Manage Azure Access Keys rotation with Azure Key Vault & Logic Apps

Amine Charot
Jun 6, 2019

In my recent articles I kept repeating that we should never hard-code keys, and especially not access keys: they are what authenticates to a resource, so they must always be protected. Microsoft says we should avoid:

  • Distributing them;
  • HARD CODING THEM;
  • Saving them anywhere in plain text.

If you think a key has been compromised, regenerate it. Microsoft also recommends regenerating access keys periodically to keep resources secure. This operation may affect any application or Azure service that depends on the access key.

Keep in mind that when you regenerate an access key, the earlier one is removed.

If one or more applications depend on the access keys, they will go down the moment we regenerate a new access key. Why? I just told you :D

The question now is: how can we ensure that our applications stay up even when we regenerate an access key?

Take a look at the architecture below:

The idea is that instead of depending directly on the access keys, the applications depend on Azure Key Vault.

Azure Key Vault is responsible for managing the access keys: it persists them, and they must be kept up to date!

Your applications no longer need to persist your keys or secrets, but can request them from the vault as needed. A key vault allows you to update keys and secrets without affecting the behavior of your application, which opens up a breadth of possibilities for your key and secret management.

Ref: https://docs.microsoft.com/en-us/azure/key-vault/key-vault-key-rotation-log-monitoring

OK! But how can we automatically update the secrets in Azure Key Vault when we regenerate the access keys?

Azure*(Logic Apps + Key Vault) = Access Keys manager

The idea is simple. When we regenerate an access key, we trigger a Logic App, which runs a workflow that updates the secrets in Azure Key Vault.

Let’s implement this architecture!

Access control

Since we are using three components:

  • the Azure service that owns the access key (a Batch account in my case)
  • Azure Key Vault
  • Azure Logic Apps

we must let these components talk to each other. Using a managed identity, the Logic App must be allowed to put secrets into the Key Vault and to list the access keys of the Azure service.

First of all, go to your Logic App and create a managed identity.

Once that is done, grant this managed identity the right to put secrets in the Key Vault. Go to your Key Vault, click Access Policies and add it as below:

Then go to the Batch account and add the managed identity as Contributor:

Cool! Now our access control is ready. The three components are able to communicate with each other!

Azure Service Side

When we regenerate the access key of an Azure service (a Batch account in my case), we must be able to trigger the Logic App workflow. How? Easy: we use Azure Monitor alerts :D

First, go to the Batch account’s Alerts:

Then add a new alert rule. The condition must be:

The alert logic:

Cool! Now we must trigger the Logic App: in the action group, specify the Logic App:

The alert must look like this:

That’s all! The Logic App will be triggered once a regeneration event is caught in the activity log!

Azure Logic Apps Side

The Logic App is triggered once the access key regeneration is done, and it runs the following workflow:

The first step is the trigger: the workflow runs when it receives an HTTP request from the alert of the Azure service (the Batch account in my case).

I use the following schema:

The step must look like this:

The second step gets the resource name (the Batch account name in my case). I used the split function (available in Logic Apps) to extract it from the resourceId: splitting the ID on “/” puts the resource name at index 8.

Split function:

split(triggerBody()?['data']?['context']?['activityLog']?['resourceId'],'/')[8]

The third step is an HTTP request used to get the new access key. We send a POST request to:

https://management.azure.com/subscriptions/SUBSCRIPTIONID/resourceGroups/RGNAME/providers/Microsoft.Batch/batchAccounts/BATCHACCOUNTNAME/listKeys?api-version=2018-12-01

Don’t forget to set the authentication mode to Managed Identity.

The fourth step parses the output of the third step so it can be used in the last step.

Note: the schema depends on the resource. In my case it is a Batch account, which is why I use this one. You can find the response shape in the REST API documentation of the resource you use.

The last step updates the secret inside the Key Vault. It is a PUT request that we send to the Key Vault:

Again, don’t forget to use Managed Identity authentication. Also, the audience must be:

https://vault.azure.net

without any trailing slash.
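The five workflow steps above, carried through as plain Python so the whole flow can be read and run end to end. This is an added example, not the article’s Logic App definition and not Microsoft code. It assumes the alert body has the legacy activity-log shape the split() expression reads (data.context.activityLog.resourceId), that a regeneration appears in the activity log under the operation name Microsoft.Batch/batchAccounts/regenerateKeys/action, that the Batch listKeys response carries “primary” and “secondary” fields, and a Key Vault data-plane api-version of 7.4. HTTP calls go through an injected FakeAzure test double so it runs offline. It goes a little beyond the article by checking the operation name and status before rotating, and by writing both keys as separate secrets so an application can fall back to the secondary key during a rotation.

```python
"""Mirror of the access-key rotation workflow as plain Python (constructed example)."""
from typing import Any, Callable, Dict, List, Tuple

MGMT_BASE = "https://management.azure.com"
ARM_AUDIENCE = "https://management.azure.com/"   # token audience for ARM calls
KV_AUDIENCE = "https://vault.azure.net"          # Key Vault audience, no trailing slash
BATCH_API_VERSION = "2018-12-01"                 # the api-version in the listKeys URL above
KV_API_VERSION = "7.4"                           # assumption: Key Vault data-plane version

# Assumed activity-log operation name for "Regenerate Batch Account Keys".
REGENERATE_OP = "Microsoft.Batch/batchAccounts/regenerateKeys/action"


def parse_resource_id(resource_id: str) -> Dict[str, str]:
    """Same split as the Logic App expression: index 8 is the resource name.
    Also returns the subscription and resource group needed for listKeys."""
    parts = resource_id.split("/")
    # Segment casing in activity-log records is not guaranteed, so compare lower-case.
    if len(parts) < 9 or parts[1].lower() != "subscriptions" or parts[3].lower() != "resourcegroups":
        raise ValueError(f"unexpected resourceId: {resource_id!r}")
    return {"subscription": parts[2], "resource_group": parts[4],
            "provider": parts[6], "type": parts[7], "name": parts[8]}


def list_keys_url(rid: Dict[str, str]) -> str:
    """Step 3: the ARM listKeys endpoint for the account named in the alert."""
    return (f"{MGMT_BASE}/subscriptions/{rid['subscription']}"
            f"/resourceGroups/{rid['resource_group']}"
            f"/providers/{rid['provider']}/{rid['type']}/{rid['name']}"
            f"/listKeys?api-version={BATCH_API_VERSION}")


def secret_url(vault_name: str, secret_name: str) -> str:
    """Step 5: the Key Vault data-plane URL that the PUT goes to."""
    return f"https://{vault_name}.vault.azure.net/secrets/{secret_name}?api-version={KV_API_VERSION}"


def handle_alert(payload: Dict[str, Any], vault_name: str,
                 send: Callable[[str, str, str, Any], Dict[str, Any]]) -> Dict[str, str]:
    """Run the whole workflow for one alert payload.

    send(method, url, audience, body) performs an HTTP call authenticated with the
    managed identity for `audience`; it is injected so this function runs offline.
    Returns {secret_name: secret_url} for every secret that was written."""
    log = payload["data"]["context"]["activityLog"]
    # Act only on a successful regeneration, not on the Started record or other operations.
    if log.get("operationName") != REGENERATE_OP or log.get("status") != "Succeeded":
        return {}
    rid = parse_resource_id(log["resourceId"])
    keys = send("POST", list_keys_url(rid), ARM_AUDIENCE, None)   # step 3 + 4
    written: Dict[str, str] = {}
    for label in ("primary", "secondary"):                        # step 5, one secret per key
        name = f"{rid['name']}-{label}"                           # constructed naming scheme
        url = secret_url(vault_name, name)
        send("PUT", url, KV_AUDIENCE, {"value": keys[label]})
        written[name] = url
    return written


class FakeAzure:
    """In-memory stand-in for the ARM and Key Vault endpoints (constructed test double)."""

    def __init__(self) -> None:
        self.calls: List[Tuple[str, str, str, Any]] = []

    def __call__(self, method: str, url: str, audience: str, body: Any) -> Dict[str, Any]:
        self.calls.append((method, url, audience, body))
        if method == "POST" and url.endswith(f"/listKeys?api-version={BATCH_API_VERSION}"):
            # Shape of a Batch listKeys response: accountName, primary, secondary.
            return {"accountName": "demobatch", "primary": "PRIMARY-KEY-NEW",
                    "secondary": "SECONDARY-KEY"}
        if method == "PUT":
            return {"id": url.split("?")[0], "value": body["value"]}
        raise AssertionError(f"unexpected call {method} {url}")


# Constructed alert payload in the legacy activity-log shape the trigger expression reads.
SAMPLE_ALERT: Dict[str, Any] = {
    "schemaId": "Microsoft.Insights/activityLogs",
    "data": {"status": "Activated", "context": {"activityLog": {
        "operationName": REGENERATE_OP,
        "status": "Succeeded",
        "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000"
                      "/resourceGroups/rg-demo/providers/Microsoft.Batch/batchAccounts/demobatch",
    }}},
}

if __name__ == "__main__":
    fake = FakeAzure()
    for name, url in handle_alert(SAMPLE_ALERT, "kv-demo", fake).items():
        print(f"updated {name} at {url}")
```

In a real deployment the `send` callable would obtain a token from the managed identity endpoint for the given audience and attach it as a bearer header; the rest of the logic is exactly what the five Logic App steps do.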

That’s all! You now have an application that manages your access keys.

Putting it all together: DEMO

Let’s see how it works. First, we regenerate the primary key:

Now that we have the event (Regenerate Batch Account Keys), the Logic App must run its workflow to update the access key in the Key Vault.

Of course, the Key Vault secret must be updated:

Bella ciao,
