IBM Cloud Docs
How do I rotate the cluster API key in the event of a leak?

How do I rotate the cluster API key in the event of a leak?

Your cluster security has been compromised due to an exposed API key.

There can be many reasons why or how an API key leak occurs. After you rotate the key, plan to complete a thorough root cause analysis.

To resolve the issue, rotate your cluster credentials.

  1. Use your cluster ID to find the IAM service ID for your cluster. Make a note of the service ID that begins with cluster-CLUSTERID.

    ibmcloud iam service-ids | grep CLUSTER-ID
    

    Example output

    ServiceId-bc8cebd4-491e-4582-9a75-e93938004f79     cluster-ck0a5faw0bm3lnln95lg   ... ...
    
  2. Find the API keys associated with the service ID that you found in the previous step. In the following example, the API key used for Container Registry is rotated.

    ibmcloud iam service-api-keys ServiceId-xxx-xxx
    Getting all API keys of xxx...
    OK
    ID                                            Name                           Description                                                          Created At              Last Updated            Locked
    ApiKey-79ed0b99-1ac9-4676-96be-8cbaa485fa74   cluster-ck9blho20n01rtorhqhg   API key created for cluster access to IBM Cloud Container Registry   2023-09-26T11:04+0000   2023-09-26T11:04+0000   false
    
  3. To generate a new key, delete the service API key.

    ibmcloud iam service-api-key-delete SERVICE_API_KEY_ID_OR_NAME SERVICE_ID_OR_NAME
    
  4. Run the ibmcloud ks cluster pull-secret apply command. This command generates a new API key and updates the all-icr-io secret in the default namespace.

    ibmcloud ks cluster pull-secret apply --cluster CLUSTER
    
  5. Note that the new API key is generated immediately. However, the updated secret might take several minutes to populate.