Hello. I am an admin for our Japanese organization and we have a strict security policy that requires us to rotate our API client secrets every ninety days. Currently, we do this manually and it is very time-consuming because we have to update the secrets in all our third-party integrations and internal scripts. Is there a way to use a Data Action or the Platform API to automate the rotation and distribution of these secrets without causing downtime for our integrations?
This is exactly why you should be using Terraform for your configuration management. I am a DevOps engineer and I use the genesyscloud_oauth_client resource to manage our API keys. When the secret is rotated in Terraform, it can be automatically pushed to an AWS Secrets Manager or HashiCorp Vault. Your integrations then pull the latest secret from the vault instead of having it hard-coded. It is the only way to do it at scale without going crazy.
I maintain over fifty flows and I have seen many people try to automate this and fail because they forget to handle the token expiration during the rotation. If you rotate the secret while a script is in the middle of a process, it will crash. You must ensure that your integrations can handle a 401 Unauthorized error by fetching the new secret from the vault and retrying the request. It is a lot of extra logic to write but it is necessary for a zero-downtime architecture.
I manage our outbound campaigns and we had a massive outage last month because a secret rotated and our dialer script was not updated. If you are going to automate this, please make sure you have a robust alerting system in place. If the rotation fails or if an integration cannot pull the new secret, someone needs to be notified immediately. Do not just trust the automation to work perfectly every time!