
Key rotation concepts in Azure - Commands & Configuration

Introduction
Key rotation means regularly replacing the cryptographic keys that protect your data. It limits the damage a lost or stolen key can do, because the key is only valid for a bounded time.
When you want to improve security by updating keys before they expire or get compromised
When compliance rules require you to change keys every few months
When you suspect a key might have been exposed accidentally
When you want to automate key updates to avoid manual errors
When you use Azure Key Vault to store and manage your keys securely
Config File - keyrotation-policy.json
{
  "attributes": {
    "enabled": true
  },
  "lifetimeActions": [
    {
      "trigger": {
        "timeBeforeExpiry": "P30D"
      },
      "action": {
        "type": "Rotate"
      }
    }
  ],
  "contentType": "application/json"
}

This JSON file defines a key rotation policy for Azure Key Vault.

attributes.enabled: Turns the policy on.

lifetimeActions: Lists the actions to take at points in the key's lifetime (here, before the key expires).

trigger.timeBeforeExpiry: Sets how long before the key's expiry the rotation starts, as an ISO 8601 duration (P30D, 30 days here).

action.type: Defines the action as rotation.

Commands
This command applies the key rotation policy to the key named 'my-key' in the 'my-keyvault' Azure Key Vault. It tells Azure to rotate the key 30 days before it expires.
Terminal
az keyvault key rotation-policy set --vault-name my-keyvault --name my-key --policy @keyrotation-policy.json
Expected Output
{ "attributes": { "enabled": true }, "id": "https://my-keyvault.vault.azure.net/keys/my-key/rotationpolicy", "lifetimeActions": [ { "action": { "type": "Rotate" }, "trigger": { "timeBeforeExpiry": "P30D" } } ], "contentType": "application/json" }
--vault-name - Specifies the name of the Azure Key Vault
--name - Specifies the name of the key the policy is applied to
--policy - Points to the JSON file with the rotation policy
This command shows the current key rotation policy for the key 'my-key' in 'my-keyvault' to verify it was set correctly.
Terminal
az keyvault key rotation-policy show --vault-name my-keyvault --name my-key
Expected Output
{ "attributes": { "enabled": true }, "id": "https://my-keyvault.vault.azure.net/keys/my-key/rotationpolicy", "lifetimeActions": [ { "action": { "type": "Rotate" }, "trigger": { "timeBeforeExpiry": "P30D" } } ], "contentType": "application/json" }
--vault-name - Specifies the Azure Key Vault name
--name - Specifies the key name to check
This command manually triggers the rotation of the key 'my-key' in 'my-keyvault' immediately, useful for urgent key changes.
Terminal
az keyvault key rotate --vault-name my-keyvault --name my-key
Expected Output
{ "kid": "https://my-keyvault.vault.azure.net/keys/my-key/1234567890abcdef", "key": { "kid": "https://my-keyvault.vault.azure.net/keys/my-key/1234567890abcdef" } }
--vault-name - Specifies the Azure Key Vault name
--name - Specifies the key to rotate
Key Concept

If you remember nothing else from this pattern, remember: regularly changing your keys limits the risk if a key is lost or stolen.

Common Mistakes
Not enabling the rotation policy after creating it
The keys will not rotate automatically if the policy is not enabled, leaving keys unchanged and vulnerable.
Always set the 'enabled' attribute to true in the rotation policy JSON before applying it.
Using incorrect vault or key names in commands
Commands will fail or apply changes to the wrong resources, causing confusion or errors.
Double-check the vault and key names before running commands to ensure they match your Azure resources.
Forgetting to verify the rotation policy after setting it
You might think the policy is applied when it is not, leading to no key rotation happening.
Always run 'az keyvault key rotation-policy show' to confirm the policy is active and correct.
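The check below turns the two verification points above (the 'enabled' attribute and confirming the policy with 'rotation-policy show') into a script. It is an added example for this page, not Azure's own tooling: it assumes the policy JSON has the shape printed by 'az keyvault key rotation-policy show' (attributes.enabled, lifetimeActions with trigger and action, as in the output shown above), the sample document is constructed from that output, and, going beyond the page, it also accepts Key Vault's timeAfterCreate trigger. It also shows a caveat the policy file alone does not make obvious: a timeBeforeExpiry trigger can only fire for a key that has an expiry date set.

```python
"""Check an Azure Key Vault key rotation policy before trusting it.

Added example for this page; it is not Azure's own tooling. It assumes the
policy JSON has the shape printed by `az keyvault key rotation-policy show`
(attributes.enabled, lifetimeActions[].trigger/action, as on this page) and,
beyond the page, also accepts Key Vault's timeAfterCreate trigger.
"""
import json
import re
from datetime import datetime, timedelta

# Constructed sample: the document `az keyvault key rotation-policy show`
# printed for the policy in keyrotation-policy.json above.
SAMPLE_SHOW_OUTPUT = (
    '{ "attributes": { "enabled": true }, '
    '"id": "https://my-keyvault.vault.azure.net/keys/my-key/rotationpolicy", '
    '"lifetimeActions": [ { "action": { "type": "Rotate" }, '
    '"trigger": { "timeBeforeExpiry": "P30D" } } ], '
    '"contentType": "application/json" }'
)

# Key Vault expresses trigger times as ISO 8601 durations in whole years,
# months and days (e.g. P30D, P1Y, P2M); hours and minutes are not used.
_DURATION = re.compile(r"^P(?:(\d+)Y)?(?:(\d+)M)?(?:(\d+)D)?$")


def parse_iso_duration(value):
    """Convert a 'P30D'-style duration to a timedelta. Years and months are
    approximated (365 and 30 days): this is a planning check, not a
    calendar computation."""
    m = _DURATION.match(value)
    if not m or value == "P":
        raise ValueError(f"unsupported duration: {value!r}")
    years, months, days = (int(g) if g else 0 for g in m.groups())
    return timedelta(days=years * 365 + months * 30 + days)


def load_policy(text):
    """Parse the JSON text returned by the CLI into a dict."""
    return json.loads(text)


def _rotate_actions(policy):
    return [a for a in policy.get("lifetimeActions") or []
            if a.get("action", {}).get("type") == "Rotate"]


def check_rotation_policy(policy):
    """Return a list of human-readable findings; an empty list means the
    policy is enabled and will actually rotate the key."""
    findings = []
    if not policy.get("attributes", {}).get("enabled"):
        findings.append("policy is not enabled: the key will not rotate automatically")
    rotate = _rotate_actions(policy)
    if not rotate:
        findings.append("no lifetimeAction with action.type Rotate: nothing rotates the key")
    for action in rotate:
        trigger = action.get("trigger", {})
        if "timeBeforeExpiry" in trigger:
            lead = parse_iso_duration(trigger["timeBeforeExpiry"])
            if lead < timedelta(days=7):
                findings.append(f"timeBeforeExpiry {trigger['timeBeforeExpiry']} leaves "
                                "little time to recover if a rotation fails")
        elif "timeAfterCreate" not in trigger:
            findings.append("Rotate action has no trigger")
    return findings


def _parse_time(value):
    """Accept both the '...Z' and the '...+00:00' timestamp styles the CLI prints."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S%z")


def rotation_trigger_time(policy, created, expires=None):
    """Earliest moment a Rotate action fires for a key created at `created`
    and expiring at `expires` (ISO timestamps). Returns an ISO timestamp, or
    None when nothing can fire: a timeBeforeExpiry trigger needs the key to
    have an expiry date, so a key without one is never rotated by it."""
    created_at = _parse_time(created)
    expires_at = _parse_time(expires) if expires else None
    candidates = []
    for action in _rotate_actions(policy):
        trigger = action.get("trigger", {})
        if "timeBeforeExpiry" in trigger and expires_at is not None:
            candidates.append(expires_at - parse_iso_duration(trigger["timeBeforeExpiry"]))
        if "timeAfterCreate" in trigger:
            candidates.append(created_at + parse_iso_duration(trigger["timeAfterCreate"]))
    return min(candidates).isoformat() if candidates else None


if __name__ == "__main__":
    policy = load_policy(SAMPLE_SHOW_OUTPUT)
    print("findings:", check_rotation_policy(policy) or "none")
    print("first rotation:", rotation_trigger_time(
        policy, "2024-01-01T00:00:00Z", "2025-01-01T00:00:00Z"))
```

In practice you would feed the script the real output of 'az keyvault key rotation-policy show' and the key's created and expires attributes from 'az keyvault key show'; a None result from rotation_trigger_time means the policy is set but will never fire for that key, which is exactly the silent failure the third mistake above warns about.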
Summary
Create a key rotation policy JSON file that defines when and how keys rotate.
Use Azure CLI to apply the rotation policy to your keys in Azure Key Vault.
Verify the policy is set correctly and manually rotate keys if needed.