We use encrypted secrets to store sensitive information and deploy automatically to cloud.gov.
Locally, you should store all secrets in a .env file within the /backend directory. These will get added in to the Docker containers when they're built and launched.
Deployed secrets are stored in repository secrets located in the repository settings on Github. Note that only an admin can add or remove repository secrets.
To deploy to cloud.gov automatically, we have a space-deployer service account that holds a service key with unique credentials.
The service account credentials are stored in the repository secrets under:
CF_USERNAMECF_PASSWORD
We use SAM.gov to look up information about the organizations that use the FAC.
To use the SAM.gov API, you will need a key. A user API key can be created for local testing, but a system account system API key will be needed for the site when it's in production.
To generate a SAM.gov user key, follow these steps:
- Head to SAM.gov, then click "Sign In" in the top right corner.
- You will be passed to Login.gov to authenticate.
- When you return, you may need to answer a few questions, but then you should have a basic account created.
- Head to your profile page, and then under Public API Key, click the eyeball to reveal it or the rectangles icon to copy it.
- Add
SAM_API_KEY = '<key>'to your.envfile (where<key>is your actual key from the page). - Rebuild/restart any open Docker containers you have going.
To generate a SAM.gov System Account API key, follow these steps:
- Users registered with a non-government email address and associated with an entity OR users registered with a government email address may request a system account for public data access.
- If a user satisfies the above registration criteria they will be able to access the System Accounts widget from their Workspace page after logging in.
- The user can then select “Go to System Accounts” from the widget and fill out the required sections.
- The requested system account will then need to be approved. After approval the user will be notified via email and they can also see the updated status in the System Account widget.
- The user can select ‘Go to System Accounts’ again in the widget from their workspace and enter a new system account password.
- After setting up the password the user will see a new section for retrieving a system account API Key.
- The user must enter their password again to retrieve the key.
NOTE: To obtain access to the FOUO/Sensitive Entity API data with a system account the user must be registered with a government email address.
The system account API key will be stored as SAM_API_KEY in the repository secrets in Github.
The Cloud.gov service account and SAM.gov API Key credentials should be rotated every 90 days.
To rotate credentials associated with a cloud.gov service key, follow the steps here to delete and recreate the service key.
cf delete-service-key my-service-account my-service-key
cf create-service-key my-service-account my-service-key
cf service-key my-service-account my-service-keyTo rotate the API key associated with a SAM.gov system account, follow the steps here to delete and recreate the API key. You will need to update it in GitHub after this. Once updated, a new deploy will automatically replace it on the instance.
Act can be used to test Github Actions locally and can handle secrets in .secrets.
To test pushing to cloud.gov locally with the deploy.yml workflow:
$ touch .secrets- Create a space-deployer service account and copy the username and password into
.secretsunderCF_USERNAME=andCF_PASSWORD=. - Create a system account API key and copy the API key into
.secretsunderSAM_API_KEY=. - Run act:
$ act