Azure Key Vault: Rotation Policies

Static, long-lived secrets are a risk: key rotation limits the blast radius of a leak. Azure Key Vault now supports automated rotation policies for encryption keys, but for secrets (e.g., SQL passwords) the rotation logic has to be built, typically as an Event Grid-triggered Azure Function.

The Rotation Logic (Azure Functions)

```mermaid
sequenceDiagram
    participant Timer as Event Grid (Expiry)
    participant Func as Rotation Function
    participant KV as Key Vault
    participant SQL as SQL Server

    Timer->>Func: Trigger (Secret Near Expiry)
    Func->>KV: Generate New Password
    Func->>SQL: ALTER LOGIN ... WITH PASSWORD
    Func->>KV: Update Secret Version
```

Key Takeaways

  • Use **Managed Identity** so the rotation function itself needs no secrets.
  • Implement the “Dual-Secret” pattern (Active/Passive) so apps don’t break during rotation.
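The rotation step from the sequence diagram, carried through with the Dual-Secret (Active/Passive) pattern, as an added example that is not the post's own code. It alternates between two SQL logins so the previous secret version keeps working until the next rotation. The secret name, the two login names, the `login` tag and the in-memory `FakeKeyVault`/`FakeSql` stand-ins are assumptions; in a real function `kv` would be `SecretClient(vault_url, DefaultAzureCredential())` (Managed Identity) and `sql` a database cursor.

```python
import secrets
import string
from datetime import datetime, timedelta, timezone

SECRET_NAME = "sql-app-password"          # constructed secret name
LOGINS = ("app_user_a", "app_user_b")     # assumed pair of SQL logins we alternate between

def new_password(length: int = 32) -> str:
    """CSPRNG password; the alphabet deliberately excludes quotes and brackets."""
    alphabet = string.ascii_letters + string.digits + "!#%^*-_=+"
    return "".join(secrets.choice(alphabet) for _ in range(length))

def rotate(event: dict, kv, sql, ttl_days: int = 30) -> str:
    """Handle a Microsoft.KeyVault.SecretNearExpiry event; return the new secret version.
    The secret's 'login' tag (assumed) records which SQL login is active. We reset the
    *other* login and publish it, so the previous version stays valid as the passive one."""
    if event.get("eventType") != "Microsoft.KeyVault.SecretNearExpiry":
        raise ValueError("not a SecretNearExpiry event")
    name = event["data"]["ObjectName"]
    current = kv.get_secret(name)
    active = current.properties.tags.get("login", LOGINS[1])
    nxt = LOGINS[0] if active == LOGINS[1] else LOGINS[1]
    pwd = new_password()
    # Change SQL first, then Key Vault: KV must never advertise a password SQL rejects.
    # Login names come from the fixed allowlist above, so only the password is escaped.
    escaped = pwd.replace("'", "''")
    sql.execute(f"ALTER LOGIN [{nxt}] WITH PASSWORD = N'{escaped}'")
    expires = datetime.now(timezone.utc) + timedelta(days=ttl_days)
    return kv.set_secret(name, pwd, tags={"login": nxt}, expires_on=expires).properties.version

# --- In-memory stand-ins mirroring the SecretClient / KeyVaultSecret shape used above ---
class _Props:
    def __init__(self, version, tags, expires_on):
        self.version, self.tags, self.expires_on = version, tags, expires_on

class FakeSecret:
    def __init__(self, value, props):
        self.value, self.properties = value, props

class FakeKeyVault:
    def __init__(self): self.versions = {}          # name -> list of versions (oldest first)
    def get_secret(self, name): return self.versions[name][-1]
    def set_secret(self, name, value, *, tags=None, expires_on=None):
        hist = self.versions.setdefault(name, [])
        hist.append(FakeSecret(value, _Props(str(len(hist) + 1), dict(tags or {}), expires_on)))
        return hist[-1]

class FakeSql:
    def __init__(self): self.statements = []
    def execute(self, stmt): self.statements.append(stmt)

SAMPLE_EVENT = {"eventType": "Microsoft.KeyVault.SecretNearExpiry",   # constructed event
                "data": {"VaultName": "kv-example", "ObjectType": "Secret", "ObjectName": SECRET_NAME}}

def demo():
    kv, sql = FakeKeyVault(), FakeSql()
    kv.set_secret(SECRET_NAME, "old-password", tags={"login": "app_user_a"})  # seeded state
    return kv, sql, rotate(SAMPLE_EVENT, kv, sql)
```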
