Azure Rotated Secret

You can create Rotated Secrets for Azure Apps and Azure Storage Account. Before you get started, ensure you have a Target for your Azure App or for your Azure Storage Account.

The target must include the Azure tenant ID and client ID, as well as a client secret for a privileged App authorized to rotate credentials.

When a client requests a Rotated Secret value, the Akeyless Platform connects to the Azure App through your Gateway to rotate the Key of the target Azure App.

Prerequisites

Or an:

Permissions Needed to Manage Application Secrets

ActionPermissions
Create\DeleteApplication.ReadWrite.OwnedBy orApplication.ReadWrite.All

Where:

  • Application.ReadWrite.OwnedBy: Allows reading and writing of properties for applications owned by the user.

  • Application.ReadWrite.All: Allows read and write access to all applications in Azure Active Directory

For more information, refer to Microsoft Graph permissions reference

Create a Rotated Azure Secret from the CLI

To create a Rotated Azure Secret using the Akeyless CLI, run the following command:

akeyless rotated-secret create azure \
--name <Rotated Secret name> \
--gateway-url 'https://<Your-Akeyless-GW-URL:8000>' \
--target-name <target name to associate> \
--authentication-credentials <use-user-creds|use-target-creds> \
--rotator-type <azure-storage-account|api-key|target|password> \
--api-id <client id> \
--api-key <client secret> \
--app-id <ID of the low-privileged app holding the secret to rotate>

Where:

  • name: A unique name of the Rotated Secret. The name can include the path to the virtual folder where you want to create the new Rotated Secret, using slash / separators. If the folder does not exist, it will be created together with the Rotated Secret.

  • gateway-url: Akeyless Gateway Configuration Manager URL (port 8000).

  • target-name: The name of the Azure Target with which the Rotated Secret should be associated.

  • authentication-credentials: Determines how to connect to the target Azure App.

    • use-user-creds - Use credentials defined on the Rotated Secret item.
    • use-target-creds - Use credentials of the privileged Azure App defined inside the Azure Target item.

👍

Note

Select use-target-creds if the Rotated Secret target App is not authorized to change its own client secret, and the privileged Azure Target App is required to change the client secret on behalf of the Rotated Secret target App.

  • rotator_type: The type of credentials to be rotated. For Azure Target, choose:

    • api-key - to rotate the client secret specified in the Rotated Secret
    • target - to rotate the client secret of the privileged App specified in the Azure Target
    • password - to rotate a user password in Azure Entra.
  • api-id: The client secret ID of the Azure App whose client secret should be rotated. If left empty, the rotated secret will try to create a new secret and manage its rotation only.

  • api-key: The client secret to rotate.

  • app-id: The ID of the Azure App that holds the secret being rotated.

  • username: The user principal name to rotate his password (relevant only for rotator-type=password).

  • auto-rotate: Enable auto-rotation if you need to update the client secret regularly. If this value is set to true, specify the rotation-interval in days, and optionally also the rotation_hour.

You can find the complete list of parameters for this command in the CLI Reference - Rotated Secrets section.

Create a Rotated Azure Secret in the Akeyless Console.

👍

Note

To start working with Rotated Secrets from the Akeyless Console, you need to configure the Gateway URL thus enabling communication between the Akeyless SaaS and the Akeyless Gateway.

To create rotated secrets directly from the Akeyless Gateway, you can use the Gateway Configuration Manager.

  1. Log in to the Akeyless Console, and go to Items > New > Rotated Secret > Azure.

  2. Define a Name of the Rotated Secret, and specify the Location as a path to the virtual folder where you want to create the new Rotated Secret, using slash / separators. If the folder does not exist, it will be created together with the Rotated Secret.

  3. Define the remaining settings as follows:

  • Target: Defines the name of the Azure Target to be associated with the Rotated Secret.

👍

Note

You need to select the Rotator Type first, and then only those targets appear in the list that use the corresponding type of credentials.

  • Authenticate with the following credentials: Determines how to connect to the target Azure App:

    • User credentials: Use credentials defined inside the Rotated Secret item.
    • Target credentials: Use credentials of the privileged App defined inside the Azure Target item.

👍

Note

Select Target credentials if the Rotated Secret target App is not authorized to change its own client secret, and the privileged Azure Target App is required to change the client secret on behalf of the Rotated Secret target App.

  • Rotator type: Determines the rotator type:

    • API Key: Rotates the client secret defined inside the Rotated Secret item.
    • Target: Rotates the client secret of the privileged App defined inside the Azure Target item.
    • Password: To rotate a user password in Azure Entra.
  • Access Key ID: Defines the client secret ID of the Azure App which Access Key should be rotated.

  • Access Key: Defines the client secret to rotate.

  • Application ID: Defines the ID of the Azure App that holds the secret being rotated.

  • Username: The user's principal name to rotate his password (relevant only for Password Rotator type)

👍

Note

You can rotate the client secret for the Azure Target too by creating a Rotated Secret with the Rotator type set to Target. When you're using a Target rotator, the access role with which this Rotated Secret is associated must have read and update permissions on the corresponding Target.

  • Gateway: Select the Gateway through which the secret will be rotated.

  • Protection Key: To enable Zero-Knowledge, select a key with a Customer Fragment. For more information about Zero-Knowledge, see Implement Zero Knowledge.

  • Auto rotate: Determines if automatic rotation is enabled.

  • Rotation interval (in days): Defines the number of days (1-365) to wait between automatic client secret rotations when Auto Rotate is enabled.

  • Rotation hour (local time zone): Defines the time when the client secret should be rotated if Auto Rotate is enabled.

  • Rotation Notification: If you wish to get a notification before the next Automatic Rotation, click on ⊕ Add Notification and adjust the day count to any number you desire. This can be done multiple times to be notified more than once.

  • Delete Protection: When enabled, protects the Rotated Secret from accidental deletion.

  1. Click Finish.

Rotate an Azure Storage Account key

To rotate an Azure Storage Account key, you need to create a new Azure Target for the Azure Storage Account and a new Azure Rotated Secret with the Rotator Type = azure-storage-account.

To create a new Azure Rotated Secret for the Azure Storage Account, run the following command in the CLI:

akeyless create-rotated-secret \
--name <secret name> \
--target-name <target name to associate> \
--rotator-type <azure-storage-account> \
--authentication-credentials <use-target-creds> \
--storage-account-key-name <name of the key you want to rotate>

Where:

  • name: A unique name of the rotated secret. The name can include the path to the virtual folder where you want to create the new secret, using slash / separators. If the folder does not exist, it will be created together with the secret.

  • target-name: The name of the Azure Storage target with which the rotated secret should be associated.

  • rotator-type: Must be azure-storage-account.

  • authentication-credentials: Must be use-target-creds. It instructs the system to use the credentials defined for the associated target to connect.

  • storage-account-key-name: The name of the key you want to rotate. Must be one of the following: key1/key2/kerb1/kerb2 - and must exist on the Azure Storage account.