Files
2025-10-30 18:58:05 +01:00

169 lines
3.9 KiB
Plaintext

---
title: "Update Provider Secret"
api: "PATCH /api/v1/providers/secrets/{id}"
description: "Update a provider secret's credentials or metadata."
---
Update an existing provider secret. This is typically used to rotate credentials or update the secret name.
## Path Parameters
- `id` (required) - UUID of the secret to update
## Request Body
```json
{
"data": {
"type": "provider-secrets",
"id": "secret-uuid",
"attributes": {
"name": "Updated Secret Name",
"secret": {
"role_arn": "arn:aws:iam::123456789012:role/NewProwlerRole",
"external_id": "new-external-id"
}
}
}
}
```
### Attributes
- `name` (optional, string, nullable) - Update the secret name (3-100 characters)
- `secret` (optional, object) - Update the secret data (format depends on secret_type)
- `secret_type` (read-only) - Cannot be changed after creation
<Note>
The `secret_type` cannot be changed. If you need a different secret type, create a new secret and delete the old one.
</Note>
## Example Requests
### Update AWS Role ARN
```bash
curl -X PATCH "https://api.prowler.com/api/v1/providers/secrets/{id}" \
-H "Authorization: Bearer YOUR_API_KEY" \
-H "Content-Type: application/vnd.api+json" \
-d '{
"data": {
"type": "provider-secrets",
"id": "secret-uuid",
"attributes": {
"name": "Production AWS Role - Rotated",
"secret": {
"role_arn": "arn:aws:iam::123456789012:role/ProwlerRoleV2",
"external_id": "prowler-external-id-67890"
}
}
}
}'
```
### Update Azure Credentials
```bash
curl -X PATCH "https://api.prowler.com/api/v1/providers/secrets/{id}" \
-H "Authorization: Bearer YOUR_API_KEY" \
-H "Content-Type: application/vnd.api+json" \
-d '{
"data": {
"type": "provider-secrets",
"id": "secret-uuid",
"attributes": {
"secret": {
"client_id": "aaaabbbb-cccc-dddd-eeee-ffff00001111",
"client_secret": "new-rotated-client-secret",
"tenant_id": "tenant-uuid"
}
}
}
}'
```
## Response
### Success Response (200 OK)
Returns the updated secret metadata:
```json
{
"data": {
"type": "provider-secrets",
"id": "secret-uuid",
"attributes": {
"name": "Production AWS Role - Rotated",
"secret_type": "role",
"inserted_at": "2024-01-15T10:30:00Z",
"updated_at": "2024-01-20T14:45:00Z"
},
"relationships": {
"provider": {
"data": {
"type": "providers",
"id": "provider-uuid"
}
}
}
}
}
```
### Error Responses
**400 Bad Request** - Invalid secret format
```json
{
"errors": [
{
"status": "400",
"title": "Invalid Secret Format",
"detail": "Role ARN format is invalid"
}
]
}
```
**404 Not Found** - Secret does not exist
```json
{
"errors": [
{
"status": "404",
"title": "Not Found",
"detail": "Secret not found"
}
]
}
```
## Next Steps
After updating credentials:
1. **Test Connection**: Verify the new credentials work
```bash
curl -X POST "https://api.prowler.com/api/v1/providers/{provider_id}/connection" \
-H "Authorization: Bearer YOUR_API_KEY"
```
2. **Run Scan**: Confirm scanning works with new credentials
```bash
curl -X POST "https://api.prowler.com/api/v1/scans" \
-H "Authorization: Bearer YOUR_API_KEY" \
-d '{"data": {"type": "scans", "attributes": {"provider_id": "provider-uuid"}}}'
```
<Warning>
**Credential Rotation Best Practices:**
- Test new credentials before updating in production
- Keep old credentials valid until confirming new ones work
- Update secrets during maintenance windows
- Verify connection status after updates
- Monitor for authentication failures in scans
</Warning>
<Tip>
When rotating AWS roles, create the new role first, update the secret, test it, then delete the old role to ensure zero downtime.
</Tip>