It has now become a standard to store Secrets, Keys and Certificates into Azure KeyVault for all workloads on Azure - Apps, Data, ML, IoT etc. And with services like Azure DevOps having easy integration with KeyVault - applications can leverage this and securely read Secrets informations from KeyVault and then assign it automatically into their Environment Variables. Alternatively, applications can leverage Azure KeyVault REST API or SDK for respective languages and read, manage Secrets in keyVault. Whereas for Containers using for secrets from KeyVault is now the recommended approach.
While the accessing of Secrets from KeyVaults is one side of it; managing the life cycle of the same is even more important. Every Secret stored in KeyVault ideally should have a defined Expiry and that should not be too near or too far - to keep the System secured as well as reducing the management overhead. Ideal is to have an expiry between 1 year to 2 years.
Now, this is all fine for a set of Applications and Operations team can always go ahead and Create a new version of the secret with extended expiry. But this becomes a challenge when many different set of applications need to be managed and each having Secrets, Keys, Certificates with different expiry dates - an automation of the rotation of secret is imperative!
This document tries to highlight one easy way to achieve this with less or no coding approach.
Create a KeyVault on Azure
Add few Secrets; please note that this document considering Secrets only but same process can be followed for Keys and Certificates as well!
Integrate the KeyVault Events with Azure Event Grid
Push Event Grid Events to the Logic App - which is designed to call Azure KeyVault REST APIs to Create, Manage Secrets
Upon successful Trigger for KeyVault events, Logic App is triggered and eventually update the KeyVault Secret with New Version
on Azure or Use an existing KeyVault
Add few Secrets to the KeyVault
Go to the Events section inside the KeyVault resource
Select Logic App option
This will create a Logic App resource in the portal; keep it as-is for now and we would configure it later. This has been configured for SecretNearExpiry event only; choose the one appropriate as per requirement - viz. SecretExpired
Create a System-assigned Managed Identity for the Logic App. This identity will be used to provide access to the KeyVault resource
Copy the Object ID of the Managed Identity
Select the Azure role assignments option in the same page (as shown above) and provide Key Vault Administrator role to the Logic App
Let us now update the Logic App created earlier so that it can receive Key Vault events and act upon it
KeyVault access and update will be done through REST APIs from Logic App
Add an action - ParseJSON as below
Configure the Http Action by modifying the highlighted parameters as shown below
Update the Http Action as below; please note that the intended secret would be part of the JSON returned by Event Grid trigger and is retuned as a property names subject
Add the new value for the Secret in the Body section
Add Authentication parameters and update as below
Go to Azure Portal and make the selected Key expiry to something near current time
Come back to Azure Logic App resource and see the successful run of Logic App
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.