I'm managing a lot of Azure Service Principals (SPNs) in my environment, with their client secrets spread across various Key Vaults. I'm looking for advice on automating the process of renewing SPN secrets before they expire and updating these secrets in the Key Vaults. If anyone has implemented solutions using Azure Automation, Functions, Logic Apps, or scripts to check upcoming expirations and rotate secrets, I'd love to see your ideas or examples. How do others handle this at scale?
4 Answers
Definitely consider using managed identities if you can. They help eliminate the stress of handling hard credentials, which can become quite challenging and often lead to outages.
If possible, I really recommend switching to managed identities, as that simplifies a lot since you wouldn't need to rotate secrets anymore. You could also consider using federated credentials, which remove the hassle of managing secrets completely. If managed identities aren't an option, then creating a function app with a script in Python or PowerShell could do the job. Just schedule it to run regularly and let it handle the renewals ahead of the expiration. Don't forget to use Key Vault for storing the secrets!
We tackled this on a larger scale by setting up a small Function/App that regularly checks Key Vault for any expiring secrets. It creates new client secrets through Microsoft Graph and updates them back to the relevant vault. We made sure it runs on a schedule and includes retries along with alert notifications, so we never cut it close. Key aspects are making the whole rotation process idempotent and using a dedicated identity with precise permissions for the SPNs that need rotation! This way, adding new SPNs becomes just a matter of adjusting the config instead of reinventing the wheel each time.
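The rotation loop the answer above describes (and the scheduled function app suggested in the previous answer), as an added example that is not the poster's code. The `VaultClient` and `GraphClient` interfaces, the `appObjectId` tag convention, the 30-day threshold and 180-day lifetime are all assumptions for illustration; in production the two adapters would wrap `azure-keyvault-secrets`' `SecretClient` (`list_properties_of_secrets`/`set_secret`) and Microsoft Graph's `POST /applications/{id}/addPassword` and `/removePassword`. The in-memory classes at the bottom are constructed stand-ins so the run can be exercised offline.

```python
"""Idempotent rotation of SPN client secrets held in Key Vault.

Added example, not the poster's code. Interfaces, tag names and timings are
assumptions; the InMemory* classes are constructed stand-ins for real clients.
"""
from __future__ import annotations

import secrets
import uuid
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Protocol

ROTATE_BEFORE = timedelta(days=30)   # assumed: rotate when this little remains
NEW_LIFETIME = timedelta(days=180)   # assumed: lifetime of a freshly minted secret


@dataclass
class VaultSecret:
    name: str
    value: str
    expires_on: datetime
    tags: dict[str, str] = field(default_factory=dict)


@dataclass
class PasswordCredential:
    key_id: str
    end_date: datetime
    secret_text: str | None = None   # Graph returns secretText only at creation


class VaultClient(Protocol):         # hypothetical adapter over SecretClient
    def list_secrets(self) -> list[VaultSecret]: ...
    def set_secret(self, name: str, value: str, expires_on: datetime,
                   tags: dict[str, str]) -> VaultSecret: ...


class GraphClient(Protocol):         # hypothetical adapter over Graph /applications
    def list_passwords(self, app_object_id: str) -> list[PasswordCredential]: ...
    def add_password(self, app_object_id: str, display_name: str,
                     end_date: datetime) -> PasswordCredential: ...
    def remove_password(self, app_object_id: str, key_id: str) -> None: ...


def needs_rotation(secret: VaultSecret, now: datetime) -> bool:
    return secret.expires_on - now <= ROTATE_BEFORE


def rotate_expiring(vault: VaultClient, graph: GraphClient,
                    now: datetime | None = None) -> dict[str, str]:
    """One scheduled run; returns {secret name: action} for logging/alerting.

    The decision is driven only by the vault's expires_on, so a re-run after a
    successful rotation is a no-op. A run that died between addPassword and
    set_secret cannot recover the lost secretText, so it mints again; the
    orphaned credential is pruned once its own end date passes.
    """
    now = now or datetime.now(timezone.utc)
    actions: dict[str, str] = {}
    for s in vault.list_secrets():
        app_id = s.tags.get("appObjectId")   # assumed tag: only tagged secrets are managed
        if app_id is None:
            continue
        if not needs_rotation(s, now):
            actions[s.name] = "ok"
            continue
        cred = graph.add_password(app_id, f"rotator {now:%Y-%m-%d}", now + NEW_LIFETIME)
        if cred.secret_text is None:
            raise RuntimeError(f"Graph returned no secretText for {app_id}")
        # New Key Vault version carries the Graph keyId so the two can be correlated.
        vault.set_secret(s.name, cred.secret_text, cred.end_date,
                         {**s.tags, "keyId": cred.key_id})
        # The previous credential stays valid until its own expiry, so consumers
        # still holding the old value keep working; only expired ones are removed.
        for old in graph.list_passwords(app_id):
            if old.end_date <= now:
                graph.remove_password(app_id, old.key_id)
        actions[s.name] = "rotated"
    return actions


class InMemoryVault:                 # constructed stand-in, not a real SDK client
    def __init__(self, items: list[VaultSecret]):
        self._secrets = {s.name: s for s in items}

    def list_secrets(self) -> list[VaultSecret]:
        return list(self._secrets.values())

    def set_secret(self, name, value, expires_on, tags) -> VaultSecret:
        self._secrets[name] = VaultSecret(name, value, expires_on, dict(tags))
        return self._secrets[name]


class InMemoryGraph:                 # constructed stand-in, not a real SDK client
    def __init__(self):
        self._apps: dict[str, list[PasswordCredential]] = {}

    def list_passwords(self, app_object_id) -> list[PasswordCredential]:
        return [PasswordCredential(c.key_id, c.end_date)
                for c in self._apps.get(app_object_id, [])]

    def add_password(self, app_object_id, display_name, end_date) -> PasswordCredential:
        c = PasswordCredential(str(uuid.uuid4()), end_date, secrets.token_urlsafe(32))
        self._apps.setdefault(app_object_id, []).append(c)
        return c

    def remove_password(self, app_object_id, key_id) -> None:
        self._apps[app_object_id] = [c for c in self._apps[app_object_id] if c.key_id != key_id]


def demo(now: datetime | None = None):
    """Two consecutive runs over constructed data; the second must be a no-op."""
    now = now or datetime(2025, 1, 1, tzinfo=timezone.utc)
    vault = InMemoryVault([
        VaultSecret("spn-billing", "old", now + timedelta(days=10), {"appObjectId": "app-1"}),
        VaultSecret("spn-reports", "fresh", now + timedelta(days=120), {"appObjectId": "app-2"}),
        VaultSecret("db-password", "unmanaged", now + timedelta(days=1)),   # untagged: ignored
    ])
    graph = InMemoryGraph()
    graph.add_password("app-1", "bootstrap", now + timedelta(days=10))     # credential behind "old"
    graph.add_password("app-1", "stale", now - timedelta(days=1))          # already expired
    return rotate_expiring(vault, graph, now), rotate_expiring(vault, graph, now), vault, graph
```

Running `demo()` rotates `spn-billing`, leaves `spn-reports` alone, ignores the untagged secret, prunes the expired credential on `app-1` while keeping the still-valid bootstrap one for the overlap window, and reports every secret as `ok` on the second pass. The dedicated identity that runs this needs only `Application.ReadWrite.OwnedBy` (or ownership of the specific applications) plus set/list on the vault, which is the "precise permissions" point from the answer above.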
Absolutely! I used PowerShell along with the Azure module, which integrates enough with Entra ID to make this work smoothly. I'm currently running this in an Azure DevOps pipeline, but it can easily be set up in Azure Automation too.

Totally agree! In case that's not feasible, I utilized Bicep for a similar task, which also works great. Here's a [link to my solution](https://github.com/ShpendKe/secret-rotation-local-deploy) if you're interested.