What is key rotation?
Key rotation is a widely used term to define scenario when you need to inject new passwords, secrets, or keys to your DevOps and Application configurations because your older Service accounts’ passwords, AAD App registrations’ secrets, or SAS keys are about to be expired.
Approach
- Send notifications to app owners and third parties about approaching credential expire.
- Generate new version of secrets, keys, or passwords and set them as active.
- Send notifications to app owners and third parties about the new versions of credentials available.
- Update DevOps configuration store and Key-vaults with the new credentials. You can overwrite or disable the older versions.
- Upcoming releases will automatically have the latest credentials and for the rest you’ll need to manually run release pipeline.
- Make sure you update new credentials in all applications and third parties before the older one expires. Hence its very important have sufficient time between “approaching credentials expiry” and “credentials expired” stages.
Implementation
For this key rotation strategy implementation, you can consider the following infrastructure setup as an example:
- All the credentials must be stored in a Key-vault with expiry dates.
- Near Expiry events must be enabled on the Key-vault.
- Release pipelines and applications must read all the credentials from the Key-vault and should not store them locally.
- Subscribe to “near expiry” events using event grid. Use logic app or function app to handle the events.
- Choose PowerShell function as the handler. This event handler will be the heart of your key-rotation. It can:
1) Notify to relevant people about expiry is approaching
2) Generate new secret for AAD App registration
New-AzADAppCredential -ObjectId $app.-ObjectId -Password $secretvalue -StartDate $NBF -EndDate $Expires
3) Add new version of the secret in the Key-vault
Set-AzKeyVaultSecret -VaultName $vaultName -Name $secretName -SecretValue $secretvalue -Expires $Expires -NotBefore $NBF
4) Disable the older version of the secret in the Key-vault
Update-AzKeyVaultSecret -VaultName $vaultName -Name $secretName -Version $oldSecret.Version -Enable 0
5) Update hardcoded secrets in your logic apps
$resourceGroupName = (Get-AzResource -ResourceId $la.Id).ResourceGroupName
$la.Parameters[‘APIM.ClientSecret’].Value = $secretvalue
Set-AzLogicApp -ResourceGroupName $resourceGroupName -Name $la.Name -Definition $la.Definition -Parameters $la.Parameters
Note: In my opinion multiple functions should be used to define this whole mechanism (ideally separate function for each task).
Conclusion
Basically the whole process of key-rotation is a collection of tasks under an orchestrator. These tasks are based on your specific scenario and the orchestrator is there to orderly automate those tasks for you. I have chosen to use Event Grid to manage the events and PowerShell Function App as an orchestrator, but you can choose anything right from Logic Apps to Azure Automation.
I hope these tips will help you to define your key-rotation implementation. Feel free to reach out if you have any questions.
Subscribe to our RSS feed