You can create a rotated secret Azure app. Before you get started, make sure you have created an Azure Target for your Azure Application (Client) ID that includes the Azure tenant ID and Client ID as well as client secret for a user authorized to change the service account credentials.
Let’s create an Azure rotated secret using the Akeyless CLI. If you’d prefer, see how to do this from the Akeyless UI instead.
The CLI command to create an Azure rotated secret is:
akeyless create-rotated-secret --name <secret name> \ --api-id <access key id> \ --api-key <access key> \ --target-name <target name to associate> \ --rotator-type <api-key|target> --authentication-credentials <use-user-creds|use-target-creds> --auto-rotate <true|false> \ --rotation-interval <1-365> \ --rotation_hour <hour in UTC> --app-id <low privilege app to rotate the secrets>
- name: A unique name for the rotated secret. The name can include the path to the virtual folder in which you want to create the new secret, using slash
/separators. If the folder does not exist, it will be created together with the secret.
- api-id: The ID of the access key ID to rotate.
- api-key: The access key to rotate.
- target-name: The name of the Azure target with which the rotated secret should be associated.
- rotator_type: The credential to be rotated, either api-key (default), to rotate the access key ID and access key specified in the rotated secret, or target, to rotate the access key ID and access key for the target credentials.
- authentication-credentials:Determines how to connect to the associated target:
use-user-creds: Use the credentials defined for the rotated secret to connect.
use-target-creds: Use the credentials defined for the associated target to connect.
- auto-rotate: Optional, only required when the rotated secret should update the credentials. If this value is defined as true, specify the
rotation-intervalin days, and optionally also the
-app-id: In the case of
authentication-credentials=use-target-creds, it is possible to use a higher privilege app to rotate keys in a lower privilege app.
app-iddetermines if the target app should be overridden from the one defined in the given target-name.
use-target-credsif the rotated secret user is not authorized to change their own credentials, and a powerful user like the target user is required to change the credentials on behalf of the rotated secret user.
The full list of options for this command is:
-n, --name *Secret name -r, --target-name *The target name to associate -u, --gateway-url[=http://localhost:8000] API Gateway URL (Configuration Management port) -m, --metadata Metadata about the secret -t, --tag List of the tags attached to this secret. To specify multiple tags use argument multiple times: -t Tag1 -t Tag2 -k, --key The name of a key that used to encrypt the secret value (if empty, the account default protectionKey key will be used) --auto-rotate Whether to automatically rotate every --rotation-interval days, or disable existing automatic rotation --rotation-interval The number of days to wait between every automatic rotation (1-365),custom rotator interval will be set in minutes --rotation-hour The Hour of the rotation in UTC --rotator-type *The rotator type password/target/api-key/ldap/custom --rotator-creds-type The credentials to connect with use-self-creds/use-target-creds - deprecated, replace by authentication-credentials --authentication-credentials[=use-user-creds] The credentials to connect with use-user-creds/use-target-creds --rotator-custom-cmd Custom rotation command (relevant only for ssh target) --ssh-username ssh username - deprecated, replace by rotated-username --ssh-password ssh password to rotate - deprecated, replace by rotated-password --api-id API ID to rotate (relevant only for rotator-type=api-key) --api-key API key to rotate (relevant only for rotator-type=api-key) --rotated-username username to be rotated, if selected "use-self-creds" at rotator-creds-type, this username will try to rotate its own password, if "use-target-creds" is selected, target credentials will be use to rotate the rotated-password (relevant only for rotator-type=password) --rotated-password rotated-username password (relevant only for rotator-type=password) --user-dn Base DN to Perform User Search --user-attribute LDAP User Attribute --app-id Id of the azure app that hold the serect to be rotated (relevant only for azure & rotator-type=api-key & authentication-credentials=use-target-creds) --custom-payload Secret payload to be sent with rotation request (relevant only for rotator-type=custom) --profile, --token Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token --username Optional username for various authentication flows --password Optional password for various authentication flows --uid-token The universal identity token, Required only for universal_identity authentication -h, --help display help information --json[=false] Set output format to JSON --no-creds-cleanup[=false] Do not clean local temporary expired creds
Let’s create an AWS rotated secret using the Akeyless Gateway UI.
Log in to the Akeyless Gateway, and select Rotated Secret > New > Create new rotated secret.
Give the rotated secret a name, and define where it should be saved.
Define the rest of the rotated secret settings as follows:
Authenticate with the following credentials
Determines how to connect to the associated target:
Rotation interval (in days)
Defines the number of days (1-365) to wait between automatic credentials rotations when Auto Rotate is enabled.
Rotation hour (local time zone)
Defines the time the credentials is rotated when Auto Rotate is enabled.
Determines if automatic rotation is enabled.
Defines the name of the target to be associated with the secret.
Access Key ID
Defines the access key ID to rotate
Defines the access key to rotate
Defines the Id of the app to rotate secrets in (only applicable with
Determines the rotator type:
Encrypt with the following Key
To enable zero-Knowledge, select a key with a Customer Fragment. For more information about zero-knowledge, see Implement Zero Knowledge.
Updated 3 months ago