all Technical posts

Key Rotation in Azure Applications

In this article we will see a pragmatic approach to automatically rotate keys and secrets in Azure environments.

What is key rotation?

Key rotation is a widely used term to define scenario when you need to inject new passwords, secrets, or keys to your DevOps and Application configurations because your older Service accounts’ passwords, AAD App registrations’ secrets, or SAS keys are about to be expired.

Approach

  1. Send notifications to app owners and third parties about approaching credential expire.
  2. Generate new version of secrets, keys, or passwords and set them as active.
  3. Send notifications to app owners and third parties about the new versions of credentials available.
  4. Update DevOps configuration store and Key-vaults with the new credentials. You can overwrite or disable the older versions.
  5. Upcoming releases will automatically have the latest credentials and for the rest you’ll need to manually run release pipeline.
  6. Make sure you update new credentials in all applications and third parties before the older one expires. Hence its very important have sufficient time between “approaching credentials expiry” and “credentials expired” stages.

Implementation

For this key rotation strategy implementation, you can consider the following infrastructure setup as an example:

  • All the credentials must be stored in a Key-vault with expiry dates.
  • Near Expiry events must be enabled on the Key-vault.
  • Release pipelines and applications must read all the credentials from the Key-vault and should not store them locally.
  • Subscribe to “near expiry” events using event grid. Use logic app or function app to handle the events.
  • Choose PowerShell function as the handler. This event handler will be the heart of your key-rotation. It can:

1) Notify to relevant people about expiry is approaching

2) Generate new secret for AAD App registration

New-AzADAppCredential -ObjectId $app.-ObjectId -Password $secretvalue -StartDate $NBF -EndDate $Expires

3) Add new version of the secret in the Key-vault

Set-AzKeyVaultSecret -VaultName $vaultName -Name $secretName -SecretValue $secretvalue -Expires $Expires -NotBefore $NBF

4) Disable the older version of the secret in the Key-vault

Update-AzKeyVaultSecret -VaultName $vaultName -Name $secretName -Version $oldSecret.Version -Enable 0

5) Update hardcoded secrets in your logic apps

$resourceGroupName = (Get-AzResource -ResourceId $la.Id).ResourceGroupName
$la.Parameters[‘APIM.ClientSecret’].Value = $secretvalue
Set-AzLogicApp -ResourceGroupName $resourceGroupName -Name $la.Name -Definition $la.Definition -Parameters $la.Parameters

Note: In my opinion multiple functions should be used to define this whole mechanism (ideally separate function for each task).

Conclusion

Basically the whole process of key-rotation is a collection of tasks under an orchestrator. These tasks are based on your specific scenario and the orchestrator is there to orderly automate those tasks for you. I have chosen to use Event Grid to manage the events and PowerShell Function App as an orchestrator, but you can choose anything right from Logic Apps to Azure Automation.

I hope these tips will help you to define your key-rotation implementation. Feel free to reach out if you have any questions.

 

Subscribe to our RSS feed

Thanks, we've sent the link to your inbox

Invalid email address

Submit

You will receive the White Paper in your mailbox. Don’t hesitate to contact us for more information.

Stay in Touch - Subscribe to Our Newsletter

Keep up to date with industry trends, events and the latest customer stories

Invalid email address

Submit

Great you’re on the list!