obsidian/wiki/tech-patterns/runtime-credential-rotation-admin-panel.md
2026-04-29 16:53:34 +01:00

---
tags: [tech-patterns, auto-generated]
source: cinema-studio-pro-kling
created: 2026-04-29
---
# Runtime Credential Rotation with Admin Panel
## When to use
When you need to allow administrators to update time-sensitive API credentials (like monthly token rotation) without redeploying the application, and credentials must persist across server restarts.
## Prerequisites
- Application with admin user concept (authenticated via SSO like Azure AD)
- Backend environment file system (`.env` files)
- Admin users identified by email address in authentication system
- API that requires periodic credential rotation (e.g., monthly token refresh)
## Steps
1. Define admin users by adding their email addresses to the server's `.env` file:
```bash
echo "ADMIN_EMAILS=user@example.com,another@example.com" >> backend/.env.optical
```
(Use emails that match your SSO system, e.g., Azure AD login emails)
2. Create an admin panel endpoint that:
- Verifies the requesting user's email is in `ADMIN_EMAILS`
- Accepts new credential values (API key, secret, tokens)
- Updates the server's `.env` file directly
- Reloads/restarts the application service to apply changes
3. When deploying updates that might overwrite credentials:
```bash
git stash # Save local .env changes (real credentials)
git pull # Get latest from repository
git stash pop # Restore credentials
```
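Steps 1 and 2 in code, as an added example that is not part of the cinema-studio-pro-kling project: a small Python module that parses `ADMIN_EMAILS`, checks the requester, and rewrites the `.env` file in place. The function names, the `ROTATABLE_KEYS` allow-list and the whitespace-tolerant, case-insensitive email comparison are assumptions made here; the page only says the email must be in `ADMIN_EMAILS` and that the `.env` file is updated directly.

```python
"""Added example (hypothetical, not the project's own code): admin-gated
rotation of API credentials stored in a .env file."""
import os
import re
import tempfile
from pathlib import Path

# Only these keys may be rotated through the admin panel. Rejecting anything
# else stops an admin session from rewriting ADMIN_EMAILS or FRONTEND_URL
# via the same endpoint.
ROTATABLE_KEYS = frozenset({"API_KEY", "API_SECRET"})

_ENV_LINE = re.compile(r"^(?P<key>[A-Za-z_][A-Za-z0-9_]*)=(?P<value>.*)$")


def parse_admin_emails(raw: str) -> frozenset[str]:
    """Parse the comma-separated ADMIN_EMAILS value. Surrounding whitespace is
    stripped and addresses lower-cased (assumption: SSO emails are compared
    case-insensitively here)."""
    return frozenset(e.strip().lower() for e in raw.split(",") if e.strip())


def is_admin(email: str, admin_emails: frozenset[str]) -> bool:
    """Authorisation check the endpoint performs before touching credentials."""
    return email.strip().lower() in admin_emails


def validate_secret(value: str) -> None:
    """Reject values that would corrupt the file or smuggle in extra variables
    (a value containing a newline would become a second KEY=VALUE line)."""
    if not value or len(value) > 4096:
        raise ValueError("credential value has invalid length")
    if any(ch in value for ch in "\r\n\0"):
        raise ValueError("credential value must be a single line")


def rotate_credentials(env_path: Path, updates: dict[str, str]) -> dict[str, str]:
    """Rewrite env_path with the new values, preserving every other line
    (comments included). Returns the resulting key -> value mapping."""
    bad = set(updates) - ROTATABLE_KEYS
    if bad:
        raise PermissionError(f"keys not rotatable via admin panel: {sorted(bad)}")
    for value in updates.values():
        validate_secret(value)

    lines = env_path.read_text().splitlines() if env_path.exists() else []
    seen: set[str] = set()
    out: list[str] = []
    for line in lines:
        m = _ENV_LINE.match(line)
        if m and m.group("key") in updates:
            out.append(f"{m.group('key')}={updates[m.group('key')]}")
            seen.add(m.group("key"))
        else:
            out.append(line)
    for key, value in updates.items():
        if key not in seen:  # key was absent from the file: append it
            out.append(f"{key}={value}")

    # Write to a temp file in the same directory and atomically replace, so a
    # crash mid-write never leaves a half-written .env for the next restart.
    fd, tmp = tempfile.mkstemp(dir=env_path.parent, prefix=".env.")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write("\n".join(out) + "\n")
        os.chmod(tmp, 0o600)  # credentials: owner read/write only
        os.replace(tmp, env_path)
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise
    return {m.group("key"): m.group("value") for m in map(_ENV_LINE.match, out) if m}


def handle_rotation_request(requester_email: str, admin_emails_raw: str,
                            env_path: Path, updates: dict[str, str]) -> dict[str, str]:
    """What an HTTP handler would call: authorise first, then rotate.
    The service restart the page requires (systemd, docker, ...) is left to
    the caller; the new values are not live until it happens."""
    if not is_admin(requester_email, parse_admin_emails(admin_emails_raw)):
        raise PermissionError("requester is not an admin")
    return rotate_credentials(env_path, updates)
```

The allow-list and the single-line check are the two controls worth keeping whatever framework wraps this: without them the rotation endpoint is effectively a write-anything-to-`.env` primitive for whoever holds an admin session.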
## Key Configuration
```bash
# In backend/.env.optical (server-side only, not in git)
ADMIN_EMAILS=vadym.samoilenko@oliver.agency
API_KEY=<current-valid-key>
API_SECRET=<current-valid-secret>
```
Environment-specific configuration:
- **With Kling integration** (playground branch): `FRONTEND_URL=https://optical-prod.oliver.solutions/lux-studio`
- **Without Kling** (main branch): `FRONTEND_URL=https://ai-sandbox.oliver.solutions/lux-studio`
## Gotchas
- **Git conflicts on pull**: Always `stash` local `.env` changes before pulling, then `stash pop` after. Never commit real credentials to git.
- **Service restart required**: Changes to `.env` don't apply automatically; the backend service must be restarted (systemd, docker, etc.).
- **Email case sensitivity**: Ensure email addresses in `ADMIN_EMAILS` exactly match the SSO system's output (verify against the auth logs).
- **Multiple admins**: Use comma-separated list without spaces: `ADMIN_EMAILS=user1@example.com,user2@example.com`
## Source
Project: cinema-studio-pro-kling