It’s that time of year again, time for Azure Spring Clean.
Firstly a big thanks and a shout out to the event organizers Joe Carlyle and Thomas Thornton for featuring my contribution on this years Azure Spring Clean 2022.
Live Recording
See the following youtube video for a live demo recording of my talk.
Overview
Welcome to part 2 of my series on automating password rotation. A few months ago I published a tutorial on how to automate password rotation using a GitHub Action workflow and an Azure key vault. Due to the popularity of that post I decided to create a public GitHub Action on the GitHub Actions marketplace for anyone to use in their own environments.
In this second part of the series I will discuss how to make use of the public marketplace action. For a full in depth understanding on the concepts I am using I would recommend going through Part 1 first.
Link to GitHub Action on the public marketplace: Rotate AZURE Virtual Machine Passwords.
Link to my public GitHub repository hosting this action: GitHub Repository.
Concept
This Action will connect to a provided AZURE key vault as input and will loop through each secret key (server name). For each server, automatically generate a random unique password (default 24char), set that password against the VM and save the password value against the relevant secret key in the key vault. This will allow you to automate, maintain and manage all your server passwords from a centrally managed key vault in AZURE by only giving relevant access when required by anyone via key vault permissions.
- The Azure key vault must be pre-populated with
Secret Keys, where eachkeyrepresents a server name:
You can use the AzurePreReqs script to create a key vault, generate a GitHub Secret to use as AZURE_CREDENTIALS and sets relevant RBAC access on the key vault, Key Vault Officer, as well as Virtual Machine Contributor over virtual machines in the Azure subscription.
See Part 1 of this series on setting up the Azure key vault and GitHub Secret Credential (if needed).
GitHub Action Inputs
| Inputs | Required | Description | Default |
|---|---|---|---|
| key-vault-name | True | Name of the Azure key vault pre-populated with secret name keys representing server names hosted in Azure. | N/A |
| password-length | False | The amount of characters in the password. | 24 |
INSTALLATION
Copy and paste the following snippet into your .yml file.
- name: Rotate VMs administrator passwords
uses: Pwd9000-ML/azure-vm-password-rotate@v1.1.0
with:
key-vault-name: ${{ env.KEY_VAULT_NAME }}
password-length: 24 ##Optional configuration
Example Usage
Here is a link to an example workflow file
Example - Rotate VM Passwords every monday at 09:00 UTC
name: Update Azure VM passwords
on:
workflow_dispatch:
schedule:
- cron: '0 9 * * 1' ##Runs at 9AM UTC every Monday##
jobs:
publish:
runs-on: windows-latest
env:
KEY_VAULT_NAME: 'your-key-vault-name'
steps:
- name: Check out repository
uses: actions/checkout@v3.6.0
- name: Log into Azure using github secret AZURE_CREDENTIALS
uses: Azure/login@v1
with:
creds: ${{ secrets.AZURE_CREDENTIALS }}
enable-AzPSSession: true
- name: Rotate VMs administrator passwords
uses: Pwd9000-ML/azure-vm-password-rotate@v1.1.0
with:
key-vault-name: ${{ env.KEY_VAULT_NAME }}
Notes
As per the example above, you also need a GitHub Secret
AZURE_CREDENTIALSto log into Azure using Action:Azure/login@v1You can use the AzurePreReqs script to create a key vault, generate a GitHub Secret to use as
AZURE_CREDENTIALSand sets relevant RBAC access on the key vault,Key Vault Officer, as well asVirtual Machine Contributorover virtual machines in the Azure subscription.Passwords will only be rotated for
secrets/namesof servers populated in the key vault assecretkeys. Only virtual machines that are in arunningstate will have their passwords rotated:
- Servers will be skipped if they are not running:
- If a server does not exist or the GitHub Secret
AZURE_CREDENTIALSdoes not have access over the Virtual Machine a warning is issued of 'VM NOT found':
- DO NOT populate the key vault with servers that act as Domain Controllers.
Versions of runner that can be used
As of release v1.1.0; Support for linux and windows runner types now available.
| Environment | YAML Label |
|---|---|
| Windows Server 2022 | windows-2022 |
| Windows Server 2019 |
windows-latest or windows-2019
|
| Windows Server 2016 (deprecated ) | windows-2016 |
| Ubuntu 20.04 |
ubuntu-latest or ubuntu-20.04
|
| Ubuntu 18.04 | ubuntu-18.04 |
I hope you have enjoyed this post and have learned something new. You can also find the code samples used in this blog post on my published GitHub Action page. ❤️
Author
Like, share, follow me on: 🐙 GitHub | 🐧 X/Twitter | 👾 LinkedIn
Top comments (0)