Generate the datastore-token on deployment instead of by hand #1

Open
opened 2026-05-23 20:53:50 +00:00 by coilysiren · 0 comments
Owner

Originally filed by @coilysiren on 2026-05-22T20:32:57Z - https://github.com/coilysiren/backend/issues/88

Problem - the datastore-token is minted by hand. It lives in SSM /coilysiren/backend/datastore-token and is hand-mirrored into the DATASTORE_TOKEN GitHub Actions secret, so two manual copies have to be rotated together. The token is functionally a deploy secret with no human meaning. There is no reason a human should ever generate or touch it.

Proposal - generate a fresh random token as a step in the deploy pipeline. Write it to SSM /coilysiren/backend/datastore-token as a SecureString. The ExternalSecret in deploy/main.yml already syncs SSM into the cluster, so the running service picks up the new value with no further change.

The GHA-secret mirror only exists so the release pipeline can POST CI status with the token. Once the deploy job mints the token itself, that run has the value in hand as a step output, so the DATASTORE_TOKEN GitHub Actions secret can be retired entirely.

Effect

  • No hand-minted token, no hand-mirroring, no "rotate both places together" footgun.
  • Every deploy rotates the token for free. Kai's read: "I could roll it every 5 seconds and it would be fine."
  • One source of truth (SSM), one writer (the deploy job).

Touch points

  • The deploy workflow for coilysiren/backend - add a generate-and-write-to-SSM step.
  • deploy/main.yml ExternalSecret - likely unchanged, it already reads SSM.
  • Retire the DATASTORE_TOKEN GitHub Actions secret.
  • Update SSM.md in agentic-os-kai - the "mirrored as a GHA secret, rotate both together" note goes away.

Watch out - rollout ordering. The deploy should write SSM early enough that the ExternalSecret syncs before the new pods roll. During the overlap window, pods still running the old token will fail auth. A rolling restart gated on the secret sync, or accepting a short auth blip, needs a deliberate call when this is built.

Origin context: SSM entry /coilysiren/backend/*, coilysiren/backend#65 and #79.

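One way to build the generate-and-write-to-SSM step together with the sync-gated rolling restart from the "watch out" paragraph, as an added example rather than code from coilysiren/backend. The SSM path is the one named in the issue; the ExternalSecret, Secret, Deployment and namespace names (defaulting to `backend`/`default`), the `datastore-token` key inside the synced Secret, the script path and the `rotate` argument are all assumptions for illustration.

```shell
#!/bin/sh
# Added example: mint the datastore-token at deploy time, write it to SSM,
# wait for the ExternalSecret to sync, then roll the pods. Not the project's
# own workflow code. Names other than SSM_PATH are assumptions.
set -eu

SSM_PATH="/coilysiren/backend/datastore-token"   # from the issue
EXTERNAL_SECRET="${EXTERNAL_SECRET:-backend}"    # assumed ExternalSecret name
K8S_SECRET="${K8S_SECRET:-backend}"              # assumed synced Secret name
DEPLOYMENT="${DEPLOYMENT:-backend}"              # assumed Deployment name
NAMESPACE="${NAMESPACE:-default}"                # assumed namespace

# 32 bytes from the kernel CSPRNG, hex-encoded: 256 bits of entropy and no
# dependency on openssl being present on the runner.
mint_token() {
    od -An -tx1 -N32 /dev/urandom | tr -d ' \n'
}

# Accept only exactly 64 lowercase hex characters, so a short read or a
# stray newline can never be written to SSM as the token.
valid_token() {
    case "$1" in
        *[!0-9a-f]*) return 1 ;;
    esac
    [ "${#1}" -eq 64 ]
}

# Overwrite the parameter as a SecureString. Only the deploy job's role
# should hold ssm:PutParameter on this path: one source of truth, one writer.
write_ssm() {
    aws ssm put-parameter \
        --name "$SSM_PATH" \
        --type SecureString \
        --overwrite \
        --value "$1" >/dev/null
}

# Gate on the value actually landing in the cluster: force an immediate
# refresh and compare the synced Secret against what was written, instead
# of trusting a status condition or waiting out refreshInterval.
wait_for_sync() {
    expected="$1"
    deadline=$(( $(date +%s) + 300 ))
    while [ "$(date +%s)" -lt "$deadline" ]; do
        kubectl -n "$NAMESPACE" annotate externalsecret "$EXTERNAL_SECRET" \
            force-sync="$(date +%s)" --overwrite >/dev/null
        current=$(kubectl -n "$NAMESPACE" get secret "$K8S_SECRET" \
            -o jsonpath='{.data.datastore-token}' | base64 -d)
        if [ "$current" = "$expected" ]; then
            return 0
        fi
        sleep 5
    done
    echo "ExternalSecret $EXTERNAL_SECRET did not sync within 300s" >&2
    return 1
}

# Only after the sync: new pods start with the fresh token and old ones are
# drained, rather than sitting in the overlap window failing auth.
roll_pods() {
    kubectl -n "$NAMESPACE" rollout restart "deployment/$DEPLOYMENT"
    kubectl -n "$NAMESPACE" rollout status "deployment/$DEPLOYMENT" --timeout=300s
}

main() {
    token=$(mint_token)
    valid_token "$token" || { echo "minted token failed validation" >&2; exit 1; }
    # Mask before anything else can echo it into the Actions log.
    echo "::add-mask::$token"
    write_ssm "$token"
    wait_for_sync "$token"
    roll_pods
    # Expose it as a step output for later steps (the CI-status POST), which
    # is what makes the DATASTORE_TOKEN Actions secret mirror unnecessary.
    echo "token=$token" >> "${GITHUB_OUTPUT:?}"
}

# Rotate only when invoked as `sh rotate-datastore-token.sh rotate`;
# otherwise the file just defines the functions.
case "${1:-}" in
    rotate) main ;;
esac
```

In the workflow this runs as a single step after AWS credentials and kubeconfig are set up, for example `run: sh deploy/rotate-datastore-token.sh rotate` with `id: mint`, and later steps read `${{ steps.mint.outputs.token }}`. The job's IAM role needs `ssm:PutParameter` on the path (plus `kms:Encrypt` on the key if the parameter uses a customer-managed KMS key), and the sync wait assumes the ExternalSecret in deploy/main.yml maps the parameter to a `datastore-token` key in the target Secret.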
coilysiren added P2 and removed P1 labels 2026-05-31 07:00:13 +00:00
Reference
coilyco-flight-deck/backend#1