
Revoke auth0 kubeconfig access token

Use this runbook if we make changes to the Auth0 authorisation process and require users to re-authenticate and use a new config to access the cluster.

1. Revoke existing tokens generated from GitHub

GitHub is used as an OIDC provider. Once you have logged in to GitHub, it issues an ID token (valid for 10 hours), which is a signed JWT containing your GitHub username and a list of the teams you are in.

To revoke the tokens you need MOJ organisation administrator access; if you are not a GitHub admin, ask someone in the team who is a GitHub admin to do it for you.

Once you have logged in as a MOJ GitHub organisation administrator, go to Settings, select Developer settings, then OAuth Apps, and search for “MOJ Cloud Platforms Auth0 (prod)”.

Click the “Revoke all user tokens” button. This forces users to re-authenticate to get a new token.

2. Recreate auth0_client.kubernetes

Follow the steps below to recreate auth0_client.kubernetes so that existing tokens and kubeconfigs no longer authorise users against the cluster.

1) Taint resources (terraform)

Go to cloud-platform-infrastructure/terraform/aws-accounts/cloud-platform-aws/vpc/eks directory and run

$ terraform workspace select live
$ terraform taint module.auth0.auth0_client.kubernetes

Check with terraform plan that the auth0 resource is going to be recreated and that the AWS EKS identity provider config will be associated with the new auth0 kubernetes client.

Apply changes if you are happy with them:

$ terraform apply

This will create a new auth0 kubernetes client and use the new client's details to associate the OIDC provider in the AWS EKS identity provider config.

Note: associating the OIDC provider takes around 35 minutes.
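Before running terraform apply, the plan can be checked mechanically rather than by eye. The script below is an added example, not part of the Cloud Platform runbook or repository; it reads the JSON form of the plan (terraform plan -out=tfplan && terraform show -json tfplan > plan.json, run in the eks directory) and confirms that module.auth0.auth0_client.kubernetes is replaced, that an aws_eks_identity_provider_config resource changes to pick up the new client, and that nothing else is destroyed. The identity provider config's module address is an assumption, so the check matches on resource type.

```python
"""Sanity-check a Terraform JSON plan before applying the auth0 client recreation."""
import json
import sys

# Address tainted in the runbook.
AUTH0_CLIENT = "module.auth0.auth0_client.kubernetes"
# Terraform AWS provider type that holds the EKS OIDC association; where it
# lives in this repo's modules is an assumption, so match on type, not address.
EKS_IDP_TYPE = "aws_eks_identity_provider_config"


def check_plan(plan: dict) -> list:
    """Return a list of problems with the plan; an empty list means it matches
    what the runbook expects: the auth0 client is replaced, the EKS identity
    provider config changes to pick up the new client, nothing else is destroyed."""
    problems = []
    client_actions = None
    idp_changed = False
    for rc in plan.get("resource_changes", []):
        actions = set(rc["change"]["actions"])
        if rc["address"] == AUTH0_CLIENT:
            client_actions = actions
        elif rc["type"] == EKS_IDP_TYPE:
            idp_changed = idp_changed or bool(actions - {"no-op"})
        elif "delete" in actions:
            problems.append(f"unexpected destroy of {rc['address']}")
    if client_actions != {"delete", "create"}:
        problems.append(f"{AUTH0_CLIENT} is not being recreated (actions: {client_actions})")
    if not idp_changed:
        problems.append(f"no {EKS_IDP_TYPE} change: new client would not be associated")
    return problems


# Constructed sample in the shape of `terraform show -json tfplan`; the
# identity provider config address is assumed.
SAMPLE_PLAN = {
    "resource_changes": [
        {"address": AUTH0_CLIENT, "type": "auth0_client",
         "change": {"actions": ["delete", "create"]}},
        {"address": "module.eks.aws_eks_identity_provider_config.oidc",
         "type": EKS_IDP_TYPE, "change": {"actions": ["delete", "create"]}},
        {"address": "module.eks.aws_eks_cluster.this", "type": "aws_eks_cluster",
         "change": {"actions": ["no-op"]}},
    ]
}

if __name__ == "__main__":
    # Usage: python check_plan.py plan.json  (falls back to the constructed sample)
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    issues = check_plan(plan)
    print("\n".join(issues) if issues else "plan matches runbook expectations")
    sys.exit(1 if issues else 0)
```

A non-zero exit means the plan does not look like a clean client recreation and should be inspected before applying.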

2) Apply changes within components (terraform)

Run terraform plan inside the cloud-platform-infrastructure/terraform/aws-accounts/cloud-platform-aws/vpc/eks/core/components directory to ensure the changes match the kuberos resource; if they do, apply them:

$ terraform workspace select live
$ terraform plan
$ terraform apply -target=module.kuberos

3) Verifying changes

To verify that the changes were successfully applied:

  • Authenticate to the cluster (following the user guide)

Ensure users are aware of the change. Point out that they will have to re-authenticate against the cluster after the change (following the user guide).

This page was last reviewed on 10 April 2024. It needs to be reviewed again on 10 July 2024 by the page owner #cloud-platform .