RajNair asked JamesTran-MSFT commented

Service Principal Secret Expiration - Automation

This is a design question

Right now when service principal credentials are expired, we have to (1) regenerate them, (2) update the same in Key Vault and (3) update the same wherever the SPN is used. Right now I am doing this manually for each SPN. Is there any way we can automate this activity? What is the best approach to handle this situation? I unfortunately have 50+ SPNs.


Tags: azure-active-directory, azure-key-vault

MOXiMOX-2301 answered

You don't say where you use the key vault. But have you considered DevOps release management to handle the updating?

AndriyBilous answered JamesTran-MSFT commented

Hello @RajNair

Here is an approach to automating the rotation of a secret:
- Thirty days before the expiration date of a secret, Key Vault publishes the near expiry event to Event Grid.
- Event Grid checks the event subscriptions and uses HTTP POST to call the function app endpoint that's subscribed to the event.
- An Azure Function is used with managed identity to rotate service principal keys.
- An Azure Function adds the new regenerated key to Azure Key Vault as the new version of the secret.


https://abschmidt.medium.com/rotating-service-principal-secrets-automatically-in-azure-key-vault-c4f04a84c9af

https://docs.microsoft.com/en-us/azure/key-vault/secrets/tutorial-rotation-dual?tabs=azure-cli



If you think your question has been answered, click "Mark as Answer" if just helped click "Vote as helpful". This can be beneficial to other community members reading this forum thread.



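The flow in the answer above, as an added Python sketch of the function's core logic (added illustration, not code from the answer or from the linked articles): it parses a Key Vault near-expiry Event Grid event, mints a replacement client secret through the Microsoft Graph `addPassword` endpoint and stores it as a new version of the same Key Vault secret. The Graph and Key Vault clients are passed in as small objects (`graph.post`, `vault.get_secret`, `vault.set_secret`); the `appObjectId` tag convention, the 90-day validity and the sample event are assumptions.

```python
from datetime import datetime, timedelta, timezone

NEAR_EXPIRY_EVENT = "Microsoft.KeyVault.SecretNearExpiry"   # event type Key Vault publishes to Event Grid
GRAPH = "https://graph.microsoft.com/v1.0"
APP_ID_TAG = "appObjectId"        # assumed convention: the secret's tags name the app registration's object id
NEW_KEY_VALIDITY_DAYS = 90        # assumed lifetime policy for the replacement key

# Constructed sample of the near-expiry event shape (not captured from a real tenant).
SAMPLE_EVENT = {
    "eventType": NEAR_EXPIRY_EVENT,
    "subject": "sp-billing-api",
    "data": {"VaultName": "kv-example", "ObjectType": "Secret", "ObjectName": "sp-billing-api",
             "Version": "0000", "EXP": 1700000000},
}

def build_add_password_request(app_object_id: str, display_name: str, end: datetime) -> tuple[str, dict]:
    """Graph call that adds a new client secret to the app registration.
    The response's 'secretText' is the only time the new value is readable, so it must go
    straight into Key Vault."""
    body = {"passwordCredential": {"displayName": display_name,
                                   "endDateTime": end.strftime("%Y-%m-%dT%H:%M:%SZ")}}
    return f"{GRAPH}/applications/{app_object_id}/addPassword", body

def rotate_from_event(event: dict, graph, vault) -> dict:
    """Handle one Event Grid event delivered to the function.
    graph.post(url, body) -> Graph JSON response (authenticated with the function's managed identity).
    vault.get_secret(name) -> (value, tags); vault.set_secret(name, value, expires_on, tags) -> version id."""
    if event.get("eventType") != NEAR_EXPIRY_EVENT:
        return {"rotated": False, "reason": f"ignored event type {event.get('eventType')!r}"}
    data = event["data"]
    if data.get("ObjectType") != "Secret":
        return {"rotated": False, "reason": f"ignored object type {data.get('ObjectType')!r}"}
    name = data["ObjectName"]
    _, tags = vault.get_secret(name)
    app_object_id = tags.get(APP_ID_TAG)
    if not app_object_id:
        raise ValueError(f"secret {name!r} has no {APP_ID_TAG!r} tag; cannot find its app registration")
    end = datetime.now(timezone.utc) + timedelta(days=NEW_KEY_VALIDITY_DAYS)
    url, body = build_add_password_request(app_object_id, f"rotated-{name}", end)
    cred = graph.post(url, body)
    # Dual rotation: the old key stays valid until its own expiry so consumers can move over;
    # its keyId is kept so a later cleanup can call /removePassword once nothing uses it.
    new_tags = {**tags, "keyId": cred["keyId"], "previousKeyId": tags.get("keyId", "")}
    version = vault.set_secret(name, cred["secretText"], expires_on=end, tags=new_tags)
    return {"rotated": True, "secret": name, "version": version, "keyId": cred["keyId"]}
```

In a real function the event comes from the Event Grid trigger binding and the two clients would be a Graph HTTP client and the Key Vault secrets SDK, both authenticated with the function's managed identity; the consumers still need to read the new secret version, which is the third step the question asks about.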

@RajNair
I just wanted to check in and see if you had any other questions or if you were able to resolve this issue?


If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.


Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.
