Configuring Key rotation


In this tutorial we look at how to automate the periodic rotation of secrets for databases and services that use two sets of authentication credentials, and how to build account key rotation functions. Specifically, the tutorial uses a function, invoked by an Azure Event Grid notification, to rotate Azure Storage account keys that are stored in Azure Key Vault as secrets.

[Image: Azure Key Vault storage account key rotation. Image Source: Microsoft]

In this approach, Azure Key Vault stores the individual Storage Account access keys as versions of the same secret, alternating between the primary and secondary key in successive versions. Because only one of the two access keys is stored in the latest version of the secret, the rotation regenerates the alternate key and adds it to Key Vault as a new version of the secret. The key held by the previous version is left untouched during that rotation, so applications have the whole rotation cycle to refresh to the most recently regenerated key while the one they currently hold keeps working.

Prerequisites
  • An Azure subscription.
  • An Azure Key Vault.
  • Two Azure Storage Accounts.

If you don't have an existing key vault and storage accounts, you can create them with the Azure template deployment link:

  • First, under Resource group, select Create new, name the group akvrotation and click Ok.
  • Second, select Review+Create.
  • Third, select Create.

Now you have a key vault and two storage accounts. You can verify this setup in the Azure CLI by running:

Azure CLI

az resource list -o table -g akvrotation

The output will look like this (the Status column is empty for these resource types):

Console

Name                 ResourceGroup    Location    Type                               Status
-------------------  ---------------  ----------  ---------------------------------  --------
akvrotation-kv       akvrotation      eastus      Microsoft.KeyVault/vaults
akvrotationstorage   akvrotation      eastus      Microsoft.Storage/storageAccounts
akvrotationstorage2  akvrotation      eastus      Microsoft.Storage/storageAccounts

Creating and deploying storage account key rotation function

Next, create a function app with a system-assigned managed identity, together with the other required components, and deploy the storage account key rotation functions.

The rotation functions in the function app require these components and configuration:

  • An Azure App Service plan
  • A storage account, used by the function app for trigger management
  • An access policy granting the function app access to secrets in Key Vault
  • The Storage Account Key Operator Service Role assigned to the function app, so it can list and regenerate the Storage Account access keys (this role covers exactly those operations, so there is no need for a broader role such as Contributor)
  • The storage account key rotation functions, with an Event Grid trigger and an HTTP trigger (for on-demand rotation)
  • An Event Grid event subscription for the SecretNearExpiry event

To deploy them:

  1. Select the Azure template deployment link.
  2. In the Resource group list, select akvrotation.
  3. In the Storage Account Name, type the name of the storage account whose access keys should be rotated.
  4. In the Key Vault Name, type the key vault name.
  5. In the Function App Name, type the function app name.
  6. In the Secret Name, type the secret name under which the access keys will be stored.
  7. In the Repo Url, type the GitHub location of the function code (https://github.com/jlichwa/KeyVault-Rotation-StorageAccountKey-PowerShell.git).
  8. Select Review+Create.
  9. Select Create.

After completing the preceding steps, you will have a storage account for the function app's own use, a server farm (the App Service plan), a function app and an Application Insights instance.


Adding Storage Account access key to Key Vault

  • First, set an access policy that grants your own user account permission to manage secrets (the function app receives its own access policy from the template):

Azure CLI

az keyvault set-policy --upn <email-address-of-user> --name akvrotation-kv --secret-permissions set delete get list

Now you can create a new secret whose value is a Storage Account access key. Besides the key value, you need the Storage Account resource ID, the secret validity period and the ID of the key (key1 or key2) to record on the secret, so that the rotation function knows which account to act on and which key to regenerate.

  • Retrieve the Storage Account resource ID; the value is in the id property of the output:

Azure CLI

az storage account show -n akvrotationstorage

  • List the Storage Account access keys to retrieve the key values:

Azure CLI

az storage account keys list -n akvrotationstorage 

  • Populate the retrieved values for key1Value and storageAccountResourceId. The first line is PowerShell: it computes a UTC timestamp one day ahead in the ISO 8601 form that --expires expects (the original "yyy-MM-ddThh:mm:ssZ" pattern used a 12-hour clock and local time, which produces a wrong timestamp). The az command runs in the same PowerShell session:

Azure CLI (PowerShell session)

$tomorrowDate = (Get-Date).ToUniversalTime().AddDays(1).ToString("yyyy-MM-ddTHH:mm:ssZ")

az keyvault secret set --name storageKey --vault-name akvrotation-kv --value <key1Value> --tags "CredentialId=key1" "ProviderAddress=<storageAccountResourceId>" "ValidityPeriodDays=60" --expires $tomorrowDate

Creating the secret with an expiry of only one day puts it inside Key Vault's 30-day near-expiry window, so a SecretNearExpiry event is published within a few minutes and triggers the function to rotate the secret. The tags drive that rotation: CredentialId records which key (key1 or key2) the version holds, ProviderAddress identifies the storage account, and ValidityPeriodDays sets the expiry of each rotated version. You can then verify that the access keys were regenerated by retrieving the Storage Account keys and the Key Vault secret versions and comparing them.
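The alternating-key scheme described at the start of this tutorial and the verification step just above, as an added example that is not code from this page or from the jlichwa PowerShell function: a Python simulation in which FakeStorageAccount and FakeKeyVault are assumed stand-ins for the Azure Storage and Key Vault APIs, T0 is a fixed clock, key values are random tokens rather than real account keys, and the resource ID uses an all-zero subscription. It seeds the secret the way the az keyvault secret set command above does (CredentialId, ProviderAddress and ValidityPeriodDays tags, one-day expiry), delivers the near-expiry event, regenerates the alternate key, and then runs the comparison the tutorial asks for: the latest version and the one before it must both match live keys, while a version two rotations back no longer does.

```python
# Added example, not code from the page or from the
# jlichwa/KeyVault-Rotation-StorageAccountKey-PowerShell repo: an offline simulation of
# the alternating-key rotation. FakeStorageAccount and FakeKeyVault are assumed stand-ins
# for the Azure Storage and Key Vault APIs; key values are random tokens, not real keys.
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

NEAR_EXPIRY_WINDOW = timedelta(days=30)  # Key Vault raises SecretNearExpiry 30 days early
T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)  # fixed clock for repeatable runs

@dataclass
class SecretVersion:
    value: str
    tags: dict
    expires: datetime

class FakeStorageAccount:
    """Constructed stand-in for a Storage account with its two access keys."""
    def __init__(self, resource_id):
        self.resource_id = resource_id
        self.keys = {"key1": secrets.token_urlsafe(32), "key2": secrets.token_urlsafe(32)}

    def regenerate_key(self, key_name):
        """Equivalent of `az storage account keys renew --key key1|key2`."""
        self.keys[key_name] = secrets.token_urlsafe(32)
        return self.keys[key_name]

class FakeKeyVault:
    """Constructed stand-in for Key Vault: each secret is a list of versions, newest last."""
    def __init__(self):
        self.secrets = {}

    def set_secret(self, name, value, tags, expires):
        self.secrets.setdefault(name, []).append(SecretVersion(value, dict(tags), expires))

    def latest(self, name):
        return self.secrets[name][-1]

def seed_secret(vault, account, secret_name, key_name, validity_days, expires):
    """Same shape as the `az keyvault secret set ... --tags ... --expires` step above."""
    tags = {"CredentialId": key_name, "ProviderAddress": account.resource_id,
            "ValidityPeriodDays": str(validity_days)}
    vault.set_secret(secret_name, account.keys[key_name], tags, expires)

def near_expiry(version, now):
    """True when Key Vault would publish SecretNearExpiry for this version."""
    return version.expires - now <= NEAR_EXPIRY_WINDOW

def alternate_key(credential_id):
    """The key to regenerate is always the one NOT held by the latest version."""
    return "key2" if credential_id == "key1" else "key1"

def rotate_secret(vault, storage_accounts, secret_name, now):
    """Handle a SecretNearExpiry notification: read which key and account the latest
    version names, regenerate the other key, store it as a new version with a fresh
    expiry. Looking the account up by ProviderAddress lets one handler serve many accounts."""
    current = vault.latest(secret_name)
    account = storage_accounts[current.tags["ProviderAddress"]]
    new_key_name = alternate_key(current.tags["CredentialId"])
    new_value = account.regenerate_key(new_key_name)
    validity = timedelta(days=int(current.tags["ValidityPeriodDays"]))
    new_tags = {**current.tags, "CredentialId": new_key_name}
    vault.set_secret(secret_name, new_value, new_tags, now + validity)
    return new_key_name

def verify_rotation(vault, storage_accounts, secret_name):
    """The check the tutorial asks for: compare secret versions with the live keys. The
    latest version must equal the key it names, and the version before it must still be
    valid (its key was not touched), so clients that have not refreshed yet keep working."""
    for version in vault.secrets[secret_name][-2:]:
        account = storage_accounts[version.tags["ProviderAddress"]]
        if account.keys[version.tags["CredentialId"]] != version.value:
            return False
    return True

def run_cycle(rotations=2, start=T0):
    """Seed a secret that expires tomorrow (as the tutorial does), deliver `rotations`
    near-expiry events 31 days apart, and report what happened."""
    rid = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
           "akvrotation/providers/Microsoft.Storage/storageAccounts/akvrotationstorage")
    account, vault, now = FakeStorageAccount(rid), FakeKeyVault(), start
    accounts = {rid: account}
    seed_secret(vault, account, "storageKey", "key1", 60, now + timedelta(days=1))
    verified = []
    for _ in range(rotations):
        if near_expiry(vault.latest("storageKey"), now):
            rotate_secret(vault, accounts, "storageKey", now)
        verified.append(verify_rotation(vault, accounts, "storageKey"))
        now += timedelta(days=31)  # 60-day validity minus the 30-day window, plus a day
    versions = vault.secrets["storageKey"]
    oldest = versions[0]
    return {
        "credential_ids": [v.tags["CredentialId"] for v in versions],
        "all_verified": all(verified),
        # two rotations back the stored key has been regenerated: refresh within one cycle
        "oldest_still_valid": account.keys[oldest.tags["CredentialId"]] == oldest.value,
    }
```

Calling run_cycle() returns credential_ids of ["key1", "key2", "key1"] with all_verified True and oldest_still_valid False: the alternation is visible in the tags, every rotation leaves the two newest versions usable, and the oldest_still_valid flag shows why clients must pick up the newest secret version within one rotation cycle, because the key they hold is regenerated at the rotation after next.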

Adding additional Storage Accounts for rotation

The same function app can be reused to rotate the keys of multiple Storage Accounts. Adding another Storage Account's keys to the existing function requires:

  • Assigning the Storage Account Key Operator Service Role to the function app for that Storage Account, so it can access its access keys
  • An Event Grid event subscription for the SecretNearExpiry event of the new secret

To add them:

  1. Select the Azure template deployment link.
  2. In the Resource group list, select akvrotation.
  3. In the Storage Account Name, type the name of the storage account whose access keys should be rotated.
  4. In the Key Vault Name, type the key vault name.
  5. In the Function App Name, type the name of the existing function app.
  6. In the Secret Name, type the secret name under which the access keys will be stored.
  7. Select Review+Create.
  8. Select Create.

Reference: Microsoft Documentation
