It has now become standard to store Secrets, Keys and Certificates in Azure Key Vault for all workloads on Azure - Apps, Data, ML, IoT etc. With services like Azure DevOps offering easy integration with Key Vault, applications can securely read secret values from Key Vault and have them assigned automatically to their environment variables. Alternatively, applications can use the Azure Key Vault REST API or the SDK for their language to read and manage Secrets in Key Vault. For Containers, using the CSI Storage driver for secrets from Key Vault is now the recommended approach.
Accessing Secrets from Key Vault is one side of it; managing their life cycle is even more important. Every Secret stored in Key Vault should have a defined expiry, and that expiry should be neither too near nor too far: near enough to keep the system secure, far enough to limit the management overhead. Ideally the expiry is between 1 and 2 years.
This is all fine for a small set of applications: the Operations team can always create a new version of the secret with an extended expiry. But it becomes a challenge when many different applications need to be managed, each with Secrets, Keys and Certificates that have different expiry dates. Automating the rotation of secrets is then imperative!
This document highlights one easy way to achieve this with a low-code or no-code approach.
What are we going to Build?
Create a Key Vault on Azure
Add a few Secrets; note that this document considers Secrets only, but the same process can be followed for Keys and Certificates as well!
Integrate the Key Vault events with Azure Event Grid
Push Event Grid events to a Logic App, which is designed to call the Azure Key Vault REST APIs to create and manage Secrets
When a Key Vault event fires, the Logic App is triggered and eventually updates the Key Vault Secret with a new version
Go to the Events section inside the Key Vault resource
Select the Logic App option
This opens the Logic App Designer with the Event Grid connector
Follow the on-screen instructions to configure the Event Grid connector for the Logic App, and then save it
This creates a Logic App resource in the portal; keep it as-is for now, we will configure it later. It has been configured for the SecretNearExpiry event only; choose the event appropriate for your requirement, e.g. SecretExpired
Create a system-assigned Managed Identity for the Logic App. This identity will be used to grant access to the Key Vault resource
Copy the Object ID of the Managed Identity
Select the Azure role assignments option on the same page (as shown above) and assign the Key Vault Administrator role to the Logic App
Go to the Access Policy section of the Key Vault and grant access to the Object ID of the Managed Identity copied earlier. Note that all options have been selected here only for demonstration purposes; select the most appropriate ones for the application
Go to the Azure Key Vault and view the Event Grid integration that has been created automatically
Configure Logic App
Let us now update the Logic App created earlier so that it can receive Key Vault events and act on them
Key Vault access and updates will be done through the REST APIs from the Logic App
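The REST call the Logic App ends up making, as an added Python example that is not part of this document or of any Azure SDK: it validates a SecretNearExpiry event in the Event Grid schema, then builds the Key Vault "Set Secret" request that creates a new secret version with a one-year expiry. The vault name, secret name and event values are constructed samples, the event data field names are assumed to follow the documented Event Grid Key Vault schema, and sending the request with a managed-identity bearer token is left to the Logic App's HTTP action.

```python
"""Prepare the Key Vault REST call that rotates a secret after a
SecretNearExpiry / SecretExpired Event Grid event (added example)."""
import secrets
import time

API_VERSION = "7.4"           # Key Vault data-plane REST API version
ROTATION_LIFETIME_DAYS = 365  # document recommends 1 to 2 years; use 1 year
ACCEPTED_EVENTS = ("Microsoft.KeyVault.SecretNearExpiry",
                   "Microsoft.KeyVault.SecretExpired")


def parse_near_expiry_event(event: dict) -> dict:
    """Validate an Event Grid event and return the secret's identity.
    Only secret expiry events about a Secret are accepted, so a rotation
    cannot be triggered by an unrelated or malformed event."""
    if event.get("eventType") not in ACCEPTED_EVENTS:
        raise ValueError(f"unexpected eventType: {event.get('eventType')}")
    data = event.get("data", {})
    if data.get("ObjectType") != "Secret":  # field names: Event Grid schema (assumed)
        raise ValueError("event is not about a Secret")
    return {"vault": data["VaultName"], "name": data["ObjectName"],
            "old_version": data.get("Version"), "old_exp": data.get("EXP")}


def build_rotation_request(event: dict, now_epoch: int) -> tuple:
    """Return (method, url, json_body) for the Key Vault 'Set Secret' call.
    PUT on /secrets/{name} creates a new version; old versions stay readable
    until disabled. The identity only needs Get/Set secret permissions."""
    info = parse_near_expiry_event(event)
    exp = now_epoch + ROTATION_LIFETIME_DAYS * 86400   # Unix epoch seconds
    url = (f"https://{info['vault']}.vault.azure.net/secrets/"
           f"{info['name']}?api-version={API_VERSION}")
    body = {
        "value": secrets.token_urlsafe(32),            # new random secret value
        "attributes": {"enabled": True, "exp": exp},   # defined expiry, not open-ended
        "tags": {"rotatedFromVersion": info["old_version"] or "unknown"},
    }
    return "PUT", url, body


# Constructed sample event (not a real vault or secret).
SAMPLE_EVENT = {
    "id": "00000000-0000-0000-0000-000000000000",
    "eventType": "Microsoft.KeyVault.SecretNearExpiry",
    "subject": "db-password",
    "data": {"VaultName": "example-kv", "ObjectType": "Secret",
             "ObjectName": "db-password", "Version": "abc123",
             "NBF": 1700000000, "EXP": 1731536000},
}

if __name__ == "__main__":
    method, url, body = build_rotation_request(SAMPLE_EVENT, int(time.time()))
    print(method, url, body["attributes"])
```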