Howto: Recreate API Keys on new server


(Lindsay Hill) #1

When you create a new API key, the key itself is only shown at creation time. After that, only the hash is stored in the database.

If you need to migrate to a new server, the normal process is to export the keys from the old server, and import them to the new one, using these commands:

# On old server
$ st2 apikey list -dy --show-secrets > apikeys.yaml
# Transfer the file to the new StackStorm instance, and load the keys from file:
$ st2 apikey load apikeys.yaml

But what if you don’t have access to the old server?

If you still have access to the API keys, you can create the hashes. Just run something like this:

vagrant@stackstorm:~$ curl -H "St2-Api-Key: MYAPIKEY" https://localhost/api/v1/actions -k
    "faultstring": "Unauthorized - ApiKey with key_hash=6f672a23e202830ad876f08d6325f2e9615efeac03c2e9e8ae4fe387d0bd30ef5883957d42a87c9f0c53b7cedf026853ac30aa6d9118b411a6ec414310f9d64a not found."

Replace MYAPIKEY with the real value.

Note the error message - this is the hash you need. Now you can create a new apikeys.yaml file that looks like this:

-   created_at: '2018-11-27:10:35.693587Z'
    enabled: true
    id: 599e236162edf80cd073d871
    key_hash: 6f672a23e202830ad876f08d6325f2e9615efeac03c2e9e8ae4fe387d0bd30ef5883957d42a87c9f0c53b7cedf026853ac30aa6d9118b411a6ec414310f9d64a
    metadata:
        used_by: lhill
    uid: api_key:6f672a23e202830ad876f08d6325f2e9615efeac03c2e9e8ae4fe387d0bd30ef5883957d42a87c9f0c53b7cedf026853ac30aa6d9118b411a6ec414310f9d64a
    user: st2admin

Load it with st2 apikey load apikeys.yaml. Done.

If you don’t have access to the API key, or the hashes from the original server, you’re out of luck: Create a new API key.
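The following is an added example, not part of the original post and not StackStorm code: it pulls the key_hash out of the "not found" error body and renders an apikeys.yaml entry in the layout shown above, rejecting anything that is not a 128-character hex hash. The function names, the sample response body and the placeholder id and timestamp are constructed for illustration, and the `metadata:` parent key for `used_by` is an assumption about the API key format.

```python
import json
import re

# 128 hex characters: the length of the key_hash shown in the post.
HASH_RE = re.compile(r"key_hash=([0-9a-f]{128})\b")

# Constructed sample of the error body returned for an unknown API key.
SAMPLE_BODY = (
    '{"faultstring": "Unauthorized - ApiKey with key_hash='
    + "ab" * 64
    + ' not found."}'
)


def extract_key_hash(response_body):
    """Return the key_hash quoted in an 'ApiKey ... not found' error body."""
    match = HASH_RE.search(response_body)
    if match is None:
        raise ValueError("no 128-character hex key_hash in response")
    return match.group(1)


def apikey_entry(key_hash, user, used_by, entry_id, created_at):
    """Render one list item in the layout of the apikeys.yaml in the post."""
    if not re.fullmatch(r"[0-9a-f]{128}", key_hash):
        raise ValueError("key_hash must be 128 lowercase hex characters")
    q = json.dumps  # JSON double-quoted strings are valid YAML scalars
    lines = [
        "-   created_at: " + q(created_at),
        "    enabled: true",
        "    id: " + q(entry_id),
        "    key_hash: " + q(key_hash),
        "    metadata:",  # assumed parent key for used_by
        "        used_by: " + q(used_by),
        "    uid: " + q("api_key:" + key_hash),
        "    user: " + q(user),
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    key_hash = extract_key_hash(SAMPLE_BODY)
    # Placeholder id and timestamp: substitute the values you want to load.
    print(apikey_entry(key_hash, "st2admin", "lhill",
                       "PLACEHOLDER_ID", "PLACEHOLDER_TIMESTAMP"), end="")
```

Only the hash ends up in the generated file, so apikeys.yaml built this way never contains the API key itself.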