Rotating all of the Organization's Deploy Keys

Users sometimes would like to rotate their deploy keys, such as when there are new security changes in the company or simply as good security practice.

For CircleCI, the Build Deploy Key is important when retrieving the repository at the checkout phase, and keeping it secure is important.

The following is a script that you can run on your local computer to retrieve the repositories in the organization and rotate all of the keys.

  1. To rotate the keys, you need to retrieve all the repositories under the organization.
  • CircleCI API Reference
  • The following uses API v1.1 to get the followed projects. This is used because there is no v2 API alternative to this endpoint.
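  org=nanophate # Your organization
  # Pass the org name into jq with --arg; a shell variable is not expanded inside single quotes
  org_repos=$(curl -H "Circle-Token: ${CIRCLE_TOKEN}" | jq -r --arg org "${org}" '.[] | select(.username == $org) | .reponame')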
  2. The following will loop over each repo retrieved from the followed projects, delete the existing deploy keys and add a new one.
echo "${org_repos}" | while read -r repo; do
  # GET deploy-key fingerprints from project (user keys are not selected)
  fingerprints=$(curl -fsS -H "Circle-Token: ${CIRCLE_TOKEN}" "${org}/${repo}/checkout-key" | jq -r '.items[] | select(.type == "deploy-key") | .fingerprint')
  # Delete deploy-key from project
  echo "${fingerprints}" | while read -r fingerprint; do
    # Skip the empty line produced when the project has no deploy key
    [ -n "${fingerprint}" ] || continue
    curl -fsS -X DELETE -H "Circle-Token: ${CIRCLE_TOKEN}" "${org}/${repo}/checkout-key/${fingerprint}"
  done
  # Create new deploy-key to project
  curl -fsS -X POST -H "Circle-Token: ${CIRCLE_TOKEN}" -H "content-type: application/json" -d '{"type":"deploy-key"}' "${org}/${repo}/checkout-key"
done

If you would like to enable a User Key, you should change {"type":"deploy-key"} to {"type":"user-key"} in the "# Create new deploy-key to project" step. (API: Create a new checkout key) However, please remember that this will enable read/write access like the user and perform git operations. I would recommend manually changing it to a user key from the project settings on an as-needed basis and not as the default setting of the key.
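
A way to confirm that a rotation actually replaced the deploy key, as an added example that is not part of the original post: it compares the checkout-key listing of one project before and after rotation. The function names and the JSON are constructed for illustration; it assumes `jq` is installed and that the listing has the `.items[].type` and `.items[].fingerprint` fields the script's filter reads.

```shell
#!/bin/sh
# Added example: offline check of a deploy-key rotation for one project.
# Function names are hypothetical; all JSON below is constructed sample data.

# Read a checkout-key listing on stdin, print deploy-key fingerprints only.
deploy_key_fingerprints() {
  jq -r '.items[] | select(.type == "deploy-key") | .fingerprint'
}

# rotation_ok BEFORE_JSON AFTER_JSON
# Succeeds only if a deploy key exists after rotation and none of the
# pre-rotation deploy-key fingerprints is still listed.
rotation_ok() {
  rk_before=$(printf '%s' "$1" | deploy_key_fingerprints)
  rk_after=$(printf '%s' "$2" | deploy_key_fingerprints)
  if [ -z "$rk_after" ]; then
    echo "no deploy key after rotation: checkout would fail" >&2
    return 1
  fi
  # Fingerprints contain no whitespace, so word splitting is safe here.
  for rk_fp in $rk_before; do
    if printf '%s\n' "$rk_after" | grep -Fxq -- "$rk_fp"; then
      echo "old deploy key still present: $rk_fp" >&2
      return 1
    fi
  done
  return 0
}

# Constructed listings: one deploy key and one user key before rotation.
BEFORE='{"items":[{"type":"deploy-key","fingerprint":"aa:aa:aa:aa"},
                  {"type":"user-key","fingerprint":"cc:cc:cc:cc"}]}'
# Rotated correctly: the old deploy key is gone, the user key is untouched.
AFTER_GOOD='{"items":[{"type":"deploy-key","fingerprint":"bb:bb:bb:bb"},
                      {"type":"user-key","fingerprint":"cc:cc:cc:cc"}]}'
# DELETE failed but POST succeeded: the old key is still valid.
AFTER_STALE='{"items":[{"type":"deploy-key","fingerprint":"aa:aa:aa:aa"},
                       {"type":"deploy-key","fingerprint":"bb:bb:bb:bb"}]}'
# DELETE succeeded but POST failed: no deploy key is left.
AFTER_NONE='{"items":[{"type":"user-key","fingerprint":"cc:cc:cc:cc"}]}'

rotation_ok "$BEFORE" "$AFTER_GOOD" && echo "rotation verified"
```

In a real run the two listings would be the checkout-key responses saved for each repo immediately before and after the loop body.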

What is the current life expectancy of the 1.1 API? The message "v1 APIs will be deprecated within the next year. We recommend switching to the v2 APIs." has been at the top of the API 1.1 docs for at least 6 months.