Secrets are about to expire and need rotation
More Info:
In Microsoft Azure Key Vault, check for any secrets that are about to expire and rotate them by creating a new version of these secrets.Risk Level
MediumAddress
Operational Maturity, SecurityCompliance Standards
NIST, GDPR, ISO27001Triage and Remediation
Remediation
Using Console
Using Console
To remediate secrets that are about to expire and need rotation in Azure using the Azure console, follow these steps:
- Log in to the Azure portal (https://portal.azure.com/).
- Navigate to the Azure Key Vault where the secrets are stored.
- Select the secret that needs to be rotated.
- Click on the “Current Version” tab.
- Click on the “Generate/Import” button.
- Enter the new secret value and click on “Create”.
- Click on the “Save” button to save the new secret value.
- Click on the “Versions” tab.
- Select the previous version of the secret and click on “Disable”.
- Click on the “Save” button to disable the previous version of the secret.
Using CLI
Using CLI
To remediate the issue of expiring secrets in Azure using Azure CLI, you can follow these steps:This command will list all the secrets that are about to expire in your key vault.Replace Replace This command should return an empty list, indicating that all the secrets have been rotated successfully.By following these steps, you can remediate the issue of expiring secrets in Azure using Azure CLI.
- Login to your Azure account using Azure CLI by running the following command:
- Once you are logged in, you need to identify the secrets that are about to expire. You can do this by running the following command:
- Now that you have identified the secrets that need rotation, you can rotate them by creating new versions of the secrets with updated values. You can do this by running the following command:
<your-key-vault-name>, <your-secret-name> and <your-new-secret-value> with the appropriate values.- Once you have created new versions of all the secrets that were about to expire, you can delete the old versions of the secrets by running the following command:
<your-key-vault-name>, <your-secret-name> and <your-old-secret-version> with the appropriate values.- Repeat steps 3 and 4 for all the secrets that were about to expire.
- Finally, you can verify that all the secrets have been rotated successfully by running the following command:
Using Python
Using Python
To remediate the issue of expiring secrets in AZURE using Python, you can follow these steps:
-
Install the
azure-identityandazure-keyvault-secretspackages using pip. -
Import the required libraries in your Python code.
-
Set up the authentication credentials using the
DefaultAzureCredentialclass. -
Create a
SecretClientobject using the Azure Key Vault URL and the authentication credentials. -
Retrieve the list of secrets from the Key Vault using the
list_properties_of_secretsmethod of theSecretClientobject. -
Iterate over the list of secrets and check if any of them are about to expire (i.e., the
expires_onproperty is less than the current time plus a buffer period). If a secret is about to expire, retrieve its current value using theget_secretmethod of theSecretClientobject, update its value, and then set the updated value using theset_secretmethod of theSecretClientobject. - Run the Python script periodically (e.g., daily) using a task scheduler or a cron job to ensure that secrets are rotated before they expire.