
Storage account keys can be automatically managed in Key Vault if you provide shared access signature tokens for delegated access to the storage account. There are services that require storage account connection strings with access keys. For that scenario, we recommend this solution.

Here's the rotation solution described in this tutorial:

In this solution, Azure Key Vault stores the individual access keys of a storage account as versions of the same secret, alternating between the primary and secondary key in subsequent versions. When one access key is stored in the latest version of the secret, the alternate key is regenerated and added to Key Vault as the new latest version of the secret. The solution provides the application's entire rotation cycle to refresh to the newest regenerated key.

1. Thirty days before the expiration date of a secret, Key Vault publishes the near expiry event to Event Grid.
2. Event Grid checks the event subscriptions and uses HTTP POST to call the function app endpoint that's subscribed to the event.
3. The function app identifies the alternate key (not the latest one) and calls the storage account to regenerate it.
4. The function app adds the newly regenerated key to Azure Key Vault as the new version of the secret.

This tutorial uses the portal Cloud Shell with the PowerShell environment.

You can use this deployment link if you don't have an existing key vault and existing storage accounts. Name the group vaultrotation and then select OK. You'll now have a key vault and two storage accounts.

You can verify this setup in the Azure CLI or Azure PowerShell by running this command:

az resource list -o table -g vaultrotation

Get-AzResource -Name 'vaultrotation*' | Format-Table

The result will look something like this output:

Name                   ResourceGroup   Location   Type                                Status
Vaultrotation-kv       vaultrotation   westus     Microsoft.KeyVault/vaults
Vaultrotationstorage   vaultrotation   westus     Microsoft.Storage/storageAccounts
Vaultrotationstorage2  vaultrotation   westus     Microsoft.Storage/storageAccounts

Create and deploy the key rotation function

Next, you'll create a function app with a system-managed identity, in addition to other required components.
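The function app's part of the rotation cycle described above (read the latest secret version, identify the alternate key, regenerate it, and store it as the new secret version with an expiry that raises the next near-expiry event), written here as an added example of an Azure Functions PowerShell Event Grid handler; this is not the tutorial's own function code. The secret tag names CredentialId, ProviderAddress and ValidityPeriodDays, and the helper names Get-AlternateKeyName and Invoke-StorageKeyRotation, are assumptions of this example; the page does not specify how the function locates the storage account.

```powershell
param($eventGridEvent, $TriggerMetadata)

# The key NOT held in the latest secret version is the one to regenerate.
function Get-AlternateKeyName {
    param([string]$CurrentKeyName)
    switch ($CurrentKeyName) {
        'key1'  { return 'key2' }
        'key2'  { return 'key1' }
        default { throw "Unexpected CredentialId tag '$CurrentKeyName'; expected key1 or key2" }
    }
}

function Invoke-StorageKeyRotation {
    param([string]$VaultName, [string]$SecretName)

    # The latest version of the secret tells us which key applications currently use.
    $secret = Get-AzKeyVaultSecret -VaultName $VaultName -Name $SecretName
    if (-not $secret) { throw "Secret '$SecretName' not found in vault '$VaultName'" }
    $currentKey   = $secret.Tags['CredentialId']
    $alternateKey = Get-AlternateKeyName -CurrentKeyName $currentKey
    $validityDays = [int]$secret.Tags['ValidityPeriodDays']

    # ProviderAddress (assumed tag) holds the storage account resource ID:
    # /subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.Storage/storageAccounts/<name>
    $parts          = $secret.Tags['ProviderAddress'] -split '/'
    $resourceGroup  = $parts[4]
    $storageAccount = $parts[8]

    # Regenerate only the alternate key; the key still in use keeps working until the next cycle.
    $result   = New-AzStorageAccountKey -ResourceGroupName $resourceGroup -Name $storageAccount -KeyName $alternateKey
    $newValue = ($result.Keys | Where-Object KeyName -eq $alternateKey).Value

    # Store the regenerated key as the new latest version, swapping the CredentialId tag
    # and setting the expiry that will raise the next near-expiry event.
    $tags = @{
        CredentialId       = $alternateKey
        ProviderAddress    = $secret.Tags['ProviderAddress']
        ValidityPeriodDays = "$validityDays"
    }
    $secure  = ConvertTo-SecureString -String $newValue -AsPlainText -Force
    $expires = (Get-Date).ToUniversalTime().AddDays($validityDays)
    Set-AzKeyVaultSecret -VaultName $VaultName -Name $SecretName -SecretValue $secure -Tag $tags -Expires $expires | Out-Null
}

# Event Grid's SecretNearExpiry event carries the vault and secret name in its data payload.
Invoke-StorageKeyRotation -VaultName $eventGridEvent.data.VaultName -SecretName $eventGridEvent.data.ObjectName
```

The function app's system-managed identity needs permission to regenerate keys on the storage account and to get and set secrets in the vault; applications that read the secret should re-fetch the latest version rather than cache the key indefinitely.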
