[VMC] How to Rotate/Regenerate secrets for OAuth Apps

Article ID: 437409


Products

VMware Cloud on AWS

Issue/Introduction

You may need to rotate secrets for the OAuth Apps you are using to access your VMC on AWS SDDCs either for internal compliance or by request of the Broadcom team.

Resolution

Option 1 - Regenerate secrets with overlap via API [Recommended]

  • This option is recommended because it does not immediately invalidate the existing secret: both the old and the new secret remain valid during a 48-hour overlap, so clients can be cut over without downtime.
  • This can only be executed via the API; the console has no overlap option.

API Documentation : https://console.cloud.vmware.com/api-docs/identity-access-management-api#/Organization%20Managed%20OAuth%20Apps%20(Clients)/setNewClientSecretViaOwnerClientRotationByOrganizationIdAndApplicationIdUsingPOST

Example:

curl --request POST \
  --url https://console.cloud.vmware.com/csp/gateway/am/api/orgs/{orgId}/oauth-apps/{oauthAppId}/secret \
  --header 'authorization: Bearer <org_owner>/<org_admin> access token' \
  --header 'content-type: application/json' \
  --data '{
  "newClientSecret": "####################"
}'
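Note that with this API the caller supplies the new secret in the request body, so the client itself is responsible for generating it with a cryptographically secure generator and for storing it before the call. The following Python script is an added example, not code from the KB article or from VMware; it assumes only the endpoint, headers and body shown in the curl command above, and that the old secret remains valid for the 48-hour overlap the article describes. The `store_secret` callback and the `dry_run_send` stand-in for `urlopen` are hypothetical helpers introduced for illustration.

```python
"""Rotate an OAuth app client secret with overlap via the VMware Cloud Services API.

Added example (not from the KB article). Assumes the endpoint shown in the
article: POST /csp/gateway/am/api/orgs/{orgId}/oauth-apps/{oauthAppId}/secret
with body {"newClientSecret": "..."} and an org-owner/org-admin bearer token.
"""
import json
import secrets
import urllib.request
from datetime import datetime, timedelta, timezone

CSP_BASE = "https://console.cloud.vmware.com"
OVERLAP_HOURS = 48  # from the article: the old secret stays valid for 48 hours


def generate_client_secret(nbytes: int = 32) -> str:
    """The caller chooses the new secret, so draw it from a CSPRNG (256 bits here)."""
    return secrets.token_urlsafe(nbytes)


def build_rotation_request(org_id: str, app_id: str, access_token: str,
                           new_secret: str) -> urllib.request.Request:
    """Build the same POST the article's curl command sends."""
    url = f"{CSP_BASE}/csp/gateway/am/api/orgs/{org_id}/oauth-apps/{app_id}/secret"
    body = json.dumps({"newClientSecret": new_secret}).encode()
    headers = {
        "authorization": f"Bearer {access_token}",
        "content-type": "application/json",
    }
    return urllib.request.Request(url, data=body, headers=headers, method="POST")


def cutover_deadline(rotated_at: datetime) -> datetime:
    """Latest time by which every client must be using the new secret."""
    return rotated_at + timedelta(hours=OVERLAP_HOURS)


class _DryRunResponse:
    status = 200

    def close(self) -> None:
        pass


def dry_run_send(req: urllib.request.Request) -> _DryRunResponse:
    """Hypothetical stand-in for urllib.request.urlopen: shows the request, sends nothing."""
    print(req.get_method(), req.full_url)
    print({k: ("Bearer ***" if k.lower() == "authorization" else v)
           for k, v in req.header_items()})
    return _DryRunResponse()


def rotate_with_overlap(org_id: str, app_id: str, access_token: str,
                        store_secret, send=urllib.request.urlopen) -> dict:
    """Generate, persist, then rotate.

    The secret is written to the vault (store_secret) BEFORE the API call: if the
    call fails, the old secret is still valid and the call can simply be retried
    with the same stored value. If we called first and the write failed, the only
    copy of the newly valid secret would live in this process's memory.
    """
    new_secret = generate_client_secret()
    store_secret(new_secret)
    req = build_rotation_request(org_id, app_id, access_token, new_secret)
    resp = send(req)
    try:
        status = resp.status
    finally:
        resp.close()
    rotated_at = datetime.now(timezone.utc)
    return {
        "status": status,
        "rotated_at": rotated_at,
        "old_secret_valid_until": cutover_deadline(rotated_at),
    }


if __name__ == "__main__":
    # Dry run with constructed placeholder ids and token; nothing leaves the machine.
    result = rotate_with_overlap("ORG_ID_PLACEHOLDER", "APP_ID_PLACEHOLDER",
                                 "TOKEN_PLACEHOLDER", store_secret=lambda s: None,
                                 send=dry_run_send)
    print("cut clients over before:", result["old_secret_valid_until"].isoformat())
```

Replace `send=dry_run_send` with the default `urllib.request.urlopen` (and `store_secret` with a write to your actual secret store) to perform the rotation; the returned `old_secret_valid_until` is the point by which every consumer of the app must have picked up the new secret.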

Option 2 - Regenerate secrets with NO overlap via Console

WARNING! - This will immediately invalidate the existing secret, so any client still using it will fail until it is updated. Also, the new secret cannot be viewed again once you close the modal that displays it.

  1. Log in to console.cloud.vmware.com as an Org Owner of the Org in which the app was created.
  2. Navigate to IAM on the left-hand side.
  3. Select the OAuth Apps tile from the section on the right.
  4. Click on Owned Apps tab.
  5. Select the app that you wish to rotate.
  6. Click on “Edit Details” (pencil icon).
  7. On the next page, click on “Regenerate Secret”.
  8. Accept the warning.

Please ensure that you copy the secret right away - once the popup is closed, there is no way to retrieve it, and the only remedy is another regeneration.