Azure Integration Services Blog

Automate Secret Rotation in Key Vault

monojit18 (Microsoft)
Apr 05, 2022

Introduction

It has become standard to store secrets, keys and certificates in Azure Key Vault for all workloads on Azure: apps, data, ML, IoT and so on. Services such as Azure DevOps integrate easily with Key Vault, so pipelines can read secrets from the vault securely and map them into environment variables automatically. Alternatively, applications can use the Azure Key Vault REST API or the SDK for their language to read and manage secrets. For containers, the Secrets Store CSI driver for Key Vault is now the recommended approach.

Reading secrets from Key Vault is one side of it; managing their life cycle is even more important. Every secret stored in Key Vault should have a defined expiry, and that expiry should be neither too near (management overhead) nor too far (a leaked secret stays valid for longer). An expiry between one and two years is a reasonable default.
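Before enabling automation it is worth auditing what is already in the vault, because a secret with no expiry set never raises a near-expiry event at all. The following is an added example, not code from the post: it classifies every secret in the JSON shape returned by the Key Vault REST call `GET {vaultBaseUrl}/secrets?api-version=7.3` (a `value` array whose items carry `id` and `attributes.exp` as Unix epoch seconds). The 30-day window is the lead time Key Vault uses for the `SecretNearExpiry` event; the two-year ceiling follows the recommendation above. The sample response and the vault name `contoso-kv` are constructed for the example.

```python
"""Audit Key Vault secret expiry from a list-secrets response (added example)."""
from datetime import datetime, timedelta, timezone

NEAR_EXPIRY_LEAD = timedelta(days=30)      # Key Vault raises SecretNearExpiry this far ahead
MAX_LIFETIME = timedelta(days=2 * 365)     # upper bound recommended in the post


def secret_name(secret_id: str) -> str:
    """'https://kv.vault.azure.net/secrets/db-password[/version]' -> 'db-password'."""
    return secret_id.rstrip("/").rsplit("/secrets/", 1)[1].split("/", 1)[0]


def classify(item: dict, now: datetime) -> str:
    """Classify one item of the list-secrets response relative to 'now'."""
    attrs = item.get("attributes", {})
    if not attrs.get("enabled", True):
        return "disabled"
    exp = attrs.get("exp")
    if exp is None:
        return "no-expiry"        # no exp attribute: SecretNearExpiry will never fire
    expires = datetime.fromtimestamp(exp, tz=timezone.utc)   # exp is epoch seconds
    if expires <= now:
        return "expired"
    if expires - now <= NEAR_EXPIRY_LEAD:
        return "near-expiry"      # an event subscription would fire for this one
    if expires - now > MAX_LIFETIME:
        return "too-far"
    return "ok"


def audit(list_response: dict, now: datetime = None) -> dict:
    """Map secret name -> classification for a GET /secrets?api-version=7.3 response."""
    now = now or datetime.now(timezone.utc)
    return {secret_name(item["id"]): classify(item, now) for item in list_response["value"]}


# Constructed sample data: a frozen 'now' and a response in the REST API's shape.
SAMPLE_NOW = datetime(2022, 4, 5, tzinfo=timezone.utc)


def epoch(dt: datetime) -> int:
    return int(dt.timestamp())


SAMPLE_RESPONSE = {
    "value": [
        {"id": "https://contoso-kv.vault.azure.net/secrets/db-password",
         "attributes": {"enabled": True, "exp": epoch(SAMPLE_NOW + timedelta(days=10))}},
        {"id": "https://contoso-kv.vault.azure.net/secrets/api-key",
         "attributes": {"enabled": True}},
        {"id": "https://contoso-kv.vault.azure.net/secrets/legacy-token",
         "attributes": {"enabled": True, "exp": epoch(SAMPLE_NOW - timedelta(days=1))}},
        {"id": "https://contoso-kv.vault.azure.net/secrets/cert-pfx",
         "attributes": {"enabled": True, "exp": epoch(SAMPLE_NOW + timedelta(days=5 * 365))}},
        {"id": "https://contoso-kv.vault.azure.net/secrets/storage-sas",
         "attributes": {"enabled": True, "exp": epoch(SAMPLE_NOW + timedelta(days=400))}},
    ],
    "nextLink": None,
}

if __name__ == "__main__":
    for name, status in audit(SAMPLE_RESPONSE, SAMPLE_NOW).items():
        print(f"{name:14} {status}")
```

Feed it the real response (paging through `nextLink`) and fix the `no-expiry` entries first; those are invisible to the event-driven flow described below.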

For a small set of applications this is manageable: the operations team can create a new version of the secret with an extended expiry by hand. It becomes a challenge when many different applications must be managed, each with secrets, keys and certificates that expire on different dates. Automating the rotation is then imperative.

This post shows one easy way to achieve this with little or no code.

 

What are we going to Build?

 

  • Create a Key Vault on Azure

  • Add a few secrets; this post covers secrets only, but the same process works for keys and certificates as well

  • Integrate the Key Vault events with Azure Event Grid

  • Push the Event Grid events to a Logic App that calls the Azure Key Vault REST API to create and manage secrets

  • When a Key Vault event fires, the Logic App is triggered and updates the secret with a new version

 

Action

 

Create Resources

 

  • Create a Key Vault on Azure, or use an existing Key Vault

  • Add a few secrets to the Key Vault, each with an expiry date set; a secret without an expiry never raises the near-expiry event this flow depends on


  • Go to the Events section of the Key Vault resource

  • Select the Logic App option


  • This opens the Logic App Designer with the Event Grid connector

  • Follow the on-screen instructions to configure the Event Grid connector for the Logic App, then save it


  • This creates a Logic App resource in the portal; leave it as-is for now, it is configured later. The trigger shown here subscribes to the SecretNearExpiry event only; choose whichever event fits the requirement, for example SecretExpired. Key Vault raises SecretNearExpiry 30 days before the secret expires, which leaves time to rotate before consumers are affected, whereas SecretExpired fires only after the secret has lapsed. Do not subscribe this flow to SecretNewVersionCreated: the Logic App's own update raises that event, so handling it would rotate the secret again on every rotation

  • Create a system-assigned managed identity for the Logic App. This identity is used to grant the Logic App access to the Key Vault


  • Copy the Object ID of the managed identity

  • Select the Azure role assignments option on the same page (as shown above) and assign the Logic App a role on the Key Vault. The screenshot uses Key Vault Administrator; for this flow the narrower Key Vault Secrets Officer role, which can read and set secrets but not manage permissions, is sufficient

 

  • Go to the Access policies section of the Key Vault and grant access to the Object ID of the managed identity copied earlier. All options were selected here only for demonstration purposes; grant only what the application needs, which for this flow is Get and Set on secrets. Note that a vault uses either access policies or Azure RBAC as its permission model, not both: on a vault using the RBAC model the role assignment from the previous step is what applies and access policies are ignored, and the reverse holds on a vault using access policies


  • Go back to the Key Vault and view the Event Grid subscription that was created automatically

 

Configure Logic App

  • Now update the Logic App created earlier so that it receives Key Vault events and acts on them

  • Key Vault access and updates are done from the Logic App through the REST API

  • The relevant call is Key Vault Set Secret: PUT {vaultBaseUrl}/secrets/{secret-name}?api-version=7.3 with a JSON body carrying value and, optionally, attributes such as exp and nbf as Unix epoch seconds. Every call creates a new version of the secret

  • Add a Parse JSON action as below, using the Key Vault event schema, so that the fields of the trigger output can be referenced in later steps


  • Add a new HTTP action


  • Configure the HTTP action by modifying the highlighted parameters as shown below

  • Update the HTTP action as below. The name of the secret to rotate is part of the JSON delivered by the Event Grid trigger: it is the subject property of the event (the same name is also available as data.ObjectName), and data.Id carries the full URL of the expiring version


  • Add the new value for the secret in the Body section. Whatever value goes here is what consumers will read from Key Vault, so it must also be installed in the system that validates the secret (a database, an API) as part of the same flow; creating a new version in Key Vault on its own does not rotate the credential. Give the new version an exp attribute well beyond the 30-day near-expiry window, otherwise the new version raises SecretNearExpiry again straight away and the flow loops

  • Add the Authentication parameters and update as below: authentication type Managed identity, with audience https://vault.azure.net so that the token is issued for Key Vault
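To make the HTTP action's request explicit, here is the same rotation step written in Python as an added example; it is not code from the post and not the Logic App itself. It takes an event in the shape Key Vault publishes to Event Grid (secret name in `subject` and `data.ObjectName`, expiring version in `data.Id`, expiry in `data.EXP` as epoch seconds), ignores events this flow must not react to, and issues `PUT {vaultBaseUrl}/secrets/{name}?api-version=7.3` with a bearer token for audience `https://vault.azure.net`. Obtaining that token is left to the host (the managed identity in the post), so the sender is injected; `new_secret_value`, the `DemoVault` stand-in and the sample event for vault `contoso-kv` are constructed for the example.

```python
"""Rotate a Key Vault secret from a Key Vault Event Grid event (added example)."""
import json
import secrets
import urllib.request
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional

API_VERSION = "7.3"
HANDLED_EVENTS = {"Microsoft.KeyVault.SecretNearExpiry", "Microsoft.KeyVault.SecretExpired"}
NEAR_EXPIRY_LEAD = timedelta(days=30)   # Key Vault raises SecretNearExpiry this far before exp
DEFAULT_LIFETIME = timedelta(days=365)  # within the post's one-to-two-year recommendation


def new_secret_value() -> str:
    # Hypothetical generator. For a real credential this is where the new value is
    # issued by, or pushed to, the system that validates it (database, API, ...).
    return secrets.token_urlsafe(32)


def vault_base_url(data: dict) -> str:
    """'https://kv.vault.azure.net/secrets/name/version' -> 'https://kv.vault.azure.net'."""
    return data["Id"].split("/secrets/", 1)[0]


def build_set_secret_request(event: dict, token: str, now: Optional[datetime] = None,
                             lifetime: timedelta = DEFAULT_LIFETIME) -> Optional[dict]:
    """Translate one Event Grid event into a Set Secret request, or None to skip the event."""
    if event.get("eventType") not in HANDLED_EVENTS:
        return None   # SecretNewVersionCreated in particular: our own PUT raises it
    data = event["data"]
    if data.get("ObjectType") != "Secret":
        return None
    if lifetime <= NEAR_EXPIRY_LEAD:
        raise ValueError("new version would be near expiry at once and re-trigger the flow")
    now = now or datetime.now(timezone.utc)
    name = data.get("ObjectName") or event["subject"]   # both carry the secret name
    body = {"value": new_secret_value(),
            "attributes": {"nbf": int(now.timestamp()), "exp": int((now + lifetime).timestamp())}}
    return {"method": "PUT",
            "url": f"{vault_base_url(data)}/secrets/{name}?api-version={API_VERSION}",
            "headers": {"Authorization": f"Bearer {token}",   # audience https://vault.azure.net
                        "Content-Type": "application/json"},
            "body": json.dumps(body)}


def urllib_send(req: dict) -> dict:
    """Real sender using only the standard library (raises urllib.error.HTTPError on 4xx/5xx)."""
    http_req = urllib.request.Request(req["url"], data=req["body"].encode(),
                                      method=req["method"], headers=req["headers"])
    with urllib.request.urlopen(http_req, timeout=30) as resp:
        return {"status": resp.status, "json": json.load(resp)}


def rotate(event: dict, token: str, send: Callable[[dict], dict],
           now: Optional[datetime] = None) -> Optional[str]:
    """Rotate the secret named in the event; returns the new version id, or None if skipped."""
    req = build_set_secret_request(event, token, now)
    if req is None:
        return None
    resp = send(req)
    if resp["status"] != 200:
        raise RuntimeError(f"Set Secret failed: HTTP {resp['status']}")
    return resp["json"]["id"].rsplit("/", 1)[1]   # Set Secret returns the new version's bundle


class DemoVault:
    """Constructed stand-in for Key Vault: records the request, answers like Set Secret."""
    def __init__(self):
        self.requests, self.last_body = [], None

    def __call__(self, req: dict) -> dict:
        self.requests.append(req)
        self.last_body = json.loads(req["body"])
        new_id = req["url"].split("?", 1)[0] + "/ffff0000eeee1111"
        return {"status": 200, "json": {"id": new_id, "attributes": self.last_body["attributes"]}}


SAMPLE_NOW = datetime(2022, 4, 5, tzinfo=timezone.utc)
SAMPLE_EVENT = {   # constructed, in the Key Vault Event Grid schema
    "id": "00000000-0000-0000-0000-000000000001",
    "topic": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo"
             "/providers/Microsoft.KeyVault/vaults/contoso-kv",
    "subject": "db-password",
    "eventType": "Microsoft.KeyVault.SecretNearExpiry",
    "eventTime": "2022-04-05T00:00:00Z",
    "dataVersion": "1",
    "data": {"Id": "https://contoso-kv.vault.azure.net/secrets/db-password/aaaa1111bbbb2222",
             "VaultName": "contoso-kv", "ObjectType": "Secret", "ObjectName": "db-password",
             "Version": "aaaa1111bbbb2222", "NBF": 1617580800, "EXP": 1651708800},
}

if __name__ == "__main__":
    vault = DemoVault()
    print("new version:", rotate(SAMPLE_EVENT, "<token-for-https://vault.azure.net>", vault, SAMPLE_NOW))
    print("sent:", vault.requests[0]["method"], vault.requests[0]["url"])
```

The `eventType` filter is the detail most worth carrying over to the Logic App: if the event subscription is ever widened to all Key Vault events, the HTTP action's own PUT produces a `SecretNewVersionCreated` event that must not re-enter the flow.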


Test the flow

  • In the Azure portal, set the expiry of the selected secret to a time near the current time (within the 30-day window in which Key Vault raises SecretNearExpiry)

  • Come back to the Logic App resource and check for the successful run of the Logic App

 

  • Go to the Key Vault resource and check that a new version of the secret has been created, with the new value and the extended expiry


Updated Apr 05, 2022
Version 2.0