In order to configure PagerDuty using Infrastructure as Code, we must use an Access Key. Regardless of it being a General Access or a User-scoped key, those are secrets and should follow general best practices.
One such practice is frequent-enough secret rotation. Unfortunately, there doesn’t seem to exist an API for the creation of such keys. This means the rotation has to rely on a human manually re-creating the secrets through the UI.
To make matters worse, PagerDuty doesn’t yet seem to support fine-grained access keys. (i.e. Team-scoped API key - Feature Requests - PagerDuty Connected) The unbounded blast radius of such a hypothetical leak makes us even more inclined to want to rotate it frequently.
In an ideal world, we could envision:
- One “admin”, heavily guarded API Key which would be used to create and rotate configuration / service API Keys
- Scoped (team / service) API Keys that can be used to configure services, but not create other Keys.
Note that it’d be acceptable to manually rotate the “admin” Key through the UI. By holding it to stricter safety protocols, we can balance the longer rotation intervals.
For the interim, is there a workaround?