how to regenerate your access keys regularly using PowerShell in Azure. Every storage account comes with two access keys so that you can keep connections alive on one key while regenerating the other.
In this example I rotate a storage account key every 15 minutes, store the current key in a Key Vault, and have a Function App read it from the vault at runtime (through a Key Vault reference in its app settings), so the key never has to be copied into the app itself.
- Create a storage account
- Create a Key Vault
- Create a Function App (with a managed identity (MSI) enabled)
- Create an Automation Account (with an identity that can regenerate storage keys, write Key Vault secrets and update the Function App)
- Add a Key Vault access policy for the Function App's managed identity (its object ID) with Get permission on secrets, so the app can read the key but not list or change secrets
- Install the Az modules (Az.Accounts, Az.Storage, Az.Websites; plus Az.KeyVault if the script uses the Set-AzKeyVaultSecret cmdlet) from the gallery into the Automation Account
- Create a runbook (Rotate-Storage-Keys-and-update-App)
- Copy in the PowerShell script shared in this repo
- Update the variables $ResourceGroupName, $storageAccountName, $storageKeyNameToRotate, $keyvaultname, $webSiteName
- Test that the rotation works: run the runbook once and confirm the Function App still reaches storage after the key it was using has been regenerated
Understand the sequence of the PowerShell script and what it does. The ordering matters: the app is always moved onto the key that is about to be left alone before the other key is regenerated, so there is never a moment when the app depends on a key that has just been invalidated.
- Step 1: store the current secondary key (key2) as a new secret version in the Key Vault
- Step 2: update the app setting to the URI of that new secret version (the app now uses the secondary key)
- Step 3: regenerate the primary key (key1); nothing is using it any more, so nothing breaks
- Step 4: store the new primary key as a new secret version
- Step 5: update the app setting to the URI of that secret version (the app now uses the new primary key)
- Step 6: regenerate the secondary key (key2), which nothing references any more
- Repeat steps 1 to 6 on the next schedule run
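The six steps above as one runbook cycle, written out as an added example for this README (it is not the script shared in the repo, which you should still copy as described). It assumes the Automation Account authenticates with its managed identity, that the storage keys are named key1 and key2 as Azure names them, and that the Function App reads the key from an app setting that holds a Key Vault reference; the resource names, the secret name (storage-key) and the app setting name (STORAGE_KEY) are placeholders to replace with your own.

```powershell
# Added example, not the repository's own script. One full rotation cycle
# following steps 1-6. Names below are placeholders (assumptions).
param(
    [string]$ResourceGroupName  = 'rg-rotation-demo',
    [string]$StorageAccountName = 'strotationdemo',
    [string]$KeyVaultName       = 'kv-rotation-demo',
    [string]$WebSiteName        = 'func-rotation-demo',
    [string]$SecretName         = 'storage-key',   # Key Vault secret that holds the live key
    [string]$AppSettingName     = 'STORAGE_KEY'    # app setting the Function App reads
)

$ErrorActionPreference = 'Stop'

# Sign in with the Automation Account's managed identity (assumption: the repo
# may authenticate differently).
Connect-AzAccount -Identity | Out-Null

# Read the current value of one of the two account keys (key1 or key2).
function Get-StorageKeyValue([string]$KeyName) {
    (Get-AzStorageAccountKey -ResourceGroupName $ResourceGroupName -Name $StorageAccountName |
        Where-Object KeyName -eq $KeyName).Value
}

# Store a key as a new secret version and point the app at exactly that version.
# Returns the versioned secret URI that was written into the app setting.
function Publish-KeyToApp([string]$KeyValue) {
    $secret = Set-AzKeyVaultSecret -VaultName $KeyVaultName -Name $SecretName `
        -SecretValue (ConvertTo-SecureString $KeyValue -AsPlainText -Force)

    # Set-AzWebApp -AppSettings replaces the whole collection, so carry the
    # existing settings over instead of silently wiping them.
    $app      = Get-AzWebApp -ResourceGroupName $ResourceGroupName -Name $WebSiteName
    $settings = @{}
    foreach ($s in $app.SiteConfig.AppSettings) { $settings[$s.Name] = $s.Value }
    $settings[$AppSettingName] = "@Microsoft.KeyVault(SecretUri=$($secret.Id))"
    Set-AzWebApp -ResourceGroupName $ResourceGroupName -Name $WebSiteName -AppSettings $settings | Out-Null

    return $secret.Id
}

# Steps 1-2: move the app onto key2 so key1 can be regenerated safely.
$null = Publish-KeyToApp -KeyValue (Get-StorageKeyValue 'key2')

# Step 3: regenerate key1. Anything still holding the old key1 is cut off here.
New-AzStorageAccountKey -ResourceGroupName $ResourceGroupName -Name $StorageAccountName -KeyName 'key1' | Out-Null

# Steps 4-5: move the app onto the freshly generated key1.
$null = Publish-KeyToApp -KeyValue (Get-StorageKeyValue 'key1')

# Step 6: regenerate key2, which nothing references any more.
New-AzStorageAccountKey -ResourceGroupName $ResourceGroupName -Name $StorageAccountName -KeyName 'key2' | Out-Null
```

Two things to check before relying on this in production. First, an app setting change is not instantaneous: the Function App has to restart and resolve the new Key Vault reference, so if you see failures right after step 3 or step 6, add a wait or a health check between updating the setting and regenerating the key it replaces. Second, the versioned secret URI is deliberate: pointing the app at a specific version means the rotation run, not the app, decides when the switch happens, and an old version can be disabled once nothing uses it.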