SIRIUS_API_KEY` value in runtime environment.
2. Restart `sirius-api`, then `sirius-ui` and `sirius-engine`.
3. Re-check key validation success for deployed root key.
4. If still failing, capture API logs and run security harness `auth-surface` and `api` suites.
## Incident: Unauthorized Agent/Scanner API Writes
Symptoms:
- scanner/agent host submissions return 401
Recovery:
1. Verify `SIRIUS_API_KEY` is present in engine/scanner/agent runtime.
2. Verify clients send `X-API-Key`.
3. Validate key exists in API key list and is not revoked.
4. Roll service restart after secret correction.
## Validation Commands
Run security checks from repository root:
```bash
cd testing/security
go run . --suite api
go run . --suite trpc
go run . --suite auth-surface
```
## Operational Checklist
- [ ] `SIRIUS_API_KEY` secret exists and is non-empty in production.
- [ ] API middleware accepts configured root key on non-health routes.
- [ ] UI + engine are using the same active service key.
- [ ] Old keys are revoked only after rollout validation.
- [ ] Recovery procedure for config drift or Valkey loss is documented in incident ticket.