1. Packages
  2. Azure Native
  3. How-to Guides
  4. Automate the rotation of a secret for resources that use one set of authentication credentials
This is the latest version of Azure Native. Use the Azure Native v1 docs if using the v1 version of this package.
Azure Native v2.73.0 published on Wednesday, Nov 20, 2024 by Pulumi

Automate the rotation of a secret for resources that use one set of authentication credentials

azure-native logo
This is the latest version of Azure Native. Use the Azure Native v1 docs if using the v1 version of this package.
Azure Native v2.73.0 published on Wednesday, Nov 20, 2024 by Pulumi

    View Code Deploy this example with Pulumi

    Modeled after Microsoft ARM documentation

    This example demonstrates using a managed identity with Azure App Service to access Azure KeyVault, Azure Storage, and Azure SQL Database without passwords or secrets.

    The application consists of several parts:

    • A SQL Server to rotate credendials
    • A KeyVault that stores the credentials of the SQL Server
    • A KeyVault that is only accessible to the WebApp and Function (through Managed Identity)
    • An Azure Function that generates a new secret and sets it in SQL Server and Key Vault
    • An Azure WebApp that shows that the secret is changing and still accessible
    • An EventGrid subscription to receive SecretNearExpiry events from KeyVault and, in turn, call the Azure Function

    IMPORTANT: For example purposes, new secrets are continually generated. Make sure to change the validityPeriod or destory the stack when you are done.

    Deploying the App

    To deploy your infrastructure, follow the below steps.

    Prerequisites

    1. Install Pulumi
    2. Install .NET Core 3.1+

    Steps

    1. Create a new stack:

      $ pulumi stack init dev
      
    2. Login to Azure CLI (you will be prompted to do this during deployment if you forget this step):

      $ az login
      
    3. Build and publish the ASP.NET Core project:

      $ dotnet publish webapp
      
    4. Set the Azure region location to use:

      $ pulumi config set azure-native:location westus2
      
    5. Run pulumi up to preview and deploy changes:

      $ pulumi up
      
    6. Check the deployed website endpoint:

      $ pulumi stack output WebAppEndpoint
      https://app129968b8.azurewebsites.net/
      $ Start-Process "$(pulumi stack output WebAppEndpoint)"
      
    7. From there, feel free to experiment. Simply making edits and running pulumi up will incrementally update your stack.

    8. Once you’ve finished experimenting, tear down your stack’s resources by destroying and removing it:

      $ pulumi destroy --yes
      $ pulumi stack rm --yes
      
    azure-native logo
    This is the latest version of Azure Native. Use the Azure Native v1 docs if using the v1 version of this package.
    Azure Native v2.73.0 published on Wednesday, Nov 20, 2024 by Pulumi