Using Logic Apps to Trigger Key Vault Rotation

Previously I’ve written about how we can use Azure Key Vault and PIM Groups as a secure password management solution. Something I didn’t cover at the time is the requirement in large environments to rotate passwords regularly. To achieve this rotation, we can leverage Azure Logic Apps to trigger email requests to rotate keys. The setup in my previous post will be used as a basis for the configuration below.

Configure Logic App

We can create a new Logic App in the Azure Portal; all we need is an Azure subscription (which we should already have from setting up the Key Vault previously).

Create the App in the Azure Portal as below.

When the Logic App is provisioned, navigate to “Identity”, enable the System Assigned Identity and click Save.

Next, we need to grant the Logic App identity permission on our Key Vault. Open the Key Vault and open up Access Policies. Create a new Access Policy and assign the appropriate access to the service principal. For full control use the “Key, Secret & Certificate Management” template; note that the workflow below only reads a secret, so the Get permission on secrets is all it strictly needs.

Now, back in our Logic App, we can start building out our logic. Firstly, add a trigger such as a recurrence pattern to schedule the app to run.

As we want to use our managed identity, we can’t use the default Key Vault connector, so we will instead send the API request ourselves. Select the HTTP connector and then the HTTP action.

Fill in the HTTP connector as below with the following values:

Heading | Value
Method | GET
URI | https://<KeyVaultName>.vault.azure.net/secrets/<secretname>/?api-version=7.1
Authentication Type | Managed Identity
Managed Identity | System Assigned Managed Identity
Audience | https://vault.azure.net

Now we can store our result in a variable for sending: add an “Initialize variable” action. Here we specify which values from the response we want; we are specifically looking for the “updated” attribute (returned under “attributes” as a Unix timestamp), but we can capture the secret itself and the other attributes the same way.

Now that we have the last updated date, we have a lot of options. We can add a Planner task, send a webhook to our Service Desk tool, send an email, etc. This final step I’ll leave up to you, but Logic Apps is extremely flexible and can interact with a massive number of systems.
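As an added example (not code from the original post), the Python below reproduces the logic of the Initialize variable step and the rotation decision that would feed the notification: it reduces a Key Vault GET-secret response to the “updated” attribute, works out the secret’s age and flags whether rotation is due. The response body, vault name and secret name are constructed placeholders, and the rotation policy (maximum age in days) is an assumed input.

```python
import json

# Constructed sample of the Key Vault GET secret response (api-version 7.1).
# The real response also carries the secret in "value"; it is included only to
# show that rotation_status() deliberately leaves it out of what it returns.
SAMPLE_RESPONSE = json.dumps({
    "value": "placeholder-secret-value",
    "id": "https://examplevault.vault.azure.net/secrets/svc-account-pw/abc123",
    "attributes": {
        "enabled": True,
        "created": 1609459200,   # 2021-01-01T00:00:00Z, Unix epoch seconds
        "updated": 1609459200,   # Key Vault reports timestamps as epoch seconds
        "recoveryLevel": "Recoverable+Purgeable",
    },
})

SECONDS_PER_DAY = 86400


def rotation_status(response_body: str, now_epoch: int, max_age_days: int) -> dict:
    """Keep only what a rotation ticket needs from a Key Vault secret response.

    Equivalent to capturing body('HTTP')?['attributes']?['updated'] in the
    Logic App: the secret value is never copied into the result.
    """
    body = json.loads(response_body)
    attrs = body["attributes"]
    updated = int(attrs["updated"])
    age_days = (now_epoch - updated) // SECONDS_PER_DAY
    # id has the form https://<vault>.vault.azure.net/secrets/<name>/<version>
    name = body["id"].split("/secrets/", 1)[1].split("/", 1)[0]
    return {
        "secret": name,
        "enabled": bool(attrs.get("enabled", False)),
        "updated_epoch": updated,
        "age_days": age_days,
        "rotation_due": age_days > max_age_days,
    }


def ticket_text(status: dict) -> str:
    """Render the message body for the email / Planner / Service Desk step."""
    state = "ROTATION DUE" if status["rotation_due"] else "ok"
    return (f"Secret '{status['secret']}' last updated {status['age_days']} days ago "
            f"(enabled={status['enabled']}): {state}")


if __name__ == "__main__":
    # 2021-04-01T00:00:00Z, 90 days after the sample's updated timestamp
    print(ticket_text(rotation_status(SAMPLE_RESPONSE, 1617235200, 60)))
```

Logic Apps run history records each action’s inputs and outputs, so capturing “value” into a variable would expose the secret to anyone who can read the run history; keeping only “updated”, as above, avoids that.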

Overall, adding this on top of the Key Vault functionality is an easy way to add value at a very low cost.
