mirror of
https://github.com/prowler-cloud/prowler.git
synced 2026-07-19 10:31:51 +00:00
169 lines
3.9 KiB
Plaintext
169 lines
3.9 KiB
Plaintext
---
|
|
title: "Update Provider Secret"
|
|
api: "PATCH /api/v1/providers/secrets/{id}"
|
|
description: "Update a provider secret's credentials or metadata."
|
|
---
|
|
|
|
Update an existing provider secret. This is typically used to rotate credentials or update the secret name.
|
|
|
|
## Path Parameters
|
|
|
|
- `id` (required) - UUID of the secret to update
|
|
|
|
## Request Body
|
|
|
|
```json
|
|
{
|
|
"data": {
|
|
"type": "provider-secrets",
|
|
"id": "secret-uuid",
|
|
"attributes": {
|
|
"name": "Updated Secret Name",
|
|
"secret": {
|
|
"role_arn": "arn:aws:iam::123456789012:role/NewProwlerRole",
|
|
"external_id": "new-external-id"
|
|
}
|
|
}
|
|
}
|
|
}
|
|
```
|
|
|
|
### Attributes
|
|
|
|
- `name` (optional, string, nullable) - Update the secret name (3-100 characters)
|
|
- `secret` (optional, object) - Update the secret data (format depends on secret_type)
|
|
- `secret_type` (read-only) - Cannot be changed after creation
|
|
|
|
<Note>
|
|
The `secret_type` cannot be changed. If you need a different secret type, create a new secret and delete the old one.
|
|
</Note>
|
|
|
|
## Example Requests
|
|
|
|
### Update AWS Role ARN
|
|
```bash
|
|
curl -X PATCH "https://api.prowler.com/api/v1/providers/secrets/{id}" \
|
|
-H "Authorization: Bearer YOUR_API_KEY" \
|
|
-H "Content-Type: application/vnd.api+json" \
|
|
-d '{
|
|
"data": {
|
|
"type": "provider-secrets",
|
|
"id": "secret-uuid",
|
|
"attributes": {
|
|
"name": "Production AWS Role - Rotated",
|
|
"secret": {
|
|
"role_arn": "arn:aws:iam::123456789012:role/ProwlerRoleV2",
|
|
"external_id": "prowler-external-id-67890"
|
|
}
|
|
}
|
|
}
|
|
}'
|
|
```
|
|
|
|
### Update Azure Credentials
|
|
```bash
|
|
curl -X PATCH "https://api.prowler.com/api/v1/providers/secrets/{id}" \
|
|
-H "Authorization: Bearer YOUR_API_KEY" \
|
|
-H "Content-Type: application/vnd.api+json" \
|
|
-d '{
|
|
"data": {
|
|
"type": "provider-secrets",
|
|
"id": "secret-uuid",
|
|
"attributes": {
|
|
"secret": {
|
|
"client_id": "aaaabbbb-cccc-dddd-eeee-ffff00001111",
|
|
"client_secret": "new-rotated-client-secret",
|
|
"tenant_id": "tenant-uuid"
|
|
}
|
|
}
|
|
}
|
|
}'
|
|
```
|
|
|
|
## Response
|
|
|
|
### Success Response (200 OK)
|
|
|
|
Returns the updated secret metadata:
|
|
|
|
```json
|
|
{
|
|
"data": {
|
|
"type": "provider-secrets",
|
|
"id": "secret-uuid",
|
|
"attributes": {
|
|
"name": "Production AWS Role - Rotated",
|
|
"secret_type": "role",
|
|
"inserted_at": "2024-01-15T10:30:00Z",
|
|
"updated_at": "2024-01-20T14:45:00Z"
|
|
},
|
|
"relationships": {
|
|
"provider": {
|
|
"data": {
|
|
"type": "providers",
|
|
"id": "provider-uuid"
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
```
|
|
|
|
### Error Responses
|
|
|
|
**400 Bad Request** - Invalid secret format
|
|
```json
|
|
{
|
|
"errors": [
|
|
{
|
|
"status": "400",
|
|
"title": "Invalid Secret Format",
|
|
"detail": "Role ARN format is invalid"
|
|
}
|
|
]
|
|
}
|
|
```
|
|
|
|
**404 Not Found** - Secret does not exist
|
|
```json
|
|
{
|
|
"errors": [
|
|
{
|
|
"status": "404",
|
|
"title": "Not Found",
|
|
"detail": "Secret not found"
|
|
}
|
|
]
|
|
}
|
|
```
|
|
|
|
## Next Steps
|
|
|
|
After updating credentials:
|
|
|
|
1. **Test Connection**: Verify the new credentials work
|
|
```bash
|
|
curl -X POST "https://api.prowler.com/api/v1/providers/{provider_id}/connection" \
|
|
-H "Authorization: Bearer YOUR_API_KEY"
|
|
```
|
|
|
|
2. **Run Scan**: Confirm scanning works with new credentials
|
|
```bash
|
|
curl -X POST "https://api.prowler.com/api/v1/scans" \
|
|
-H "Authorization: Bearer YOUR_API_KEY" \
|
|
-d '{"data": {"type": "scans", "attributes": {"provider_id": "provider-uuid"}}}'
|
|
```
|
|
|
|
<Warning>
|
|
**Credential Rotation Best Practices:**
|
|
- Test new credentials before updating in production
|
|
- Keep old credentials valid until confirming new ones work
|
|
- Update secrets during maintenance windows
|
|
- Verify connection status after updates
|
|
- Monitor for authentication failures in scans
|
|
</Warning>
|
|
|
|
<Tip>
|
|
When rotating AWS roles, create the new role first, update the secret, test it, then delete the old role to ensure zero downtime.
|
|
</Tip>
|