Tuesday, November 29, 2022

Azure: Bulk update secrets in Azure key vault using ARM

At my current client we have a requirement to periodically rotate some 50 secrets in Azure Key Vaults that store the shared keys for S2S VPN connections.

For keys (not secrets) there is an auto-rotation option that is now GA (see link); however, it does not apply to secrets.

There is an option to use Logic Apps to rotate secrets, but the MS documentation I could find is not very good.

At first I was looking at writing a PowerShell script that pulls the new secrets from a CSV file and then applies them to a Key Vault, but it ended up being easier to create an ARM template that does the same.

The secret names and secret values are stored in the parameters file (the file contains a couple of test secrets for demonstration purposes). The name of the Key Vault also needs to be set in the parameters file. The ARM template itself does not have to be changed.

If you add a secret in the parameters file that already exists in the Key Vault, the deployment overwrites it: a new/current version is created and the previous version(s) are kept as older versions, see screenshot below. Secrets already in the Key Vault that are not defined in the parameters file are neither changed nor deleted. Secrets in the parameters file that are not yet in the Key Vault are added.
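As an added illustration (my own sketch, not the template from the author's GitHub repo), here is a minimal ARM template of the kind described: the secrets arrive as one secureObject parameter, so their values are not recorded in plain text in the deployment history, and a copy loop creates or updates one Microsoft.KeyVault/vaults/secrets resource per entry. The parameter names keyVaultName and secrets and the items/name/value layout are my assumptions.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "keyVaultName": {
      "type": "string",
      "metadata": {
        "description": "Name of the existing Key Vault that receives the secrets (assumed parameter name)."
      }
    },
    "secrets": {
      "type": "secureObject",
      "metadata": {
        "description": "Assumed layout: { \"items\": [ { \"name\": \"vpn-site1-psk\", \"value\": \"<new shared key>\" }, ... ] }. secureObject keeps the values out of the deployment history."
      }
    }
  },
  "resources": [
    {
      "type": "Microsoft.KeyVault/vaults/secrets",
      "apiVersion": "2022-07-01",
      "name": "[format('{0}/{1}', parameters('keyVaultName'), parameters('secrets').items[copyIndex()].name)]",
      "copy": {
        "name": "secretCopy",
        "count": "[length(parameters('secrets').items)]"
      },
      "properties": {
        "value": "[parameters('secrets').items[copyIndex()].value]",
        "contentType": "text/plain"
      }
    }
  ]
}
```

Deploying with New-AzResourceGroupDeployment -ResourceGroupName <rg> -TemplateFile deploy_secrets.json -TemplateParameterFile deploy_secrets.parameters.json creates a new version of each listed secret and leaves unlisted secrets untouched; the deploying identity needs permission to set secrets on the vault (an access policy with Set, or the Key Vault Secrets Officer RBAC role).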

The template is available on GitHub; the files are:

deploy_secrets.json

deploy_secrets.parameters.json

Powershell cmd to run ARM template.txt