Automating key rotations for resources used in an application

Question

I am working on an application which centers around a function app which interfaces with a handful of resources. These resources all have their own keys and connection strings, which are stored in a key vault. The function app accesses the key vault's contents with a managed identity.

I would like to minimize the amount of future administrative work caused by having to regenerate those keys and putting the new values into the vault. For storage accounts, I know I could automate this entirely by making it a key vault managed account, but AFAIK there is no such feature for things like CosmosDB or OpenAI services. I know I could set up another function app to perform rotations for me like this, but I'm on a bit of a timeline and would prefer not to deal with all the debugging if possible. Do I have any other options?

Answer 1

If it is all Azure resources there should not be a reason why you can't do all of this with managed identity. Cosmos DB is well-documented. For storage, are you using blob storage or file shares? If you are mapping file shares you may not be able to do without the storage account key but otherwise, I think all of this is doable with managed identity. If you have specific questions about how to do that don't hesitate to ask.

Answer 2

Streamlining Key Rotation for Azure Services: Automation Strategies Beyond Managed Accounts

Automating key and connection string rotations for resources such as CosmosDB or OpenAI services is feasible, even without native support for key vault managed identities, as there are a few alternatives available.

Considering your goal to reduce administrative overhead and manual intervention in the future, it would be beneficial to utilize the existing services and features of Azure that are designed to streamline this process.

1. Azure Key Vault Managed Account:

   • You've noted that Key Vault is used for storing keys and connection strings. It's true that for storage accounts, key rotation can be automated by designating them as Key Vault managed accounts. However, this functionality is not provided for services such as CosmosDB or OpenAI.
   • Cosmos DB: While there isn’t a direct Key Vault managed account feature, you can still store Cosmos DB credentials securely in Key Vault. This involves using a system-assigned managed identity for your function app and granting it access to the Key Vault secrets containing Cosmos DB connection strings.
   • OpenAI Services: Consider using Entra ID authentication for OpenAI services as an alternative to keys. Entra ID offers a more secure and manageable authentication method for services like OpenAI. Details on implementing Entra ID with OpenAI services can be found in the official documentation.

2. Automated Key Rotation Function App:

   • Although setting up another function app may not be ideal, it can be a practical solution. Consider establishing a dedicated function app for key rotation. This app would periodically acquire new keys from your resources, like Cosmos DB or OpenAI, refresh the Key Vault secrets, and manage the rotation procedure.
   • While debugging may be a lengthy process, it guarantees a solid solution. On a tight schedule, begin with a basic implementation and incrementally improve it.

3. Customer-Managed Keys for Cosmos DB:

   • Actually, Azure Cosmos DB now supports Customer-Managed Keys (CMK). You can enable CMK on existing Cosmos DB accounts without migrating data to a new account. This feature allows you to store the keys in Azure Key Vault and encrypt all data stored in the Cosmos DB account using these keys.
   • To set up CMK for Cosmos DB, follow the steps in the official tutorial.

Consider using Entra ID authentication for OpenAI services, explore the automated function app approach, and take advantage of CMK for Cosmos DB.

Ref: https://learn.microsoft.com/en-us/azure/cosmos-db/store-credentials-key-vault

https://azure.microsoft.com/en-us/updates/public-preview-configure-customermanaged-keys-on-existing-cosmos-db-accounts/