Skip to content

[Key Vault] Add support for Key Rotation #19840

New issue
New issue
Closed
#20416
Closed
[Key Vault] Add support for Key Rotation#19840
#20416
Assignees
mccoyp
Labels
ClientThis issue points to a problem in the data-plane of the library.KeyVault
Milestone
[2021] October
@maorleger

Description

@maorleger
maorleger
opened on Jul 16, 2021

To support KeyVault Key Rotation, implement the following changes (modeled from JS, but use whatever API is idiomatic for your language):

ARM Template changes

When creating a keyvault, add rotate to the keys' accessPolicies so that your test application has permissions to rotate and set the rotation policy.

Key Client API

getKeyRotationPolicy(name: string, options?: GetKeyRotationPolicyOptions): Promise<KeyRotationPolicy | undefined>; // see (1) below
rotateKey(name: string, options?: RotateKeyOptions): Promise<KeyVaultKey>;
updateKeyRotationPolicy(name: string, policy: KeyRotationPolicyProperties, options?: UpdateKeyRotationPolicyOptions): Promise<KeyRotationPolicy>;

Note that policy behavior is against the latest version of a key.

New models

// @public
export interface KeyRotationLifetimeAction {
    action: KeyRotationPolicyAction;
    timeAfterCreate?: string; // see (2) below
    timeBeforeExpiry?: string;  // see (2) below
}

// @public
export interface KeyRotationPolicy extends KeyRotationPolicyProperties {
    readonly createdOn: Date;
    readonly id: string;
    readonly updatedOn?: Date;
}

// @public
export type KeyRotationPolicyAction = "Rotate" | "Notify";

// @public
export interface KeyRotationPolicyProperties { // see (3) below
    expiresIn?: string;  // see (2) below
    lifetimeActions?: KeyRotationLifetimeAction[];
}

Swagger inconsistencies to be mindful of

The swagger defines the possible values for LifetimeActionsType as an enum consisting of rotate and notify but in reality it returns Rotate and Notify - the service accepts both casing, is case-insensitive, but in order to model the correct values here we went with the following swagger transformation:

directive:
  - from: swagger-document
    where: $.definitions.LifetimeActionsType.properties["type"]["x-ms-enum"]
    transform: >
      $.values[0].value = "Rotate";
      $.values[1].value = "Notify";

Notes

  1. Calling GET /keys/{name}/rotationpolicy will return an object with all properties set to null. We're discussing having that endpoint 404, but until then I am return undefined if the id doesn't exist
  2. We're still discussing whether the swagger should model this as an ISO8601 duration. In JS, the architects prefer a string, but model this duration in whatever way is idiomatic (TimeSpan, etc). If the swagger changes, I'll update the feature crew
  3. In order to properly model input / output values I separated out the KeyRotationPolicy and the KeyRotationPolicyProperties . The former extends the latter and adds the server-side attributes (timestamps and ID).

Metadata

Metadata

Assignees

Labels

ClientThis issue points to a problem in the data-plane of the library.KeyVault

Type

No type

Projects

No projects

Milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions