KaizheZheng-1489 asked · JamesTran-MSFT edited

How to create a policy to force enabling of key rotation in Azure KV?

Hello community,

Are there any custom or built-in policies targeting the key rotation policy inside an Azure Key Vault? Since the rotation policy feature has been added lately, I suspect that there aren't any built-in policies yet. I'm trying to create a custom policy to force enabling the key rotation feature for new keys. In other words, the 'Enable auto rotation' button below should be ticked when creating a new key.

[screenshot: Key Vault 'Create a key' form with the 'Enable auto rotation' option]

But I haven't found the right mode. I think it should be Microsoft.KeyVault.Data, and for a similar policy, 'Key Vault keys should have an expiration date', the target is Microsoft.KeyVault.Data/vaults/keys/attributes.expiresOn, but what would it be for the key rotation feature?

Thanks and best regards!

azure-key-vault

@KaizheZheng-1489
Thank you for your post and I apologize for the delayed response!

When it comes to a custom or built-in policy specifically targeting the Enable Auto Rotation option, I wasn't able to find any documentation on this. But I did notice that the Rotation Policy was referred to as LifetimeActions or rotationPolicy within the JSON file and ARM Template, so you could try referencing that within your Azure Policy.
[screenshot: rotationPolicy / lifetimeActions block in the key's JSON view]

Additional Links:
Key Vault Built-in Policy Definitions


I've also reached out to our Key Vault engineering team to see if they can provide any additional insights on whether or not creating a custom policy to enforce key rotation is possible, since the Microsoft.KeyVault.Data mode is only allowed for use within built-in policy definitions.


If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.


Thanks a lot for your reply! I will try it out. Please keep me updated!


1 Answer

JamesTran-MSFT answered (1 Vote)

@KaizheZheng-1489
Thank you for your time and patience on this!

I received a response from our KV team, and since the AKV key auto-rotation feature is fairly new, it has yet to onboard to Azure Policy but is on the roadmap. Since there's currently no option to leverage Azure Policy for key rotation, I've created an internal feature request so our engineering team is aware of the demand for this feature.

Additional Link:
Azure User Voice Forum
How to configure automatic key rotation (preview) in Azure Key Vault


If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.


Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.
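Until Azure Policy can enforce this, the practical fallback is to audit the rotation policy of each existing key. The following is an added example, not code from this thread or from Microsoft: it classifies rotation-policy JSON of the shape the Key Vault API and `az keyvault key rotation-policy show` return (assumed: a `lifetimeActions` list whose entries carry `trigger` and `action.type` of `Rotate` or `Notify`, plus `attributes.expiryTime`), and the sample policies are constructed for the demonstration.

```python
import json

# Constructed sample policies keyed by key name (not real vault output).
SAMPLE_POLICIES = {
    "app-signing": json.loads('''{
        "lifetimeActions": [
            {"trigger": {"timeAfterCreate": "P90D"}, "action": {"type": "Rotate"}},
            {"trigger": {"timeBeforeExpiry": "P30D"}, "action": {"type": "Notify"}}],
        "attributes": {"expiryTime": "P2Y"}}'''),
    "legacy-notify-only": json.loads('''{
        "lifetimeActions": [
            {"trigger": {"timeBeforeExpiry": "P30D"}, "action": {"type": "Notify"}}],
        "attributes": {"expiryTime": "P1Y"}}'''),
    "no-policy": {},
    "rotate-before-expiry-no-expiry": json.loads('''{
        "lifetimeActions": [
            {"trigger": {"timeBeforeExpiry": "P30D"}, "action": {"type": "Rotate"}}],
        "attributes": {}}'''),
}


def rotation_status(policy):
    """Classify one key's rotation policy as (auto_rotate, trigger, reason)."""
    actions = policy.get("lifetimeActions") or []
    rotate = [a for a in actions
              if str((a.get("action") or {}).get("type", "")).lower() == "rotate"]
    if not rotate:
        return (False, None, "no Rotate lifetime action (Notify alone does not rotate)")
    trigger = rotate[0].get("trigger") or {}
    if trigger.get("timeAfterCreate"):
        return (True, ("timeAfterCreate", trigger["timeAfterCreate"]), "")
    if trigger.get("timeBeforeExpiry"):
        # A timeBeforeExpiry trigger can only fire if the key actually expires.
        if not (policy.get("attributes") or {}).get("expiryTime"):
            return (False, None, "timeBeforeExpiry trigger but no expiryTime set")
        return (True, ("timeBeforeExpiry", trigger["timeBeforeExpiry"]), "")
    return (False, None, "Rotate action without a trigger")


def noncompliant_keys(policies):
    """Sorted names of keys whose policy does not schedule automatic rotation."""
    return sorted(name for name, pol in policies.items()
                  if not rotation_status(pol)[0])


if __name__ == "__main__":
    for name, pol in SAMPLE_POLICIES.items():
        ok, trig, why = rotation_status(pol)
        print(f"{name:34} {'OK  ' if ok else 'FAIL'} {trig or why}")
```

To run it against a real vault, replace `SAMPLE_POLICIES` with the per-key output of `az keyvault key rotation-policy show` collected over `az keyvault key list` (assumed CLI commands; check your CLI version supports them).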
