The article and approach look to be exactly what we need, but this line confuses me:
"_This tutorial shows how to automate the periodic rotation of secrets for databases and services that use two sets of authentication credentials._"
It seems to be saying that this approach is only a valid approach when you are currently using "two sets of authentication credentials". What is meant by "two sets of authentication credentials"?
@munkii
Thanks for your feedback! We will investigate and update as appropriate.
@munkii
Thank you for the post!
The term "two sets of authentication credentials" is referring to services which require more than one authentication credential, such as a storage account connection string with access key, or cases where a password is used instead of an access key.

If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.
@munkii - i.e. Storage, EventHub, ServiceBus support primary/secondary access keys and the pattern described would work for any of those, or even SQL with 2 username/password sets. In that case rotation alternates between two access keys in each rotation cycle and supports zero-downtime rotation.
There are third-party services, i.e. Twitter, which has only one password/username per account possible, so there is another tutorial for that scenario. In that case there is a downtime possible between rotation and client application refresh.
Thanks for replying. I really think the docs could do with a version of this explanation. From @JamesTran-MSFT's reply: "services which require more than one authentication credential, such as a storage account connection string with access key". That doesn't sound like two sets of "authentication credentials" to me.
However, when I read @jlichwa's reply "alternates between two access keys in each rotation cycle" it makes me think you are referring to the fact that storage accounts have a "key1" and "key2" and that it is those TWO keys that make this TWO sets of authentication credentials.
Is that a correct understanding? Account Name plus "key1" is the first authentication credential set and Account Name plus "key2" is the second authentication credential set?
I have some other questions around understanding this approach and I created a Stack Overflow question to try and get them answered, Managing the rotation of Azure storage account keys with Azure Function and Key Vault, rather than creating a GitHub issue, as that seemed like the right place. I'd appreciate any input you could give.
@munkii correct 2 keys means two different credentials available to connect. You can also use connection string with key1 or key2 - which also translates to 2 sets of credentials to connect to Storage. The pattern needs 2 to alternate between during rotation cycle and provide enough time between cycles for application to refresh it locally.
I will continue discussion on Stack Overflow and answer any questions you may have. I wrote those functions and we are planning deeper integration with Key Vault for rotation secrets across different services, so any feedback is welcomed.
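The alternating-key pattern discussed in this thread, as an added simulation (not code from the tutorial or from any participant): it shows why a client holding a cached credential keeps working through one rotation cycle and only breaks if it misses two. `DualKeyService`, `Vault`, `rotate` and `cached_key_survives` are hypothetical in-memory stand-ins, not Azure APIs.

```python
import secrets


class DualKeyService:
    """Constructed stand-in for a service with two access keys (key1/key2)."""

    def __init__(self):
        self.keys = {"key1": secrets.token_hex(16), "key2": secrets.token_hex(16)}

    def regenerate(self, name):
        # Regenerating a key invalidates its previous value immediately.
        self.keys[name] = secrets.token_hex(16)
        return self.keys[name]

    def authenticate(self, key):
        # Either key is accepted, which is what makes the overlap possible.
        return any(secrets.compare_digest(key, k) for k in self.keys.values())


class Vault:
    """Constructed stand-in for the secret store: the value plus which key it is."""

    def __init__(self, service):
        self.key_name, self.value = "key1", service.keys["key1"]


def rotate(service, vault):
    """One rotation cycle: regenerate the key NOT in the vault, then publish it."""
    alternate = "key2" if vault.key_name == "key1" else "key1"
    vault.value = service.regenerate(alternate)
    vault.key_name = alternate
    return alternate


def cached_key_survives(cycles_without_refresh):
    """Does a client's cached secret still authenticate after N missed rotations?"""
    service = DualKeyService()
    vault = Vault(service)
    cached = vault.value  # client reads the secret once and caches it
    for _ in range(cycles_without_refresh):
        rotate(service, vault)
    return service.authenticate(cached)


if __name__ == "__main__":
    for n in range(3):
        print(f"missed rotations: {n} -> cached key valid: {cached_key_survives(n)}")
```

The practical consequence is that the rotation interval must be longer than the slowest client's refresh interval, since the cached key is revoked on the second cycle.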