Hi,
Is there any guideline or command to rotate the service principal key for the server application secret? There is 'az aks update-credentials', but as far as I understand it this is only for the key rotation for the Azure Resource Manager API access.
Thanks for the question! We are investigating and will update you shortly.
@maxilampert great question! I am not aware of any documentation we have on this. You can obviously refresh the service principal keys but I am not sure if that would apply to the cluster automatically or if you have to actually update it.
@iainfoulds any feedback on this?
Not specific to AKS (you're right in that az aks update-credentials is only for the SP used by the AKS cluster), but az ad app credential reset should do what you want at the Azure AD app level - https://docs.microsoft.com/en-us/cli/azure/ad/app/credential#az-ad-app-credential-reset
@iainfoulds Yes, that's right, but if I just reset the credentials at the AAD level, that will not update it on AKS, which would then mean that authentication will no longer work, right?
So what is the solution to update the credentials on the AKS level?
Not sure if the AKS cluster can be directly updated to include newer Azure AD app credentials, at least not through the Azure CLI or portal. There's ongoing engineering work to improve the Azure AD integration, so including @palma21 who may be able to give some additional insight or say if there's any current workaround.
Hi,
@maxilampert you can reset the AAD credentials for an AAD-enabled cluster using an analogous process as for the Service Principal.
E.g. with the CLI:
az aks update-credentials -n <aks_name> -g <aks_rg> --reset-aad --aad-server-app-id <Server App ID> --aad-server-app-secret <Server App Secret> --aad-client-app-id <Client App ID> --aad-tenant-id <AAD Tenant ID>
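Putting the two commands from this thread together (reset the secret on the AAD server app with `az ad app credential reset`, then push it to the cluster with `az aks update-credentials --reset-aad`) as one ordered rotation, so the cluster is never left with a secret AAD no longer accepts. This is an added shell example, not code from the thread; the function names and positional parameters are assumptions, and it assumes the `password` field of the credential-reset JSON output carries the new secret.

```shell
#!/bin/sh
# Rotate the Azure AD server application secret of an AAD-enabled AKS cluster.
# Added example: function names and argument order are assumptions.
set -eu

# Step 1: reset the secret on the AAD server app and return the new value.
# az prints JSON; the 'password' field holds the new secret (assumption).
reset_server_app_secret() {
  server_app_id="$1"
  az ad app credential reset --id "$server_app_id" --query password -o tsv
}

# Step 2: hand the new secret to the cluster with --reset-aad so that
# API-server authentication keeps working once the old secret is gone.
update_aks_aad_credentials() {
  aks_name="$1"; aks_rg="$2"; server_app_id="$3"; server_app_secret="$4"
  client_app_id="$5"; tenant_id="$6"
  az aks update-credentials -n "$aks_name" -g "$aks_rg" --reset-aad \
    --aad-server-app-id "$server_app_id" \
    --aad-server-app-secret "$server_app_secret" \
    --aad-client-app-id "$client_app_id" \
    --aad-tenant-id "$tenant_id"
}

# Run both steps in order. The secret travels only through a shell variable
# and is never echoed or written to disk. Returns non-zero (and does not
# touch the cluster) if the reset produced no secret.
rotate_aks_aad_secret() {
  aks_name="$1"; aks_rg="$2"; server_app_id="$3"; client_app_id="$4"; tenant_id="$5"
  new_secret="$(reset_server_app_secret "$server_app_id")"
  if [ -z "$new_secret" ]; then
    echo "credential reset returned no secret; cluster left unchanged" >&2
    return 1
  fi
  update_aks_aad_credentials "$aks_name" "$aks_rg" "$server_app_id" \
    "$new_secret" "$client_app_id" "$tenant_id"
}

# Only act when invoked directly with all five arguments, e.g.:
#   sh rotate-aad.sh <aks_name> <aks_rg> <server_app_id> <client_app_id> <tenant_id>
if [ "$#" -eq 5 ]; then
  rotate_aks_aad_secret "$@"
fi
```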
Thanks, @palma21!
Thanks all!
@iainfoulds is this something you think we should include in this doc? Else I will close it out.
@MicahMcKittrick-MSFT Let's close out this one, please. I'll add it into the doc on updating credentials, based on https://github.com/MicrosoftDocs/azure-docs/issues/29673 that I followed up with offline and was essentially a duplicate of this. I'll add a link to that update credential doc from this doc on configuring the Azure AD integration.