Users sometimes need to rotate their deploy keys, for example after a security change in the company, or simply as a matter of good security hygiene.
The CircleCI build deploy key is what retrieves the repository during the checkout phase, so keeping it secure (and rotating it when it may have been exposed) matters.
The following is a script you can run on your local machine to retrieve the repositories in your organization and rotate all of their deploy keys. It needs a personal API token in `CIRCLE_TOKEN`, `curl` and `jq`.
- To rotate the keys you first need to retrieve all of the repositories under the organization.
- See the CircleCI API Reference.
- The following uses API v1.1 to list the followed projects, because there is no v2 equivalent of this endpoint.
org=nanophate # Your organization
# Pass the org with --arg: a "${org}" inside jq's single-quoted filter is a literal string and would match nothing.
org_repos=$(curl -fsS -H "Circle-Token: ${CIRCLE_TOKEN}" https://circleci.com/api/v1.1/projects \
  | jq -r --arg org "$org" '.[] | select(.username == $org) | .reponame')
- The following loops over each repository retrieved from the followed projects, deletes the existing deploy keys and adds a new one. Between the delete and the create the project has no deploy key, so a build that reaches checkout in that window will fail; run this when no builds are in flight.
# printf keeps one repo per line; an unquoted echo would collapse the list onto a single line.
printf '%s\n' "${org_repos}" | while read -r repo; do
  # GET the project's checkout keys and keep only the deploy-key fingerprints (user keys are left alone)
  fingerprints=$(curl -fsS -H "Circle-Token: ${CIRCLE_TOKEN}" "https://circleci.com/api/v2/project/gh/${org}/${repo}/checkout-key" \
    | jq -r '.items[] | select(.type == "deploy-key") | .fingerprint')
  # Delete each existing deploy key from the project
  printf '%s\n' "${fingerprints}" | while read -r fingerprint; do
    [ -n "${fingerprint}" ] || continue
    curl -fsS -X DELETE -H "Circle-Token: ${CIRCLE_TOKEN}" "https://circleci.com/api/v2/project/gh/${org}/${repo}/checkout-key/${fingerprint}"
  done
  # Create a new deploy key for the project
  curl -fsS -X POST -H "Circle-Token: ${CIRCLE_TOKEN}" -H "content-type: application/json" -d '{"type":"deploy-key"}' "https://circleci.com/api/v2/project/gh/${org}/${repo}/checkout-key"
done
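The same rotation as a small Python script, added here as an example and not part of the original post. It keeps the network calls behind a single `request` function so the logic can be exercised offline against `fake_circleci`, a constructed stand-in whose responses mirror the field names the shell version relies on (`username`, `reponame`, `vcs_type` from v1.1 `/projects`; `items[].type` and `items[].fingerprint` from the v2 checkout-key endpoint). It differs from the shell loop in one respect: it creates the replacement key before deleting the old ones, so the project is never left without a deploy key (this assumes a project may hold more than one checkout key at a time, which the `items` array of the listing suggests). `CIRCLE_ORG` and the `new:NN` fingerprints are assumptions for the demo only.

```python
import json
import os
import urllib.request
from typing import Any, Callable, Dict, List

# (method, path, body=None) -> parsed JSON; the only thing that touches the network
Request = Callable[..., Any]


def circleci_request(token: str) -> Request:
    """Real transport: one authenticated call against https://circleci.com/api."""
    def request(method: str, path: str, body: Dict[str, Any] = None) -> Any:
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(
            "https://circleci.com/api" + path, data=data, method=method,
            headers={"Circle-Token": token, "Accept": "application/json",
                     "Content-Type": "application/json"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            raw = resp.read()
        return json.loads(raw) if raw else {}
    return request


def org_github_repos(projects: List[Dict[str, Any]], org: str) -> List[str]:
    """Filter the v1.1 /projects list to GitHub repos owned by `org` (the v2 path uses gh/)."""
    return sorted(p["reponame"] for p in projects
                  if p.get("username") == org and p.get("vcs_type", "github") == "github")


def deploy_key_fingerprints(listing: Dict[str, Any]) -> List[str]:
    """Only type == "deploy-key" is rotated; user keys are left untouched."""
    return [k["fingerprint"] for k in listing.get("items", []) if k.get("type") == "deploy-key"]


def rotate_project(request: Request, org: str, repo: str) -> Dict[str, Any]:
    base = f"/v2/project/gh/{org}/{repo}/checkout-key"
    old = deploy_key_fingerprints(request("GET", base))
    # Create the replacement first so the project never has zero deploy keys.
    created = request("POST", base, {"type": "deploy-key"})["fingerprint"]
    removed = []
    for fp in old:
        if fp != created:  # defensive: never delete the key just created
            request("DELETE", f"{base}/{fp}")
            removed.append(fp)
    return {"repo": repo, "created": created, "removed": removed}


def rotate_org(request: Request, org: str) -> List[Dict[str, Any]]:
    repos = org_github_repos(request("GET", "/v1.1/projects"), org)
    return [rotate_project(request, org, r) for r in repos]


def fake_circleci(projects: List[Dict[str, Any]], keys: Dict[str, List[Dict[str, str]]]) -> Request:
    """Constructed offline stand-in with the same call shape as circleci_request.
    `keys` maps repo -> checkout-key items and is mutated like the real service would."""
    counter = [0]

    def request(method: str, path: str, body: Dict[str, Any] = None) -> Any:
        if method == "GET" and path == "/v1.1/projects":
            return projects
        parts = path.split("/")  # ['', 'v2', 'project', 'gh', org, repo, 'checkout-key', fingerprint?]
        repo = parts[5]
        if method == "GET":
            return {"items": list(keys.get(repo, []))}
        if method == "POST":
            counter[0] += 1
            key = {"type": body["type"], "fingerprint": f"new:{counter[0]:02d}"}  # assumed format
            keys.setdefault(repo, []).append(key)
            return key
        if method == "DELETE":
            keys[repo] = [k for k in keys[repo] if k["fingerprint"] != parts[7]]
            return {"message": "OK"}
        raise ValueError(method)
    return request


if __name__ == "__main__":
    token = os.environ.get("CIRCLE_TOKEN")
    org = os.environ.get("CIRCLE_ORG", "nanophate")
    if token:
        req = circleci_request(token)
    else:  # no token: run against constructed data so the flow can be seen offline
        req = fake_circleci(
            [{"username": org, "reponame": "api", "vcs_type": "github"}],
            {"api": [{"type": "deploy-key", "fingerprint": "aa:01"},
                     {"type": "user-key", "fingerprint": "uu:01"}]})
    for result in rotate_org(req, org):
        print(result)
```

With `CIRCLE_TOKEN` unset the script prints the rotation it would have performed against the constructed data; with it set it performs the real calls. The `fp != created` guard and the create-before-delete ordering are the two things to keep if you port this back to shell.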
If you would like to use a user key instead, change {"type":"deploy-key"}
to {"type":"user-key"}
in the "Create new deploy-key to project" step
(API: Create a new checkout key). Remember, however, that a user key carries the read/write access of the user who created it and can perform git operations with that access, not just the read-only checkout a deploy key allows. I would recommend switching a project to a user key manually from the project settings only when it is actually needed, rather than making it the default type for every key you rotate.