Secret Revocation Service

Secret Revocation (secret-revocation) is a Runway-based workload/deployment that is a part of the Secret Revocation Service.

It runs the service in the API (default) mode and serves a number of API endpoints that the monolith uses to inform partner APIs of leaked tokens to revoke. When a token is received, the appropriate handler is identified, and a message is created and published to the corresponding Google PubSub topic. These messages are then picked up by the Worker workload, which sends the actual revocation requests to the partner APIs.

This service is currently used by the “Automatic Response to Leaked Secrets” feature and is maintained by the AST:Secret Detection team.

The source code repository for both services (API and Worker) is available here, and the Runway deployment configuration is located in:

Check the documentation for a high-level architecture.

More details about the end-to-end workflow can also be found here.

This service is deployed using Runway and its scaling is handled by Cloud Run and configured as part of Runway deployment (see documentation).

Both workloads are publicly accessible because each requires some external interaction, whether ingress or egress. They are deployed in the us-east1 region.

The service is deployed using Runway, and Runway ships with a built-in observability stack, in particular monitoring. Default Runway metrics for the service are available on the Runway Service Metrics dashboard.

New Service (AST:Secret Detection / on Runway)