keyvault-java

This repo demonstrates how to set up automatic Azure AD app registration client secret rotation using Azure Functions (in Java) and Key Vault (with Event Grid notification when secrets are about to expire).

(architecture diagram)

  1. When a secret is created, Key Vault is configured to send an Event Grid notification once that secret is about to expire (30 days before expiry by default).
  2. Azure Function is triggered by the Event Grid notification.
  3. Azure Function creates a new client secret for the Azure AD app registration.
  4. Azure Function updates the secret in Key Vault.

Disclaimer

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

Prerequisites

Deployment

  1. Modify the ./infra/env/dev.parameters.json file to match your environment.

  2. Run the following command to deploy the initial infrastructure to Azure.

az deployment group create -g rg-keyVaultJava-ussc-dev --template-file ./infra/init/main.bicep --parameters ./infra/env/dev.parameters.json

  3. Update the ./src/java/pom.xml file to match your environment (specifically the functionAppName, resourceGroup, appServicePlanName and region keys).

  4. Build & deploy the Azure Function Java code.

cd src/java
mvn clean package
mvn azure-functions:deploy

  5. Deploy the Event Grid subscription now that an endpoint exists in Azure Functions.

cd ../..
az deployment group create -g rg-keyVaultJava-ussc-dev --template-file ./infra/subscription/main.bicep --parameters ./infra/env/dev.parameters.json

  6. Create a test App Registration to be managed by the Azure Function in Azure Active Directory. Take note of the objectId of the App Registration.

  7. Retrieve the Object Id of the Managed Identity.

az identity show -g rg-keyvaultJava-ussc-dev -n mi-keyVaultJava-ussc-dev --query principalId

  8. Run the following command to assign the Managed Identity ownership over the test app registration (the id is the objectId of the app registration, the owner-object-id is the objectId of the Managed Identity).

az ad app owner add --id a9425fd4-66c5-43a2-afb2-9135ec474e4a --owner-object-id 51819bcc-7865-4f6d-9f50-48ffbafe79a2

  9. Run the following commands to assign the Managed Identity the Application.ReadWrite.OwnedBy permission on the Graph API so it can update the client secrets on any app registration it owns (the spId is the objectId of the Managed Identity). NOTE: It is likely you will need an admin to do this for you.

spId=51819bcc-7865-4f6d-9f50-48ffbafe79a2

graphResourceId=$(az ad sp list --display-name "Microsoft Graph" --query [0].id --out tsv)

appRoleId=$(az ad sp list --display-name "Microsoft Graph" --query "[0].appRoles[?value=='Application.ReadWrite.OwnedBy' && contains(allowedMemberTypes, 'Application')].id" --output tsv)

uri=https://graph.microsoft.com/v1.0/servicePrincipals/$spId/appRoleAssignments

body="{'principalId':'$spId','resourceId':'$graphResourceId','appRoleId':'$appRoleId'}"

az rest --method post --uri $uri --body $body --headers "Content-Type=application/json"

Run the code

  1. Navigate to the test App Registration in the Azure portal. Copy the objectId of the App Registration.

  2. Click on Certificates & secrets.

  3. Click on New client secret.

  4. Enter a description and click Add.

  5. Copy the id & value of the secret.

  6. Navigate to the Key Vault in the Azure portal.

  7. Click on Secrets.

  8. Click on Generate/Import.

  9. Set the name of the secret to the objectId of the App Registration.

  10. Set the value of the secret to the client secret value you copied.

  11. Set the Content Type to the id of the secret (not of the App Registration, but of the secret itself).

  12. Set the Expiration date to a date in the near future (less than 30 days from now).

  13. Click Create.

  14. Wait a few minutes for Key Vault to send the notification to the Azure Function.

  15. Navigate back to the App Registration in the Azure portal.

  16. Click on Certificates & secrets.

  17. Notice that the secret has been replaced by a new one. Note the first 3 characters of the Value and the Expires value.

  18. Navigate back to the Key Vault in the Azure portal.

  19. Click on Secrets.

  20. Click on the secret.

  21. Notice that a new secret version has been created. If you open it, you will see the new secret value and expiration date 1 year in the future.

Links
