Issue
I want to follow security best practices for rotating my add-on's credentials but I am unsure how.
Resolution
To update your add-on manifest password and sso_salt, follow the steps in this article: https://devcenter.heroku.com/articles/add-on-manifest#updating-a-manifest.
If your add-on service adds config vars containing sensitive values (secrets, API keys, auth tokens, etc.) to customers’ apps, follow the steps in this article to rotate every sensitive config var value for every app that has installed your add-on: https://devcenter.heroku.com/articles/implementing-cred-rolls-as-an-add-on-partner.
If your add-on service processes application logs (i.e., declares syslog_drain in the requires section of the manifest), and your log drain URLs contain sensitive information (secrets, credentials, tokens, etc.), follow these steps to rotate log drain URLs:
- If your add-on uses the Platform API for Partners (https://devcenter.heroku.com/articles/platform-api-for-partners), use the Log Drain Update endpoint as described in this article: https://devcenter.heroku.com/articles/platform-api-reference#log-drain-update.
- If your add-on uses the Legacy App Info API (https://devcenter.heroku.com/articles/add-on-app-info), use the legacy Log Drain Update endpoint as described in this article: https://devcenter.heroku.com/articles/add-on-app-info#log-drain-update.
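Before calling either Log Drain Update endpoint, it helps to know which stored drain URLs actually carry a secret and what the replacement URL will be. The following is an added example, not Heroku's or the article's own code: it inventories drain URLs, produces a redacted copy for audit logs, and builds the rotated URL. The drain ids, sample URLs, and the sensitive query parameter names are constructed assumptions.

```python
import secrets
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Assumption: query parameter names this add-on uses to carry secrets.
SENSITIVE_PARAMS = {"token", "key", "api_key", "secret"}

# Constructed sample inventory: drain id -> drain URL as stored by the add-on.
SAMPLE_DRAINS = {
    "drain-1": "https://user:oldpass@logs.example.com:6514/ingest",
    "drain-2": "https://logs.example.com/ingest?token=abc123&source=app",
    "drain-3": "syslog+tls://logs.example.com:6514",
}

def secret_locations(url):
    """Return where a drain URL carries a secret: 'userinfo' and/or 'query:<name>'."""
    parts = urlsplit(url)
    found = ["userinfo"] if parts.password is not None else []
    for name, _ in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SENSITIVE_PARAMS:
            found.append("query:" + name)
    return found

def rewrite_secrets(url, value):
    """Replace every secret-bearing component of the URL with `value`."""
    parts = urlsplit(url)
    netloc = parts.netloc
    if parts.password is not None:
        userinfo, _, hostport = netloc.rpartition("@")
        user = userinfo.partition(":")[0]
        netloc = f"{user}:{value}@{hostport}"
    query = [(k, value if k.lower() in SENSITIVE_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit((parts.scheme, netloc, parts.path,
                       urlencode(query), parts.fragment))

def plan_rotation(drains):
    """Map drain id -> (redacted old URL, new URL) for drains that need rotating."""
    plan = {}
    for drain_id, url in drains.items():
        if secret_locations(url):
            new_url = rewrite_secrets(url, secrets.token_urlsafe(32))
            plan[drain_id] = (rewrite_secrets(url, "REDACTED"), new_url)
    return plan

if __name__ == "__main__":
    for drain_id, (old, _new) in plan_rotation(SAMPLE_DRAINS).items():
        # Log only the redacted form; the new URL is itself a secret.
        print(f"{drain_id}: rotate {old}")
```

The new URL from each plan entry is the value to submit through the Log Drain Update endpoint your add-on uses. Your log intake should accept the new secret before the update is sent and stop accepting the old one afterwards.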