Concept - Azure Key Vault Life Cycle Management - Part 01
Azure Key Vault is a resource for storing and accessing secrets, keys and certificates. But what if a company needs to rotate these credentials? Azure Key Vault can enable key rotation and auditing, but this needs to be configured and is not a default feature. For these credentials, some specific value items can be used to build a lifecycle process.
In this first part, a concept solution is provided to detect the expiration date of a secret or key and to inform the IT department or the owner of that key.
Azure Key Vault (Preview)
This connector is available in the following products and regions:
| Service | Class | Regions |
| --- | --- | --- |
| Logic Apps | Standard | All Logic Apps regions except the following: Azure Government regions, Azure China regions |
| Flow | Premium | All Flow regions except the following: US Government (GCC) |
| PowerApps | Premium | All PowerApps regions except the following: US Government (GCC) |
Throttling Limits
| Name | Calls | Renewal Period |
| --- | --- | --- |
| API Calls per connection | 1000 | 60 seconds |
The Flow connects to the Azure Key Vault via the connector and collects the information needed to calculate the expiration date that has been set on the secret.
The trigger for this flow is a schedule that runs every day at midnight. Let's start building the flow:
Select 'Schedule' as the trigger and fill in the following fields:
1-2. Interval - Frequency: based on the selected frequency type, the interval can be set. In this example, a daily schedule is created by selecting the Day frequency with an interval of 1.
3. Timezone - in this example, the time zone UTC+01:00 is used for Belgium.
4. At these hours - the flow is triggered at midnight, which is 0 in this field.
The following actions are used in the flow:
- Connection to Azure Key Vault to get the information about the secrets in the Key Vault.
- Actions to calculate the days left before the expiration date.
- Send a notification on the number of days left.
Action - 0.2.Get Secrets
Before continuing with the flow, an app registration needs to be completed in the Azure portal. Go to 'Azure Active Directory', 'App registrations', 'New registration'.
Click add new registration
API Permissions
Register the application and create a secret: go to 'Certificates & secrets' and create a client secret. After storing the client secret in a safe place, building the flow can continue. Search for the 'Azure Key Vault' connector and select the 'List Secrets' action.
Select 'Connect with service principal'
1. Enter a connection name for this connector
2. Enter the name of the Key Vault in Azure. In this example, 'Cloud02KeyVault' has been used.
3 - 4 - 5. The Azure IDs for this connection can be found in the App registration overview:
When the connection with the Key Vault in Azure has been established, the connector is shown as follows in the flow:
Action - 0.3.Check Days
In this Apply to each action, the days left before the expiration date are calculated for every secret found in the Key Vault. The value iterated over is the result of the step '0.2.Get Secrets', which contains all the information about the secrets.
Action - 0.3.1.EndTime
Compose action that collects the secret end time (in this example, we assume that there is always an expiration time defined for each secret).
Action - 0.3.2.Today
Get the current date and time by using the Date Time action.
Action - 0.3.3.TicksToday
In the next two steps, a conversion is needed to determine the difference between the current time and the expiration time. This is accomplished by converting both times to a number of ticks (100-nanosecond intervals), so that the two values can be subtracted.
Expression: ticks(body('0.3.2.Today'))
Action - 0.3.4.TicksEndTime
Expression: ticks(outputs('0.3.1.EndTime'))
Action - 0.3.5.DivDays
In this Compose action, a calculation is done to get the number of days between the current date and the expiration date.
Expression: div(sub(outputs('0.3.4.TicksEndTime'),outputs('0.3.3.TicksToday')),864000000000)
The result is the number of days left between the current day and the expiration time.
Action - 0.3.6.Check WARNING Lvl
In this example, a WARNING message is sent via email when the day difference is between 16 and 30 days. If it is lower than 16 days, a CRITICAL message is sent via email.
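To make the tick arithmetic of steps 0.3.3 to 0.3.5 and the threshold logic of step 0.3.6 concrete, here is an added Python example (not code from the original post or from Microsoft). It reproduces the ticks() conversion, the div(sub(...), 864000000000) day calculation with truncating division, and the WARNING/CRITICAL thresholds from the post, over a constructed sample of List Secrets records. The field name validityEndTime, the secret names, the dates and the NO_EXPIRY label for a secret without an expiration date are assumptions for illustration; the post itself assumes every secret has an end time set.

```python
from datetime import datetime, timezone
from typing import Optional

# .NET ticks: 100-nanosecond intervals since 0001-01-01T00:00:00 UTC,
# the unit produced by the Flow's ticks() expression.
TICKS_EPOCH = datetime(1, 1, 1, tzinfo=timezone.utc)
TICKS_PER_DAY = 864_000_000_000  # 86,400 s * 10,000,000 ticks/s, the divisor in 0.3.5.DivDays

# Thresholds from the post: 16-30 days -> WARNING, below 16 -> CRITICAL.
WARNING_MAX_DAYS = 30
CRITICAL_BELOW_DAYS = 16


def ticks(moment: datetime) -> int:
    """Equivalent of ticks(): whole 100-ns intervals since 0001-01-01 UTC."""
    if moment.tzinfo is None:  # treat naive datetimes as UTC
        moment = moment.replace(tzinfo=timezone.utc)
    delta = moment.astimezone(timezone.utc) - TICKS_EPOCH
    return (delta.days * 86_400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_end_time(value: str) -> datetime:
    """Parse an ISO 8601 end time such as '2024-03-11T00:00:00Z' (assumed connector format)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def div_trunc(a: int, b: int) -> int:
    """Integer division truncating toward zero, like the div() expression on integers."""
    q = abs(a) // abs(b)
    return q if (a >= 0) == (b > 0) else -q


def days_left(end_time: datetime, today: datetime) -> int:
    """Mirrors div(sub(outputs('0.3.4.TicksEndTime'), outputs('0.3.3.TicksToday')), 864000000000)."""
    return div_trunc(ticks(end_time) - ticks(today), TICKS_PER_DAY)


def severity(days: Optional[int]) -> str:
    """Classify the remaining days; expired secrets (negative days) fall under CRITICAL."""
    if days is None:
        return "NO_EXPIRY"  # added handling: no expiration date set (assumed label)
    if days < CRITICAL_BELOW_DAYS:
        return "CRITICAL"
    if days <= WARNING_MAX_DAYS:
        return "WARNING"
    return "OK"


def check_secrets(secrets, today: datetime):
    """Run the per-secret check that the Apply to each loop performs."""
    report = []
    for secret in secrets:
        end = secret.get("validityEndTime")
        days = days_left(parse_end_time(end), today) if end else None
        report.append({"name": secret["name"], "days_left": days, "severity": severity(days)})
    return report


# Constructed sample resembling List Secrets output (not real data).
SAMPLE_SECRETS = [
    {"name": "sql-connection-string", "validityEndTime": "2024-03-11T00:00:00Z"},
    {"name": "storage-account-key", "validityEndTime": "2024-03-25T12:00:00Z"},
    {"name": "smtp-password", "validityEndTime": "2024-06-01T00:00:00Z"},
    {"name": "legacy-api-token", "validityEndTime": "2024-02-20T00:00:00Z"},
    {"name": "no-expiry-secret"},
]
# Fixed "today" so the run is reproducible (the Flow would use the Date Time action).
SAMPLE_TODAY = datetime(2024, 3, 1, 0, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for row in check_secrets(SAMPLE_SECRETS, SAMPLE_TODAY):
        print(f"{row['severity']:9} {row['name']:24} days_left={row['days_left']}")
```

Running it prints one line per secret, e.g. CRITICAL for sql-connection-string (10 days) and WARNING for storage-account-key (24 days, since the half day is truncated just as div() does). Note that an already expired secret yields a negative day count and therefore also lands in CRITICAL, which is the behaviour the "lower than 16" rule in the Flow gives as well.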
The result of this concept is a kind of monitoring for the secrets in the Azure Key Vault, letting you build life cycle management for your secrets.
Upcoming parts:
- Adding an expiration date (Azure Automation) when none is defined.
- Approval process to check if a secret is still in use.
Did you like this post?! Please share it on Twitter, give some Kudos, or leave some feedback! 😁
Thanks for reading!
"List Secrets" step returns only 25 records. How can we overcome this issue and return all the secrets?