Azure Key Vault life cycle management – Part 1

The What?

Azure Key Vault is a resource for storing and accessing secrets, keys and certificates. But what if a company needs to rotate these credentials? Azure Key Vault can support key rotation and auditing, but this needs to be configured and is not enabled by default. For these credentials, a few specific attributes (such as the expiration date) can be used to build a life cycle process.

In this first part, a concept solution is presented that detects the expiration date of a secret or key and informs the IT department or the owner of that secret.

Azure Key Vault (Preview)

Service     Class      Regions
Logic Apps  Standard   All Logic Apps regions except the following:
                         –   Azure Government regions
                         –   Azure China regions
Flow        Premium    All Flow regions except the following:
                         –   US Government (GCC)
PowerApps   Premium    All PowerApps regions except the following:
                         –   US Government (GCC)

Throttling Limits

Name                       Calls   Renewal Period
API calls per connection   1000    60 seconds

The How-to:

The Flow connects to the Azure Key Vault via the connector and collects the information needed to calculate the number of days until the expiration date that has been set on each secret.

Trigger

The trigger for this flow is a schedule that runs every day at midnight. Let’s start building the flow:

Select ‘Schedule’ as the trigger and fill in the following fields:

1-2. Interval – Frequency: based on the selected frequency type, the interval can be set. In this example, a daily schedule is created by selecting the day type with an interval of 1.
3. Timezone – in this example the timezone UTC +01:00 is used for Belgium.
4. At these hours – the flow is triggered at midnight, which is the value 0 for this field.

Actions

Following actions will be used in the flow:

  •  Connection to Azure Key Vault to get the information about the secrets in the Key Vault.
  •  Actions to calculate the number of days left before the expiration date.
  •  Send a notification based on the number of days left.

Action – 0.2.Get Secrets

Before continuing with the flow, an app registration needs to be created in the Azure portal. Go to ‘Azure Active Directory’, ‘App Registrations’, ‘New registration’.

Click add new registration
API Permissions

Register the application and create a secret: go to ‘Certificates & secrets’ and create a client secret. Store the client secret in a safe place; it is shown only once, and it is a credential in its own right with its own expiration date, so it belongs in the same life cycle process as the secrets it is used to monitor. The service principal also needs access to the Key Vault itself (an access policy granting at least the List permission on secrets), otherwise the connector call is denied. Building the flow can now be continued: search for ‘Azure Key Vault’ and select the ‘List secrets’ action.

Select ‘Connect with service principal’

1. Enter a connection name for this connector.
2. Enter the name of the Key Vault in Azure. In this example, ‘Cloud02KeyVault’ has been used.
3 – 4 – 5. The IDs required for the remaining fields can be copied from the App registration overview; the client secret is the one saved in the previous step:

When the connection with the Key Vault in Azure has been established, the connector is shown as follows in the flow:

Action – 0.3.Check Days

In this Apply to each action, the days left before the expiration date are calculated for every secret found in the Key Vault. The input is the value output of step ‘0.2.Get Secrets’, which contains all the information about the secrets.

Action – 0.3.1.EndTime

Compose action that collects the secret’s end time (validity end time). In this example, we assume that an expiration time is always defined for each secret; a secret without one would break the calculation in the following steps.

Action – 0.3.2.Today

Get the current date and time by using the Date Time action.

Action – 0.3.3.TicksToday

In the next two steps, a conversion is needed to get the difference between the current time and the expiration time. The simplest way is to convert both timestamps to ticks (100-nanosecond intervals counted from 1 January 0001), so that one value can be subtracted from the other.

Expression: ticks(body('0.3.2.Today'))

Action – 0.3.4.TicksEndTime

Expression: ticks(outputs('0.3.1.EndTime'))

Action – 0.3.5.DivDays

In this Compose action, a calculation is done to get the number of days between the current date and the expiration date. One day is 24 × 60 × 60 × 10,000,000 = 864,000,000,000 ticks, which is the divisor in the expression.
Expression: div(sub(outputs('0.3.4.TicksEndTime'),outputs('0.3.3.TicksToday')),864000000000)

The result is the number of whole days left between the current day and the expiration time. A negative number means the secret has already expired.

Action – 0.3.6.Check WARNING Lvl

In this example, a WARNING message is sent via email when the day difference is between 16 and 30 days. If it is lower than 16 days, a CRITICAL message is sent via email.
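As an added example (not part of the original post), the following Python script reproduces the tick arithmetic and threshold logic of steps 0.3.1 to 0.3.6 offline against a constructed List Secrets payload, so the calculation can be checked before it is wired into the flow. The payload field names (value, validityEndTime), the fixed "today" and the sample secrets are assumptions; compare them against the connector's real output. Unlike the flow, the script also handles the case the post assumes away: a secret without an expiration date.

```python
from datetime import datetime, timezone
from typing import Dict, List, Optional

# .NET/Flow ticks are 100 ns intervals counted from 0001-01-01T00:00:00 UTC.
TICKS_PER_SECOND = 10_000_000
TICKS_PER_DAY = 24 * 60 * 60 * TICKS_PER_SECOND   # 864000000000, the divisor in 0.3.5.DivDays
DOTNET_EPOCH = datetime(1, 1, 1, tzinfo=timezone.utc)
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

# Thresholds from step 0.3.6: 16..30 days -> WARNING, below 16 -> CRITICAL.
WARNING_MAX_DAYS = 30
CRITICAL_BELOW_DAYS = 16

# Constructed "today" so the run is reproducible (the flow uses the current time).
TODAY = datetime(2020, 2, 1, tzinfo=timezone.utc)

# Constructed sample shaped like the connector's List Secrets output (assumed field names).
SAMPLE_SECRETS: Dict = {
    "value": [
        {"name": "sql-conn", "isEnabled": True, "validityEndTime": "2020-03-05T00:00:00Z"},
        {"name": "api-key", "isEnabled": True, "validityEndTime": "2020-02-20T12:00:00Z"},
        {"name": "legacy", "isEnabled": True, "validityEndTime": None},
        {"name": "old-cert-pw", "isEnabled": True, "validityEndTime": "2020-01-31T00:00:00Z"},
    ]
}


def ticks(dt: datetime) -> int:
    """Equivalent of the flow's ticks() expression (naive datetimes are treated as UTC)."""
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    delta = dt - DOTNET_EPOCH
    return (delta.days * 86400 + delta.seconds) * TICKS_PER_SECOND + delta.microseconds * 10


def days_left(end: datetime, today: datetime) -> int:
    """div(sub(ticksEndTime, ticksToday), 864000000000): whole days, truncated toward zero
    (assumed to match the flow's integer div(); a negative result means already expired)."""
    diff = ticks(end) - ticks(today)
    whole = abs(diff) // TICKS_PER_DAY
    return whole if diff >= 0 else -whole


def level(days: Optional[int]) -> str:
    """Classification from step 0.3.6, plus a NO-EXPIRY bucket the flow does not have."""
    if days is None:
        return "NO-EXPIRY"
    if days < CRITICAL_BELOW_DAYS:
        return "CRITICAL"
    if days <= WARNING_MAX_DAYS:
        return "WARNING"
    return "OK"


def parse_connector_time(value: str) -> datetime:
    """Connector timestamps are ISO 8601 with a trailing Z; fromisoformat wants +00:00."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_secrets(payload: Dict, today: datetime = TODAY) -> List[Dict]:
    """The Apply to each loop (0.3) as a function: one report row per secret."""
    report = []
    for secret in payload["value"]:
        end_raw = secret.get("validityEndTime")
        days = days_left(parse_connector_time(end_raw), today) if end_raw else None
        report.append({"name": secret["name"], "days_left": days, "level": level(days)})
    return report


if __name__ == "__main__":
    for row in check_secrets(SAMPLE_SECRETS):
        print(f"{row['level']:<9} {row['name']:<12} days_left={row['days_left']}")
```

With the constructed sample, sql-conn (33 days) is OK, api-key (19.5 days, truncated to 19) is WARNING, old-cert-pw (already expired, -1) is CRITICAL, and legacy is reported as NO-EXPIRY instead of breaking the loop as it would in the flow.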

The result of this concept is a basic form of monitoring for the secrets in the Azure Key Vault, which lets you build a life cycle management process for your secrets.

Upcoming parts:

  •  Adding an expiration date (Azure Automation) when none is defined.
  •  An approval process to check whether a secret is still in use.

Did you like this post? Share it on Twitter, give it a thumbs up; all feedback is welcome.

