Build a Secret Rotation Workflow with Orkes Conductor
This tutorial demonstrates how to build a workflow that automatically refreshes an expiring access token and updates a stored secret in Orkes Conductor. This approach is useful when your workflows call external APIs that require short-lived tokens. We utilize an HTTP task to fetch a new token and an Update Secret task to store it securely.
In this tutorial, you will:
- Retrieve a new token from an external API using an HTTP task.
- Securely update the stored secret using the Update Secret task.
- Schedule the workflow to run periodically so that tokens refresh automatically.
The secret rotation workflow
Before you begin, create the following secrets in Orkes Conductor.
- appKeyId — The permanent application key used to request a token.
- appKeySecret — The permanent application secret used to authenticate the token request.
- my_secret_holding_a_token — The secret that will hold the refreshed access token.
Step 1: Configure secrets in Orkes Conductor
- Go to Definitions > Secrets from the left navigation menu on your Conductor cluster.
- Select + Add secret.
- In Secret name, enter appKeyId, and in Secret value, enter the actual application key ID.
- Select Add.
Repeat the process to create two more secrets, appKeySecret and my_secret_holding_a_token.
Step 2: Create a workflow in Orkes Conductor
Create the workflow that retrieves a new token and updates the stored secret.
To create a workflow:
- Go to Definitions > Workflow from the left navigation menu on your Conductor cluster.
- Select + Define workflow.
- In the Code tab, paste the following code:
```json
{
  "name": "update_rotate_secrets_tracker_app",
  "description": "Workflow to retrieve and update secrets",
  "version": 1,
  "tasks": [
    {
      "name": "retrieve_token",
      "taskReferenceName": "retrieve_token",
      "inputParameters": {
        "uri": "<YOUR_TOKEN_API_ENDPOINT>",
        "method": "POST",
        "accept": "application/json",
        "contentType": "application/json",
        "body": {
          "keyId": "${workflow.secrets.appKeyId}",
          "keySecret": "${workflow.secrets.appKeySecret}"
        },
        "outputFilter": {
          "_secrets": {
            "token": "$${retrieve_token.output.response.body.token}"
          }
        }
      },
      "type": "HTTP"
    },
    {
      "name": "update_secret_task",
      "taskReferenceName": "update_secret_task_ref",
      "inputParameters": {
        "_secrets": {
          "secretKey": "my_secret_holding_a_token",
          "secretValue": "${retrieve_token.output._secrets.token}"
        }
      },
      "type": "UPDATE_SECRET"
    }
  ],
  "schemaVersion": 2
}
```
- Select Save > Confirm.
Replace <YOUR_TOKEN_API_ENDPOINT> with your actual API endpoint that issues an access token. If the endpoint is private or not publicly accessible, ensure that your Conductor cluster can reach it through the correct integration or proxy.
This workflow retrieves a new token from your API and automatically updates the stored secret. The HTTP task calls your token endpoint using credentials stored as secrets. The response is filtered with outputFilter to extract only the token value, which is placed under _secrets so that it is masked and stays hidden in task output and logs.
The Update Secret task uses this masked value to update the secret with the refreshed token securely.
Step 3: Create a schedule in Orkes Conductor
Configure a schedule to run the workflow at regular intervals, ensuring that tokens are automatically renewed before expiration.
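The following script is an added example and is not part of the Orkes Conductor documentation or product code. It builds the same workflow definition shown in Step 2 as a Python dictionary, runs a small pre-deploy lint over it (checking that the endpoint placeholder has been replaced, that the HTTP task's outputFilter masks the token under _secrets using the $$ form, and that the Update Secret task reads the masked path rather than the raw response), and produces a schedule payload for Step 3. The lint rules are this example's own, not a Conductor validator; the schedule field names (cronExpression, startWorkflowRequest), the six-field cron string and the example.invalid URL are assumptions and constructed values, not taken from the tutorial.

```python
import json
import re

# Placeholder exactly as it appears in the tutorial; must be replaced before deployment.
TOKEN_ENDPOINT_PLACEHOLDER = "<YOUR_TOKEN_API_ENDPOINT>"

# Matches the "$${...}" form the HTTP task's outputFilter uses in the tutorial.
DEFERRED_REF = re.compile(r"^\$\$\{[^}]+\}$")


def build_rotation_workflow(token_endpoint: str) -> dict:
    """Return the tutorial's workflow definition with the token endpoint filled in."""
    return {
        "name": "update_rotate_secrets_tracker_app",
        "description": "Workflow to retrieve and update secrets",
        "version": 1,
        "tasks": [
            {
                "name": "retrieve_token",
                "taskReferenceName": "retrieve_token",
                "inputParameters": {
                    "uri": token_endpoint,
                    "method": "POST",
                    "accept": "application/json",
                    "contentType": "application/json",
                    "body": {
                        "keyId": "${workflow.secrets.appKeyId}",
                        "keySecret": "${workflow.secrets.appKeySecret}",
                    },
                    "outputFilter": {
                        "_secrets": {"token": "$${retrieve_token.output.response.body.token}"}
                    },
                },
                "type": "HTTP",
            },
            {
                "name": "update_secret_task",
                "taskReferenceName": "update_secret_task_ref",
                "inputParameters": {
                    "_secrets": {
                        "secretKey": "my_secret_holding_a_token",
                        "secretValue": "${retrieve_token.output._secrets.token}",
                    }
                },
                "type": "UPDATE_SECRET",
            },
        ],
        "schemaVersion": 2,
    }


def lint_rotation_workflow(wf: dict) -> list:
    """Pre-deploy checks for the masking pattern the tutorial relies on.

    Returns human-readable problems; an empty list means the definition follows
    the pattern. These are the example's own checks, not a Conductor validator.
    """
    problems = []
    http_refs = []
    for task in wf.get("tasks", []):
        ref = task.get("taskReferenceName", "?")
        params = task.get("inputParameters", {})
        if task.get("type") == "HTTP":
            http_refs.append(ref)
            if params.get("uri") == TOKEN_ENDPOINT_PLACEHOLDER:
                problems.append(f"{ref}: uri is still the placeholder {TOKEN_ENDPOINT_PLACEHOLDER}")
            masked = params.get("outputFilter", {}).get("_secrets", {})
            if not masked:
                problems.append(f"{ref}: outputFilter has no _secrets block, so the token would not be masked")
            for key, expr in masked.items():
                if not DEFERRED_REF.match(str(expr)):
                    problems.append(f"{ref}: outputFilter._secrets.{key} should use the $${{...}} form")
        elif task.get("type") == "UPDATE_SECRET":
            secrets = params.get("_secrets")
            if not isinstance(secrets, dict):
                problems.append(f"{ref}: secretKey and secretValue must be nested under _secrets")
                continue
            value = str(secrets.get("secretValue", ""))
            if ".output.response." in value:
                problems.append(f"{ref}: secretValue reads the unmasked HTTP response; use <http_ref>.output._secrets.<name>")
            elif not any(f"${{{r}.output._secrets." in value for r in http_refs):
                problems.append(f"{ref}: secretValue does not reference a masked output of a preceding HTTP task")
    return problems


def build_schedule(wf: dict, cron_expression: str, schedule_name: str) -> dict:
    """Payload for a schedule that starts this workflow on a cron.

    Field names (cronExpression, startWorkflowRequest) are assumed from the
    Orkes scheduler API and are not taken from the tutorial.
    """
    return {
        "name": schedule_name,
        "cronExpression": cron_expression,
        "startWorkflowRequest": {"name": wf["name"], "version": wf["version"]},
    }


if __name__ == "__main__":
    wf = build_rotation_workflow("https://auth.example.invalid/oauth/token")  # constructed URL
    for problem in lint_rotation_workflow(wf):
        print("LINT:", problem)
    print(json.dumps(wf, indent=2))  # paste into Definitions > Workflow > Code tab
    # Constructed six-field cron (seconds first): every six hours.
    print(json.dumps(build_schedule(wf, "0 0 */6 * * ?", "rotate_token_every_6h"), indent=2))
```

Run the script, fix anything it prints as LINT, then paste the printed definition into the Code tab from Step 2; pick a cron interval shorter than the token lifetime so the secret is refreshed before the previous token expires.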
You have successfully built a workflow that automates secret rotation in Orkes Conductor.
By combining the HTTP and Update Secret tasks, your workflow can refresh access tokens and securely update stored secrets without manual intervention.
You can further extend this workflow by adding notification or monitoring steps to track token refresh status or errors.