Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Key Vault] Add support for Key Rotation #22993

Closed
maorleger opened this issue Jul 16, 2021 · 1 comment · Fixed by #24452
Closed

[Key Vault] Add support for Key Rotation #22993

maorleger opened this issue Jul 16, 2021 · 1 comment · Fixed by #24452
Assignees
Labels
Client This issue points to a problem in the data-plane of the library. KeyVault

Comments

@maorleger
Copy link
Member

maorleger commented Jul 16, 2021

To support KeyVault Key Rotation, implement the following changes (modeled from JS, but use whatever API is idiomatic for your language):

ARM Template changes

When creating a keyvault, add rotate to the keys' accessPolicies so that your test application has permissions to rotate and set the rotation policy.

Key Client API

getKeyRotationPolicy(name: string, options?: GetKeyRotationPolicyOptions): Promise<KeyRotationPolicy | undefined>; // see (1) below
rotateKey(name: string, options?: RotateKeyOptions): Promise<KeyVaultKey>;
updateKeyRotationPolicy(name: string, policy: KeyRotationPolicyProperties, options?: UpdateKeyRotationPolicyOptions): Promise<KeyRotationPolicy>;

Note that policy behavior is against the latest version of a key.

New models

// @public
export interface KeyRotationLifetimeAction {
    action: KeyRotationPolicyAction;
    timeAfterCreate?: string; // see (2) below
    timeBeforeExpiry?: string;  // see (2) below
}

// @public
export interface KeyRotationPolicy extends KeyRotationPolicyProperties {
    readonly createdOn: Date;
    readonly id: string;
    readonly updatedOn?: Date;
}

// @public
export type KeyRotationPolicyAction = "Rotate" | "Notify";

// @public
export interface KeyRotationPolicyProperties { // see (3) below
    expiresIn?: string;  // see (2) below
    lifetimeActions?: KeyRotationLifetimeAction[];
}

Swagger inconsistencies to be mindful of

The swagger defines the possible values for LifetimeActionsType as an enum consisting of rotate and notify but in reality it returns Rotate and Notify - the service accepts both casing, is case-insensitive, but in order to model the correct values here we went with the following swagger transformation:

directive:
  - from: swagger-document
    where: $.definitions.LifetimeActionsType.properties["type"]["x-ms-enum"]
    transform: >
      $.values[0].value = "Rotate";
      $.values[1].value = "Notify";

Notes

  1. Calling GET /keys/{name}/rotationpolicy will return an object with all properties set to null. We're discussing having that endpoint 404, but until then I am return undefined if the id doesn't exist
  2. We're still discussing whether the swagger should model this as an ISO8601 duration. In JS, the architects prefer a string, but model this duration in whatever way is idiomatic (TimeSpan, etc). If the swagger changes, I'll update the feature crew
  3. In order to properly model input / output values I separated out the KeyRotationPolicy and the KeyRotationPolicyProperties . The former extends the latter and adds the server-side attributes (timestamps and ID).
@maorleger maorleger added Client This issue points to a problem in the data-plane of the library. KeyVault labels Jul 16, 2021
@maorleger maorleger added this to the [2021] September milestone Jul 16, 2021
@maorleger
Copy link
Member Author

FYI here are the JS PRs for your reference:

@github-actions github-actions bot locked and limited conversation to collaborators Apr 11, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
Client This issue points to a problem in the data-plane of the library. KeyVault
Projects
None yet
Development

Successfully merging a pull request may close this issue.

2 participants