Managing Azure Secrets
This section describes how to manage Azure Secrets on CCKM. Before proceeding, you must have an Azure key vault added to CCKM. Refer to Managing Azure Vaults for details.
Adding Azure Secrets
To add an Azure Secret:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > Azure.
Click the Secrets tab, then click Add Secret. The Add Secret wizard is displayed.
Enter Secret Name.
Enter Secret Value.
Select the desired Vault from the drop-down list. Vaults in Azure Managed HSM pools are not supported for secrets.
Enter Content Type.
(Optional) Set the secret activation and expiration dates.
Select the Set Activation Date check box and from the on-screen calendar, select the date and time to activate the secret.
Select the Set Expiration Date check box and from the on-screen calendar, select the secret expiration date and time.
(Optional) Enter Tags. A tag is a label assigned to the secret that consists of a user-defined key and a value.
To add a tag:
Specify a tag name.
Specify the tag value.
CCKM allows the following characters in tag values:
Alphanumeric characters
Special characters: ! @ # $ % ) ( { } > < ? + - / \ [ ] ^ & = | ~ ` , ; . ' " _
CCKM does not allow the colon (:) in tag values.
Click the + button.
Similarly, you can add more tags. To remove a tag, click the close (X) icon in the tag name.
Click Save.
Viewing Azure Secrets
Search for Azure Secrets by Secret Name.
CCKM does not allow searching for secrets:
By tag values that contain a colon (:)
By a "secret:value" pair that contains any of these characters: \ , : " %
To view an Azure secret:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > Azure.
Click the Secrets tab. The list of available Azure secrets is displayed. The Azure Secrets tab displays the following details:
Secret Name: Unique, user-friendly alias of the secret. Useful when searching for a specific secret.
Version ID: Current version of the secret. Click the expand icon corresponding to a secret to view its versions.
Status: State of the secret. The status can be:
• Available
• Soft Deleted
• Deleted
Cloud: Name of the cloud.
Creation Date: Date and time when the secret was created.
Expiry Date: Date and time when the secret will expire.
Key Vault: Name of the Azure key vault.
Region: Azure region where the secret is created. Click the filter icon to view the list of supported Azure regions.
Some secrets may be displayed grayed out. This happens when CCKM can no longer access them in Azure, for example when:
The cloud permissions on the secrets are changed, so the secrets are no longer accessible through the Azure connection.
The connection is changed in KMS and the new connection does not have permission to access the secrets.
Refreshing Azure Secrets
Refreshing is the process of importing secrets that exist in the Azure key vaults into CCKM. Secrets from all key vaults are refreshed at once.
To refresh secrets:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > Azure.
Click the Secrets tab. The list of available Azure secrets is displayed.
Click Refresh. A confirmation is displayed: "This may take a while... Refresh is a time intensive operation that could take several hours or days to complete. It will continue running in the background. Do you want to continue?"
Click Refresh to continue.
A message Refresh started... is displayed on the screen. The refreshed secrets are listed on the Cloud Keys > Azure > Secrets tab.
To cancel the refresh:
Click Cancel Refresh. The Cancel Refresh? dialog is displayed: "The action will terminate all currently active refresh operations. All progress will be lost and this action cannot be undone. Do you want to proceed to cancel refresh or cancel this action?"
Click Cancel Refresh.
A message Refresh cancelled successfully is displayed on the screen. The next Refresh starts from scratch.
Rotating Secrets (Add Version)
Note
To rotate Azure Secrets, CCKM Users require Add Secret and Upload Secret permissions.
To rotate a secret:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > Azure.
Click the Secrets tab. The list of available Azure secrets is displayed.
Click the overflow icon corresponding to the desired alias and click Rotate Now (Add Version). The Add New Version screen is displayed.
Enter Secret Value.
Select the desired Vault from the drop-down list.
Enter Content Type.
(Optional) Set the secret activation and expiration dates.
Select the Set Activation Date check box and from the on-screen calendar, select the date and time to activate the secret.
Select the Set Expiration Date check box and from the on-screen calendar, select the secret expiration date and time.
(Optional) Enter Tags. A tag is a label assigned to the secret that consists of a user-defined key and a value.
To add a tag:
Specify a tag name.
Specify the tag value.
CCKM allows the following characters in tag values:
Alphanumeric characters
Special characters: ! @ # $ % ) ( { } > < ? + - / \ [ ] ^ & = | ~ ` , ; . ' " _
CCKM does not allow the colon (:) in tag values.
Click the + button.
Similarly, you can add more tags. To remove a tag, click the close (X) icon in the tag name.
Click Save.
A message Secret successfully rotated is displayed on the screen. Navigate to Cloud Keys > Azure > View/Edit > Versions to view the versions of the rotated Azure secret.
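When secrets are created or rotated by a script rather than through the wizard, it is worth rejecting a bad request before it reaches CCKM. The following Python is an added example, not CCKM's own code or API: it encodes the tag-value alphabet and the activation/expiration ordering stated for both Add Secret and Rotate Now (Add Version) above, plus the characters that cannot be used in a "secret:value" search under Viewing Azure Secrets. The function names, the sample requests and the treatment of the space character (not in the page's list, so rejected here) are assumptions.

```python
"""Pre-flight validation for CCKM Add Secret / Add New Version requests.

Added example, not CCKM code. It applies the tag-value and date rules stated
on this page so that scripted submissions fail early. Names are assumptions.
"""
from __future__ import annotations

import string
from datetime import datetime, timedelta, timezone

# Tag-value alphabet from the page: alphanumerics plus these special characters.
# The colon is explicitly excluded. Space is not listed, so it is rejected too;
# relax that if your CCKM version accepts it.
_ALLOWED_SPECIAL = set("!@#$%)({}><?+-/\\[]^&=|~`,;.'\"_")
_ALLOWED_TAG_CHARS = set(string.ascii_letters + string.digits) | _ALLOWED_SPECIAL

# Characters the page says cannot be used in a "secret:value" search.
_UNSEARCHABLE = set('\\,:"%')


def tag_value_errors(value: str) -> list[str]:
    """Return the rule violations for one tag value ([] if it is acceptable)."""
    errors: list[str] = []
    if ":" in value:
        errors.append("colon (:) is not allowed in tag values")
    bad = sorted(set(value) - _ALLOWED_TAG_CHARS - {":"})
    if bad:
        errors.append("characters not allowed in tag values: " + repr("".join(bad)))
    return errors


def search_term_ok(term: str) -> bool:
    """True if a secret:value search term avoids the characters CCKM rejects."""
    return not (set(term) & _UNSEARCHABLE)


def validate_secret_request(
    name: str,
    value: str,
    content_type: str,
    tags: dict[str, str],
    activation: datetime | None = None,
    expiration: datetime | None = None,
    now: datetime | None = None,
) -> list[str]:
    """Collect every problem with an Add Secret / Add New Version request.

    Returns [] when the request is acceptable. `now` is injectable so the
    check is deterministic; it defaults to the current UTC time.
    """
    now = now or datetime.now(timezone.utc)
    errors: list[str] = []
    if not name.strip():
        errors.append("secret name is required")
    if not value:
        errors.append("secret value is required")
    if not content_type.strip():
        errors.append("content type is required")
    for tag_name, tag_value in tags.items():
        if not tag_name.strip():
            errors.append("tag name must not be empty")
        errors.extend(f"tag {tag_name!r}: {e}" for e in tag_value_errors(tag_value))
    for label, ts in (("activation", activation), ("expiration", expiration)):
        if ts is not None and ts.tzinfo is None:
            errors.append(f"{label} date must be timezone-aware")
    if activation and expiration and activation.tzinfo and expiration.tzinfo:
        if expiration <= activation:
            errors.append("expiration date must be after activation date")
    if expiration is not None and expiration.tzinfo and expiration <= now:
        errors.append("expiration date is already in the past")
    return errors


def demo() -> dict[str, list[str]]:
    """Run the validator over three constructed requests (sample data, not real secrets)."""
    base = datetime(2024, 1, 1, tzinfo=timezone.utc)
    good = validate_secret_request(
        "db-password", "s3cr3t-value", "text/plain",
        {"env": "prod", "owner": "payments_team"},
        activation=base, expiration=base + timedelta(days=90), now=base)
    bad_tag = validate_secret_request(
        "db-password", "s3cr3t-value", "text/plain",
        {"owner": "team:payments"}, now=base)
    bad_dates = validate_secret_request(
        "db-password", "s3cr3t-value", "text/plain", {},
        activation=base + timedelta(days=90), expiration=base, now=base)
    return {"good": good, "bad_tag": bad_tag, "bad_dates": bad_dates}


if __name__ == "__main__":
    for label, errs in demo().items():
        print(label, "->", errs or "ok")
```

The validator returns every violation at once rather than stopping at the first, which is what you want when the input comes from a CI job or a rotation pipeline: one failed run shows the whole fix.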
Soft-Deleting Azure Secrets
Soft deleting marks an Azure secret as deleted in both the Azure vault and CCKM without destroying it. Azure retains the soft-deleted secret for the vault's retention period, and CCKM continues to list it with the SOFT-DELETED status, so the secret can be recovered.
Note
This operation can be performed only on Azure secrets residing in key vaults with soft delete enabled.
To soft-delete an Azure secret:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > Azure.
Click the Secrets tab. The list of available Azure secrets is displayed.
Click the overflow icon corresponding to the desired alias and click Soft Delete. The Confirm Soft Delete dialog box is displayed.
Click Soft Delete.
A message Secret <secret name> soft-deleted is displayed on the screen. The status of the secret changes to SOFT-DELETED.
Recovering Soft-Deleted Azure Secrets
If needed, you can recover a soft-deleted secret.
To recover a soft-deleted Azure secret:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > Azure.
Click the Secrets tab. The list of available Azure secrets is displayed.
Click the overflow icon corresponding to the desired alias and click Recover. The Confirm Recover Secret dialog box is displayed.
Click Recover.
A message Secret <secret name> recovered from soft-delete is displayed on the screen. The status of the secret changes to AVAILABLE.
Purging Azure Secrets
Purging permanently deletes a soft-deleted Azure secret from the Azure vault. CCKM keeps a backup of the purged secret, which can later be restored to a key vault; refer to Restoring Backup for the steps. If the Azure key vault has purge protection enabled, Azure rejects the purge until the vault's retention period has elapsed.
Note
This operation can be performed only on soft-deleted Azure secrets residing in key vaults with soft delete enabled.
To purge an Azure secret:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > Azure.
Click the Secrets tab. The list of available Azure secrets is displayed.
Click the overflow icon corresponding to the desired alias and click Purge. The Purge Azure secret dialog box is displayed.
Select the I wish to purge this secret. check box.
Click Purge Secret.
Purging a secret might take some time. After successful deletion, a message Secret <secret name> hard deleted is displayed on the screen. The status of the secret changes to DELETED.
If needed, you can restore a purged secret from its backup. Refer to Restoring Backup for details.
Restoring Backup
To restore a purged Azure secret:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > Azure.
Click the Secrets tab. The list of available Azure secrets is displayed.
Click the overflow icon corresponding to the desired alias and click Restore. The Confirm Restore secret dialog box is displayed.
Select the desired secret vault from the Select Vault drop-down list.
Note
Restoration to a vault in a different region is not allowed. Select a vault in the same region as the vault from which the secret was purged.
Click Restore Secret.
A message Secret <secret name> restored is displayed on the screen. The secret is restored to the selected key vault. The secret status changes to AVAILABLE.
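Soft delete, recover, purge and restore together form a small state machine with the preconditions stated in the sections above. The following Python is an added example, not CCKM code: it models the transitions AVAILABLE to SOFT-DELETED to DELETED and back, refuses soft delete and purge on a vault without soft delete enabled, refuses purge of anything but a soft-deleted secret, refuses a cross-region restore, and keeps a per-secret history of transitions of the kind an audit would ask for. The vault names, regions and the point at which the backup is captured are assumptions.

```python
"""Secret lifecycle as CCKM presents it: AVAILABLE, SOFT-DELETED, DELETED.

Added example, not CCKM code. Vault and secret records are constructed
inline; names, regions and the backup timing are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass, field

AVAILABLE, SOFT_DELETED, DELETED = "AVAILABLE", "SOFT-DELETED", "DELETED"


class LifecycleError(Exception):
    """Raised when an operation violates one of the preconditions on this page."""


@dataclass
class Vault:
    name: str
    region: str
    soft_delete_enabled: bool


@dataclass
class Secret:
    name: str
    vault: Vault
    status: str = AVAILABLE
    backup: dict | None = None                       # snapshot restorable after a purge
    history: list[tuple[str, str]] = field(default_factory=list)

    def _transition(self, action: str, new_status: str) -> None:
        self.status = new_status
        self.history.append((action, new_status))


def soft_delete(s: Secret) -> None:
    """Mark the secret deleted; allowed only in a soft-delete-enabled vault."""
    if not s.vault.soft_delete_enabled:
        raise LifecycleError(f"{s.vault.name} does not have soft delete enabled")
    if s.status != AVAILABLE:
        raise LifecycleError(f"{s.name} is {s.status}, only AVAILABLE secrets can be soft-deleted")
    s._transition("soft_delete", SOFT_DELETED)


def recover(s: Secret) -> None:
    """Undo a soft delete."""
    if s.status != SOFT_DELETED:
        raise LifecycleError(f"{s.name} is {s.status}, only SOFT-DELETED secrets can be recovered")
    s._transition("recover", AVAILABLE)


def purge(s: Secret) -> None:
    """Permanently remove a soft-deleted secret from the vault, keeping a backup."""
    if not s.vault.soft_delete_enabled:
        raise LifecycleError(f"{s.vault.name} does not have soft delete enabled")
    if s.status != SOFT_DELETED:
        raise LifecycleError(f"{s.name} is {s.status}, only SOFT-DELETED secrets can be purged")
    # Assumption: the backup that Restore later uses is captured before the vault
    # copy is destroyed. Only metadata is snapshotted in this model.
    s.backup = {"name": s.name, "vault": s.vault.name, "region": s.vault.region}
    s._transition("purge", DELETED)


def restore(s: Secret, target: Vault) -> None:
    """Restore a purged secret from its backup into a same-region vault."""
    if s.status != DELETED or s.backup is None:
        raise LifecycleError(f"{s.name} is {s.status}, only purged secrets with a backup can be restored")
    if target.region != s.backup["region"]:
        raise LifecycleError(
            f"restore to {target.name} refused: region {target.region} differs from {s.backup['region']}")
    s.vault = target
    s._transition("restore", AVAILABLE)


def demo() -> dict:
    """Walk one secret through the full lifecycle and probe the refused transitions."""
    eu = Vault("kv-payments-eu", "westeurope", soft_delete_enabled=True)
    eu_dr = Vault("kv-payments-eu-dr", "westeurope", soft_delete_enabled=True)
    us = Vault("kv-payments-us", "eastus", soft_delete_enabled=True)
    legacy = Vault("kv-legacy", "westeurope", soft_delete_enabled=False)

    s = Secret("db-password", eu)
    soft_delete(s)
    recover(s)
    soft_delete(s)
    purge(s)
    try:
        restore(s, us)                        # wrong region: must be refused
        cross_region = None
    except LifecycleError as e:
        cross_region = str(e)
    restore(s, eu_dr)                         # same region: allowed

    fresh = Secret("api-key", eu)
    try:
        purge(fresh)                          # never soft-deleted: must be refused
        purge_available = None
    except LifecycleError as e:
        purge_available = str(e)

    old = Secret("old-password", legacy)
    try:
        soft_delete(old)                      # vault without soft delete: must be refused
        legacy_error = None
    except LifecycleError as e:
        legacy_error = str(e)

    return {"history": s.history, "vault": s.vault.name, "cross_region": cross_region,
            "purge_available": purge_available, "legacy": legacy_error}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "->", v)
```

A refused transition leaves the record untouched, so a failed cross-region restore still shows the secret as DELETED and the subsequent same-region restore succeeds; the history list is what you would compare against CCKM's own audit trail when reconstructing who deleted or restored a secret and when.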