Update API Secrets

Updates SSM Parameter Store with real API keys after initial CDK deployment.

When to Run

After first CDK deployment (parameters are created with placeholder values)
When rotating API keys
When setting up a new environment

Prerequisites

AWS CLI configured with orcha-prod profile
API keys ready (see Parameters Reference below)

Run

Interactive mode:

cd /home/volrath/code/orcha/infra
./scripts/update-secrets.sh

From environment variables:

export ORCHA_ANTHROPIC_API_KEY="your-anthropic-key"
export ORCHA_GOOGLE_GENAI_API_KEY="your-google-genai-key"
export ORCHA_GOOGLE_CLOUD_PROJECT="your-gcp-project"
export ORCHA_GOOGLE_DOCAI_PROCESSOR_ID="your-processor-id"
# ... set other variables as needed

./scripts/update-secrets.sh --from-env

Verify

aws ssm get-parameters-by-path --profile orcha-prod --region eu-central-1 \
  --path /v1-orcha/ --with-decryption --query 'Parameters[].[Name,Value]' --output table

Parameters Reference

Parameter	Service	Where to Get
`/v1-orcha/anthropic-api-key`	Anthropic Claude	console.anthropic.com -> API Keys
`/v1-orcha/google-genai-api-key`	Google Gemini	Google AI Studio -> API Keys
`/v1-orcha/google-cloud-project`	Google Cloud	Google Cloud Console -> Project ID
`/v1-orcha/google-docai-processor-id`	Google Document AI	Document AI Console -> Processor ID
`/v1-orcha/google-workload-identity-provider`	GCP Workload Identity	Output from `setup-gcp-federation.sh`
`/v1-orcha/google-service-account`	GCP Workload Identity	Output from `setup-gcp-federation.sh`
`/v1-orcha/outlook-client-id`	Microsoft OAuth	Azure Portal -> App Registrations
`/v1-orcha/outlook-client-secret`	Microsoft OAuth	Azure Portal -> App Registrations -> Certificates & secrets
`/v1-orcha/outlook-state-secret`	Internal	Generate with `openssl rand -base64 32`
`/v1-orcha/gmail-client-id`	Google OAuth	Google Cloud Console -> OAuth 2.0 Client IDs
`/v1-orcha/gmail-client-secret`	Google OAuth	Google Cloud Console -> OAuth 2.0 Client IDs
`/v1-orcha/gmail-state-secret`	Internal	Generate with `openssl rand -base64 32`
`/v1-orcha/gmail-pubsub-topic`	Google Pub/Sub	Google Cloud Console -> Pub/Sub -> Topics
`/v1-orcha/gmail-pubsub-subscription`	Google Pub/Sub	Google Cloud Console -> Pub/Sub -> Subscriptions
`/v1-orcha/cognito-google-client-id`	Google OAuth (Auth)	Google Cloud Console -> OAuth 2.0 Client IDs (Orcha Auth app)
`/v1-orcha/cognito-google-client-secret`	Google OAuth (Auth)	Google Cloud Console -> OAuth 2.0 Client IDs (Orcha Auth app)
`/v1-orcha/cognito-microsoft-client-id`	Microsoft OAuth (Auth)	Azure Portal -> App Registrations (Orcha Auth app)
`/v1-orcha/cognito-microsoft-client-secret`	Microsoft OAuth (Auth)	Azure Portal -> App Registrations (Orcha Auth app)
`/v1-orcha/integrations/maesn/api-key`	Maesn (DATEV)	Maesn dashboard -> API Keys
`/v1-orcha/integrations/maesn/api-key-sandbox`	Maesn (DATEV Sandbox)	Maesn dashboard -> API Keys (sandbox)

Notes

Parameters are stored as SecureString (encrypted with AWS KMS)
The account ID parameter (/v1-orcha/account-id) is auto-populated by CDK
Cognito parameters (cognito-user-pool-id, cognito-client-id, cognito-client-secret, cognito-domain) are auto-populated by CDK
The Cognito IdP parameters (cognito-google-*, cognito-microsoft-*) must be set manually from OAuth app setup
Database credentials are stored in Secrets Manager (/v1-orcha/db-credentials), not SSM
Application reads these at runtime via AWS SDK