Password Rotation in the Azure Environment
In this section, you will learn how to rotate user credentials within the Azure network environment across various target systems. Rotation works on the devices configured and attached to the Azure Active Directory (Azure AD), which can also be your default directory.
Keeper can rotate the password for Azure AD users, service accounts, local admin users, local users, managed services, databases and more.
Configurations for the Azure Active Directory are defined in the PAM Configuration section of Keeper Secrets Manager.
Configurations for the Azure AD joined devices are defined in the PAM Directory, PAM Machine, and PAM Database record types. The following table shows the supported Azure AD joined devices with Keeper Rotation and their corresponding PAM Record Type:
Configurations for Azure AD users' credentials are defined in the PAM User records.
Prior to rotating user credentials within your Azure environment, you need to make sure you have the following information and configurations in place:
All Azure AD joined devices that you want to use with Rotation need to be created and configured within your Azure Active Directory
To successfully configure and setup Rotation within your Azure Network, the following values are needed for your PAM Configuration:
Make sure all the Azure services or Azure AD joined devices you plan to use for rotation have access to the Azure Active Directory. For more information, visit this page
Create a custom role to allow the application to access and perform actions on the various Azure resources. For more information on custom role setup, visit this page
At a high level, the following steps are needed to successfully rotate passwords on your Azure network:
Create Shared Folders to hold the PAM records involved in rotation
Create PAM Machine, PAM Database and PAM Directory records that contain credentials with the necessary permissions to rotate and update the user's credentials
Create PAM User records that contain the user's information
Create a Secrets Manager Application and assign it to the shared folders that hold the PAM records
Install a Keeper Gateway and add it to the Secrets Manager application
Create a PAM Configuration with the Azure environment setting
Configure Rotation settings on the PAM User records and/or PAM Machine, PAM Database, PAM Directory records
The next section of the documentation covers the Azure Environment Setup.
The following pages cover these steps in more detail, showing how to successfully rotate passwords in different scenarios on the Azure network:
Setting up your Azure environment to work with Keeper Secrets Manager
In order to set up your Azure environment, the following steps must be taken:
Create an Azure application in the default Azure Active Directory.
Get values for the Keeper PAM Configuration from this new application.
Grant permissions to the application to access the Azure Active Directory.
Create a custom role to allow the application to access/perform actions on various Azure resources.
Go to the Azure portal > Home and click on Azure Active Directory in the left side vertical menu. Select App Registrations, and then New Registration. Give the new application a name and select Single tenant for Supported accounts types. Then click the Register button at the bottom.
In the Overview of the application, the Application (client) ID UUID is shown. This is the Client Id field of the Keeper PAM Configuration record. The Directory (tenant) ID is also shown. This is the Tenant Id field of the Keeper PAM Configuration record. Save these values for later.
Next click on Add a certificate or secret under Client credentials. On the next page, click on New client secret, give the client secret a Description, select a desired Expires date, and click Add.
The page will refresh showing the secret Value. Copy the Value (not Secret ID) into the Keeper PAM Configuration "Client Secret" field. Save this value for later.
At this point, all the required PAM Configuration fields should be filled in. You also have an Azure application that cannot do anything yet.
In order for the Azure tenant service principal/application to rotate Azure Active Directory users or Azure Active Directory Domain Services users, the application must be assigned to an Administrative role.
From the Azure portal go to Home > Azure Active Directory > Roles and administrators, and click on the Administrative role to use (such as Privileged Authentication Administrator). The correct role depends on what privileges are needed for your use case. Custom roles can be used.
Global Administrator - It is not recommended to use a Global Administrator on a service principal. However, it will allow both administrator and user passwords to be rotated.
Privileged Authentication Administrator - Can change the password for any user, including a Global Administrator user.
Authentication Administrator - Can change the password for any user, except a Global Administrator user.
To add the application, click Add assignments and Search for the service principal/application that was created, click it, and then Add.
Roles need to be attached to the Azure Application (also called a Service Principal here) in order to rotate passwords of target resources. This is done in the Subscription section of the Azure portal.
Go to the Azure portal > Home > Subscriptions then select your subscription. Click on Access control (IAM), and then Roles.
Click Add on the top menu, and then Add custom role. Jump to the JSON tab. Click on Edit and paste the JSON object from below, modifying it according to your setup.
This is a complete list of all of the permissions that Keeper Gateway can use, if applicable. Only include those that are needed for your setup.
Change the following before you save:
<ROLE NAME>: Role Name, e.g. "Keeper Secrets Manager"
<DESCRIPTION>: Description, e.g. "Role for password rotation"
<SUBSCRIPTION ID>: Subscription ID of this Azure subscription
Click Save.
When done, click Review + create, and click Create.
Once the role is created, it needs to be assigned to the Application (Service Principal). Click View in the Details column.
A panel will appear on the right side of the screen. Click Assignments, and then Add assignment.
Enter in the new role's name in the search bar on the Role tab, then double click it to select it. Move to the Members tab. Click Select members. In the panel that opens, enter the name of the Azure application, select the current application, and click Select.
Go to the Review + assign tab and click Review + assign.
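To make the custom role step concrete, here is an added Python example (not part of Keeper's documentation or code) that builds the role definition in the layout the JSON tab expects from the three placeholders named above, and runs a least-privilege review over it before it is pasted in. The subscription id and the action list are constructed placeholders: the page's own list of Gateway permissions is not reproduced here, so the caller supplies the actions.

```python
import json
import re

# Subscription IDs are UUIDs; anything else is a paste error.
SUBSCRIPTION_ID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$"
)


def build_custom_role(role_name, description, subscription_id, actions):
    """Return the custom role definition in the layout the JSON tab expects.

    role_name, description and subscription_id fill the <ROLE NAME>,
    <DESCRIPTION> and <SUBSCRIPTION ID> placeholders from the guide. The
    guide's own list of Gateway permissions is not reproduced here, so the
    caller passes the resource provider operations to grant as `actions`.
    """
    if not SUBSCRIPTION_ID_RE.match(subscription_id.lower()):
        raise ValueError("subscription_id must be a UUID")
    if not actions:
        raise ValueError("a role with no actions grants nothing; check the permission list")
    return {
        "properties": {
            "roleName": role_name,
            "description": description,
            # Restrict where the role can be assigned to this one subscription.
            "assignableScopes": [f"/subscriptions/{subscription_id}"],
            "permissions": [
                {
                    "actions": list(actions),
                    "notActions": [],
                    "dataActions": [],
                    "notDataActions": [],
                }
            ],
        }
    }


def lint_custom_role(role):
    """Least-privilege review of a role definition before it is saved.

    Returns a list of findings; an empty list means nothing was flagged.
    """
    findings = []
    props = role["properties"]
    for scope in props.get("assignableScopes", []):
        if scope == "/" or "/managementGroups/" in scope:
            findings.append(f"assignable scope is broader than a subscription: {scope}")
        elif not scope.startswith("/subscriptions/"):
            findings.append(f"unexpected assignable scope: {scope}")
    for perm in props.get("permissions", []):
        for action in perm.get("actions", []) + perm.get("dataActions", []):
            lowered = action.lower()
            if "*" in action:
                findings.append(f"wildcard action grants more than needed: {action}")
            elif lowered.startswith("microsoft.authorization/") and lowered.endswith("/write"):
                # Writing role assignments or definitions lets the principal widen its own access.
                findings.append(f"action lets the principal change its own permissions: {action}")
    return findings


def role_json(role):
    """Serialise for pasting into the JSON tab of the Add custom role wizard."""
    return json.dumps(role, indent=2)


if __name__ == "__main__":
    # Constructed sample values. The actions are illustrative operations for the
    # resource types this page covers, not Keeper's documented permission list.
    role = build_custom_role(
        "Keeper Secrets Manager",
        "Role for password rotation",
        "00000000-0000-0000-0000-000000000000",  # placeholder subscription id
        ["Microsoft.Compute/virtualMachines/read", "Microsoft.DBforMariaDB/servers/write"],
    )
    print(role_json(role))
    print("findings:", lint_custom_role(role))
```

Run the lint on the pasted JSON before clicking Save: a single wildcard action or a management-group scope turns the rotation principal into a much broader credential than the page's setup needs.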
🎉 At this point, you have created the necessary roles and applications within your Azure environment.
Rotating Azure AD Admin and User passwords with Keeper
In this guide, you will learn how to rotate passwords for Azure AD users. In Keeper, the PAM Configuration contains all of the information needed to rotate passwords. Each Azure AD user account to be rotated is stored in a PAM User record.
For a high-level overview on the rotation process in the Azure network, visit this page.
This guide assumes the following tasks have already taken place:
Keeper Secrets Manager is enabled for your enterprise and your role
Keeper Rotation is enabled for your role
A Keeper Secrets Manager application has been created
Your Azure environment is configured per our documentation
The Keeper Gateway uses Azure APIs to rotate the credentials defined in the PAM User records.
Note: You can skip this step if you already have a PAM Configuration set up for Azure.
Prior to setting up the PAM Configuration, make sure that:
A Keeper Secrets Manager application has been created
A Keeper Rotation gateway is already installed, running, and is provisioned in the Keeper Secrets Manager application you created.
We recommend installing the Keeper Gateway service on a machine within the Azure environment in order to rotate other types of targets.
In the left menu of the vault, select "Secrets Manager", then select the "PAM Configurations" tab, and click on "New Configuration". The following table lists all the required fields that need to be filled on the PAM Configuration record with your information:
For more details on all the configurable fields in the PAM Network Configuration record, visit this page.
Keeper Rotation uses the Azure Graph API to rotate the PAM User records in your Azure environment. The PAM User records need to be in a shared folder that is shared to the KSM application created in the pre-requisites.
The following table lists all the required fields that need to be filled on the PAM User record with your information:
There should only be one PAM User record for each Azure AD user. Having multiple PAM User records with the same user/login will cause conflicts.
Select the PAM User record(s) from Step 3, edit the record and open the "Password Rotation Settings".
Select the desired schedule and password complexity.
The "Rotation Settings" should select the PAM Configuration setup previously.
The "Resource Credential" field should be empty / not selected.
Upon saving, the rotation button will be enabled and available to rotate on demand, or via the selected schedule.
Any user with "Can Edit" rights to a PAM User record has the ability to set up rotation for that record.
Rotating local and remote user accounts on Azure Virtual Machines with Keeper
This guide assumes the following tasks have already taken place:
PowerShell is available on all Windows machines and bash on all Linux machines
Keeper can rotate any local user account on either the Gateway machine or any other machine on the network. A PAM Machine record should be created for every machine. This PAM Machine record should contain an administrative credential that has the rights to change passwords for users on the machine.
Once a PAM Machine record is created for every machine, a PAM User record needs to be created for each user account that will be rotated. The PAM Machine record can also be rotated.
The following table lists all the required fields that need to be filled on the PAM Machine records.
If you already have a PAM Configuration for your Azure environment, you can simply add the additional Resource Credentials required for rotating machine users to the existing PAM Configuration.
Make sure the following items are completed first:
PAM Machine records have been created for each target machine
If you are creating a new PAM Configuration, log in to the Keeper Vault and select "Secrets Manager", then select the "PAM Configurations" tab, and click on "New Configuration". The following table lists all the required fields that need to be filled on the PAM Configuration.
If a Gateway has already been deployed to an existing PAM Configuration, you can simply adjust the configuration to include additional Administrative Resource Credentials as needed.
In the example below, there are 5 local admin PAM Machine records, one for each VM in Azure. Each of the accounts is used to rotate credentials for local users in each respective machine.
Keeper Rotation will use the credentials in the PAM Machine record to rotate the credentials of accounts referenced by the PAM User records.
The following table lists all the required fields that need to be filled on the PAM User record:
Select the PAM User record(s) from Step 3, edit the record and open the "Password Rotation Settings".
Select the desired schedule and password complexity.
The "Rotation Settings" should use the PAM Configuration setup previously.
The "Resource Credential" field should select the PAM Machine admin credential specific to this user's machine.
Upon saving, the rotation button will be enabled and available to rotate on demand, or via the selected schedule.
Any user with edit rights to a PAM User record has the ability to set up rotation for that record.
Optionally, the PAM Machine credential can also be rotated. Select the PAM Machine record from Step 1, edit the record and open the "Password Rotation Settings".
Select the desired schedule and password complexity.
The "Rotation Settings" should use the PAM Configuration setup previously.
The "Resource Credential" field should select the PAM Machine which can rotate the credential.
Upon saving, the rotation button will be enabled and available to rotate on demand, or via the selected schedule.
The following table shows the supported Azure AD joined devices and their corresponding PAM record types:

Azure AD Joined Device | Corresponding PAM Record Type
---|---
Azure AD Domain Services | PAM Directory
Virtual Machines | PAM Machine
Managed Databases | PAM Database

Values needed for the PAM Configuration (taken from the Azure application registration):

Field | Description
---|---
Client ID | The application/client id (UUID) of the Azure application
Client Secret | The client credentials secret for the Azure application
Subscription ID | The UUID of your subscription to use Azure services (i.e. Pay-As-You-GO)
Tenant ID | The UUID of the Azure Active Directory

PAM Configuration record fields for rotating Azure AD users:

Field | Description
---|---
Title | Configuration name, example: Azure AD Configuration
Environment | Select: Azure
Gateway | Select the Gateway that is configured on the Keeper Secrets Manager application and has network access to your Active Directory server from the pre-requisites
Application Folder | Select the Shared folder that will contain the PAM User records
Admin Credentials Record | Not required
Azure ID | A unique ID for this instance of Azure. This is for your reference and can be anything, but it is recommended to keep it short. Ex: Azure-1
Client ID | The unique Application (client) ID assigned to your app by Azure AD when the application was registered
Client Secret | The client credentials secret for the Azure application. It's random looking text.
Subscription ID | The UUID that identifies your subscription (i.e. Pay-As-You-GO) to use Azure services.
Tenant ID | The UUID of the Azure Active Directory

PAM User record fields for rotating Azure AD users:

Field | Description
---|---
Title | Keeper record title i.e. Azure User1
Login | Case sensitive username of the account being rotated. The username has to be in one of the following formats: `domain\username` or `username@domain`
Password | Providing a password is optional. Performing a rotation will set one if this field is left blank.

Rotating local and remote user accounts on Azure Virtual Machines: in this guide, you'll learn how to rotate Azure Virtual Machine local and remote user accounts within the Azure environment using Keeper Rotation. For a high-level overview on the rotation process in the Azure network, visit this page.
This guide assumes the following tasks have already taken place:
Keeper Secrets Manager is enabled for your enterprise and your role
Keeper Rotation is enabled for your role
A Keeper Secrets Manager application has been created.
Your Azure environment is configured per our documentation
A Keeper Rotation gateway is already installed, running, and is able to connect to your target Azure Virtual Machine(s) over WinRM or SSH.

PAM Machine record fields (one record per target VM):

Field | Description
---|---
Title | Name of the Record e.g.
Hostname or IP Address | Machine hostname or IP as accessed by the Gateway, e.g. 10.0.1.4
Port | Typically 5985 or 5986 for WinRM, 22 for SSH
Login | Username of the Administrator account
Password | Required for WinRM. Optional for SSH if your setup requires a password, otherwise a PEM key can be used. Note: The following chars are restricted:
Private PEM Key | Required for SSH if not using a password
Operating System | The VM Operating System:
SSL Verification | For WinRM, if selected, will use SSL mode on port 5986. Ignored for SSH.

Before creating the PAM Configuration for VM rotation, also make sure that:
A Keeper Secrets Manager application has been created
A Keeper Rotation gateway is already installed, running, and is provisioned in the Keeper Secrets Manager application you created.

PAM Configuration record fields for rotating VM users:

Field | Description
---|---
Title | Configuration name, example:
Environment | Select:
Gateway | Select the Gateway that is configured on the Keeper Secrets Manager application and has network access to your Active Directory server from the pre-requisites
Application Folder | Select the Shared folder that contains the PAM Machine record(s)
Resource Credential(s) | Select the PAM Machine record containing the admin credentials with sufficient permissions to rotate local user passwords. Important: If there are multiple machines being rotated, each PAM Machine record needs to be added as a Resource Credential.
Azure ID | A unique ID for this instance of Azure. This is for your reference and can be anything, but it is recommended to keep it short. Ex:
Client ID | The unique Application (client) ID assigned to your app by Azure AD when the application was registered.
Client Secret | The client credentials secret for the Azure application.
Subscription ID | The UUID that identifies your subscription (i.e. Pay-As-You-GO) to use Azure services.
Tenant ID | The UUID of the Azure Active Directory

For more details on all the configurable fields in the PAM Network Configuration record, visit this page.

PAM User record fields for rotating VM users:

Field | Description
---|---
Title | Keeper record title i.e.
Login | Case sensitive username of the account being rotated. The username has to be in one of the following formats:
Password | Account password is optional, rotation will set one if blank
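The field rules in the Azure AD PAM User, PAM Machine and VM PAM User tables above lend themselves to a pre-flight check before rotation is switched on. The following Python is an added example, not Keeper's code: the record dictionaries, their key names and the check functions are this example's own, written to mirror the table rules (Login must be `domain\username` or `username@domain`, WinRM needs a Password, SSH needs a Password or a Private PEM Key, SSL Verification means port 5986 and is ignored for SSH, and a VM user's Resource Credential must be the PAM Machine record for its machine).

```python
import re

# Login formats the Azure AD PAM User table accepts: domain\username or username@domain.
AD_LOGIN_RE = re.compile(r"^(?:[^\\@\s]+\\[^\\@\s]+|[^\\@\s]+@[^\\@\s]+)$")

WINRM_PORTS = {5985, 5986}
WINRM_SSL_PORT = 5986
SSH_PORT = 22


def check_azure_ad_user(record):
    """Findings for a PAM User record used for Azure AD rotation."""
    findings = []
    if not AD_LOGIN_RE.match(record.get("login", "")):
        findings.append("Login must be domain\\username or username@domain")
    # Azure AD users are rotated through the Azure APIs, so the
    # Resource Credential field must be left empty for them.
    if record.get("resource_credential"):
        findings.append("Resource Credential must be empty for Azure AD users")
    return findings


def check_pam_machine(record):
    """Findings for a PAM Machine record (one per VM, holding the local admin credential)."""
    findings = []
    if not record.get("hostname"):
        findings.append("Hostname or IP Address is required")
    if not record.get("login"):
        findings.append("Login (the administrator account) is required")
    try:
        port = int(record.get("port"))
    except (TypeError, ValueError):
        port = None
    has_password = bool(record.get("password"))
    has_key = bool(record.get("private_pem_key"))
    ssl_verification = bool(record.get("ssl_verification"))
    if port in WINRM_PORTS:
        if not has_password:
            findings.append("Password is required for WinRM")
        if ssl_verification and port != WINRM_SSL_PORT:
            findings.append("SSL Verification uses port 5986, but the record says 5985")
        if not ssl_verification and port == WINRM_SSL_PORT:
            findings.append("port 5986 is the WinRM SSL port but SSL Verification is not selected")
    elif port == SSH_PORT:
        if not has_password and not has_key:
            findings.append("SSH needs a Password or a Private PEM Key")
        if ssl_verification:
            findings.append("SSL Verification is ignored for SSH; leave it unselected")
    else:
        findings.append(f"port {record.get('port')!r} is not a typical WinRM (5985/5986) or SSH (22) port")
    return findings


def check_vm_user(record, machine_titles):
    """Findings for a PAM User record that targets a VM: its Resource Credential
    must name the PAM Machine record for that user's machine."""
    findings = []
    if not record.get("login"):
        findings.append("Login is required")
    rc = record.get("resource_credential")
    if not rc:
        findings.append("Resource Credential must point at the PAM Machine record for this user's machine")
    elif rc not in machine_titles:
        findings.append(f"Resource Credential {rc!r} does not match any PAM Machine record")
    return findings


if __name__ == "__main__":
    # Constructed sample records; 10.0.1.x addresses and titles are illustrative.
    machines = {
        "vm-01 admin": {"hostname": "10.0.1.4", "login": "keeperadmin", "port": 5986,
                        "password": "<placeholder>", "ssl_verification": True},
        "vm-02 admin": {"hostname": "10.0.1.5", "login": "azureuser", "port": 22,
                        "private_pem_key": "<placeholder>"},
    }
    for title, rec in machines.items():
        print(title, check_pam_machine(rec))
    print(check_azure_ad_user({"login": "svc-rotate@corp.example"}))
    print(check_vm_user({"login": "svc-app", "resource_credential": "vm-01 admin"}, set(machines)))
```

Running these checks over the shared folder before enabling the schedule catches the two failure modes the tables warn about: a WinRM record without a password, and a VM user whose Resource Credential points at the wrong machine.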
Rotating Admin/Regular Azure MariaDB Database Users with Keeper
In this guide, you'll learn how to rotate passwords for Azure MariaDB Users and Admin accounts on your Azure environment using Keeper Rotation. Azure MariaDB is an Azure managed resource where the MariaDB Admin Credentials are defined in the PAM Database record type and the configurations of the MariaDB Users are defined in the PAM User record type.
For Azure Managed MariaDB database, the Azure SDK will be used to rotate the password of Database Admin Accounts. To rotate the passwords of Regular Database Users, Keeper connects to the DB instance with the provided admin credentials and executes the necessary SQL statements to change the password. For a high-level overview on the rotation process in the Azure network, visit this page.
This guide assumes the following tasks have already taken place:
Keeper Secrets Manager is enabled for your enterprise and your role
Keeper Rotation is enabled for your role
A Keeper Secrets Manager application has been created
A Keeper Rotation gateway is already installed, running, and is able to communicate with your Azure MariaDB Server Database
Your Azure environment is configured per our documentation
The PAM Database record contains the admin credentials and necessary configurations to connect to the MariaDB server on Azure. Keeper Rotation will use these provided configurations to rotate passwords of regular database user accounts in the Azure MariaDB Server instance. These provided admin credentials need to also have sufficient database permissions to successfully change the credentials of the database user accounts.
The following table lists all the required fields on the PAM Database Record:
Note: Adding Provider Group, Provider Region, and Database ID will enable managing the PAM Database Record through the Azure SDK.
This PAM Database Record with the admin credential needs to be in a shared folder that is shared to the KSM application created in the pre-requisites. Only the KSM application needs access to this privileged account, it does not need to be shared with any users.
If you already have a PAM Configuration for your Azure environment, you can simply add the additional Resource Credentials required for rotating machine users to the existing PAM Configuration.
If you are creating a new PAM Configuration, login to the Keeper Vault and select "Secrets Manager", then select the "PAM Configurations" tab, and click on "New Configuration". The following table lists all the required fields on the PAM Configuration Record:
For more details on all the configurable fields in the PAM Network Configuration record, visit this page.
Keeper Rotation will use the credentials in the PAM Database record to rotate the PAM User records on your Azure environment. The PAM User credential needs to be in a shared folder that is shared to the KSM application created in the prerequisites.
The following table lists all the required fields on the PAM User record:
Select the PAM User record(s) from Step 3, edit the record and open the "Password Rotation Settings".
Select the desired schedule and password complexity.
The "Rotation Settings" should use the PAM Configuration setup previously.
The "Resource Credential" field should select the PAM Database credential setup from Step 1.
Upon saving, the rotation button will be enabled and available to rotate on demand, or via the selected schedule.
Any user with edit rights to a PAM User record has the ability to set up rotation for that record.
If the desired Admin Credential is not showing in the rotation settings screen, go to Secrets Manager > PAM Configuration > and add the necessary resource credentials.
Select the PAM Database record from Step 1, edit the record and open the "Password Rotation Settings".
Select the desired schedule and password complexity.
The "Rotation Settings" should use the PAM Configuration setup previously.
The "Resource Credential" field should select the PAM Database credential setup from Step 1.
Upon saving, the rotation button will be enabled and available to rotate on demand, or via the selected schedule.
If the desired Admin Credential is not showing in the rotation settings screen, go to Secrets Manager > PAM Configuration > and add the necessary resource credentials.
Rotating Admin/Regular Azure MySQL Single or Flexible Database Users with Keeper
In this guide, you'll learn how to rotate passwords for Azure MySQL Database Users and Admin accounts on your Azure environment using Keeper Rotation. Azure MySQL is an Azure managed resource where the MySQL Admin Credentials are defined in the PAM Database record type and the configurations of the MySQL Users are defined in the PAM User record type.
This guide assumes the following tasks have already taken place:
The PAM Database record contains the admin credentials and necessary configurations to connect to the MySQL Server on Azure. Keeper Rotation will use these provided configurations to rotate passwords of regular database user accounts in the Azure MySQL Server instance. These provided admin credentials need to also have sufficient database permissions to successfully change the credentials of the database user accounts.
The following table lists all the required fields on the PAM Database Record:
Note: Adding Provider Group, Provider Region, and Database ID will enable managing the PAM Database Record through the Azure SDK.
This PAM Database Record with the admin credential needs to be in a shared folder that is shared to the KSM application created in the pre-requisites. Only the KSM application needs access to this privileged account, it does not need to be shared with any users.
If you already have a PAM Configuration for your Azure environment, you can simply add the additional Resource Credentials required for rotating machine users to the existing PAM Configuration.
If you are creating a new PAM Configuration, login to the Keeper Vault and select "Secrets Manager", then select the "PAM Configurations" tab, and click on "New Configuration". The following table lists all the required fields on the PAM Configuration Record:
Keeper Rotation will use the credentials in the PAM Database record to rotate the PAM User records on your Azure environment. The PAM User credential needs to be in a shared folder that is shared to the KSM application created in the prerequisites.
The following table lists all the required fields on the PAM User record:
Select the PAM User record(s) from Step 3, edit the record and open the "Password Rotation Settings".
Select the desired schedule and password complexity.
The "Rotation Settings" should use the PAM Configuration setup previously.
The "Resource Credential" field should select the PAM Database credential setup from Step 1.
Upon saving, the rotation button will be enabled and available to rotate on demand, or via the selected schedule.
Any user with edit rights to a PAM User record has the ability to set up rotation for that record.
If the desired Admin Credential is not showing in the rotation settings screen, go to Secrets Manager > PAM Configuration > and add the necessary resource credentials.
Select the PAM Database record from Step 1, edit the record and open the "Password Rotation Settings".
Select the desired schedule and password complexity.
The "Rotation Settings" should use the PAM Configuration setup previously.
The "Resource Credential" field should select the PAM Database credential setup from Step 1.
Upon saving, the rotation button will be enabled and available to rotate on demand, or via the selected schedule.
If the desired Admin Credential is not showing in the rotation settings screen, go to Secrets Manager > PAM Configuration > and add the necessary resource credentials.
Rotating Admin/Regular Azure SQL Database Users with Keeper
In this guide, you'll learn how to rotate passwords for Azure SQL Database Users and Admin accounts on your Azure environment using Keeper Rotation. Azure SQL is an Azure managed resource where the SQL Admin Credentials are defined in the PAM Database record type and the configurations of the SQL Users are defined in the PAM User record type.
This guide assumes the following tasks have already taken place:
The PAM Database record contains the admin credentials and necessary configurations to connect to the SQL Server on Azure. Keeper Rotation will use these provided configurations to rotate passwords of regular database user accounts in the Azure SQL Server instance. These provided admin credentials need to also have sufficient database permissions to successfully change the credentials of the database user accounts.
The following table lists all the required fields on the PAM Database Record:
Note: Adding Provider Group, Provider Region, and Database ID will enable managing the PAM Database Record through the Azure SDK.
This PAM Database Record with the admin credential needs to be in a shared folder that is shared to the KSM application created in the pre-requisites. Only the KSM application needs access to this privileged account, it does not need to be shared with any users.
If you already have a PAM Configuration for your Azure environment, you can simply add the additional Resource Credentials required for rotating machine users to the existing PAM Configuration.
If you are creating a new PAM Configuration, login to the Keeper Vault and select "Secrets Manager", then select the "PAM Configurations" tab, and click on "New Configuration". The following table lists all the required fields on the PAM Configuration Record:
Keeper Rotation will use the credentials in the PAM Database record to rotate the PAM User records on your Azure environment. The PAM User credential needs to be in a shared folder that is shared to the KSM application created in the prerequisites.
The following table lists all the required fields on the PAM User record:
Select the PAM User record(s) from Step 3, edit the record and open the "Password Rotation Settings".
Select the desired schedule and password complexity.
The "Rotation Settings" should use the PAM Configuration setup previously.
The "Resource Credential" field should select the PAM Database credential setup from Step 1.
Upon saving, the rotation button will be enabled and available to rotate on demand, or via the selected schedule.
Any user with edit rights to a PAM User record has the ability to set up rotation for that record.
If the desired Admin Credential is not showing in the rotation settings screen, go to Secrets Manager > PAM Configuration > and add the necessary resource credentials.
Select the PAM Database record from Step 1, edit the record and open the "Password Rotation Settings".
Select the desired schedule and password complexity.
The "Rotation Settings" should use the PAM Configuration setup previously.
The "Resource Credential" field should select the PAM Database credential setup from Step 1.
Upon saving, the rotation button will be enabled and available to rotate on demand, or via the selected schedule.
If the desired Admin Credential is not showing in the rotation settings screen, go to Secrets Manager > PAM Configuration > and add the necessary resource credentials.
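The MariaDB, MySQL and Azure SQL guides above all say that regular database users are rotated by connecting with the admin credential and issuing SQL, but the statements themselves are not on the page. The Python below is an added example of how a practitioner would build them safely, not Keeper's implementation: it applies the USERNAME@SERVERNAME Login convention from the PAM Database and PAM User tables (host defaults to `%`), generates a password from an alphabet that cannot break a SQL string literal, and emits `ALTER USER` for MariaDB 10.2+ / MySQL 5.7+ and `ALTER LOGIN` for Azure SQL. That these are the exact statement forms Keeper runs is an assumption.

```python
import re
import secrets
import string

# Characters allowed in generated passwords: no quotes, backslash or whitespace,
# so the password embeds safely in a SQL string literal regardless of the
# server's backslash-escaping mode.
PASSWORD_ALPHABET = string.ascii_letters + string.digits + "!#$%&()*+,-./:;<=>?@[]^_{|}~"
USER_RE = re.compile(r"^[A-Za-z0-9_.\-]+$")
HOST_RE = re.compile(r"^[A-Za-z0-9_.\-%]+$")  # % is the MySQL/MariaDB any-host wildcard


def split_db_login(login):
    """Apply the Login convention from the tables: USERNAME@SERVERNAME when the
    account's Host in the DB user table is not %, plain USERNAME otherwise."""
    if "@" in login:
        user, host = login.rsplit("@", 1)
    else:
        user, host = login, "%"
    # Identifier validation is what keeps the Login field from becoming an injection point.
    if not USER_RE.match(user) or not HOST_RE.match(host):
        raise ValueError(f"unsupported characters in login {login!r}")
    return user, host


def generate_password(length=32):
    """Random password with at least one lower, upper, digit and symbol."""
    if length < 16:
        raise ValueError("use at least 16 characters")
    while True:
        pw = "".join(secrets.choice(PASSWORD_ALPHABET) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw) and any(not c.isalnum() for c in pw)):
            return pw


def sql_string(value):
    """Quote a SQL string literal by doubling single quotes. Backslashes are refused
    because MySQL/MariaDB treat them differently depending on sql_mode
    (NO_BACKSLASH_ESCAPES), which could silently change the stored password."""
    if "\\" in value:
        raise ValueError("backslash not allowed in a password literal")
    return "'" + value.replace("'", "''") + "'"


def mysql_alter_user(login, new_password):
    """ALTER USER for MariaDB 10.2+ / MySQL 5.7+. ALTER USER does not accept bound
    parameters, so the password has to be embedded as a literal."""
    user, host = split_db_login(login)
    return f"ALTER USER {sql_string(user)}@{sql_string(host)} IDENTIFIED BY {sql_string(new_password)};"


def tsql_alter_login(login, new_password):
    """T-SQL for an Azure SQL server login. For a contained database user the
    form is ALTER USER ... WITH PASSWORD instead (assumption: the page does not
    say which form is used)."""
    if not USER_RE.match(login):
        raise ValueError(f"unsupported characters in login {login!r}")
    return f"ALTER LOGIN [{login}] WITH PASSWORD = N{sql_string(new_password)};"


if __name__ == "__main__":
    # Constructed sample logins; the host part follows the tables' convention.
    pw = generate_password()
    print(mysql_alter_user("svc_app@10.0.1.%", pw))
    print(mysql_alter_user("reporting", pw))
    print(tsql_alter_login("svc_app", pw))
```

Execute the returned statement with no parameter substitution, over the SSL-verified connection the PAM Database record's Use SSL field enables, and make sure neither the rotation client nor the server's general query log records statement text, because the new password is embedded in it.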
SSL Verification (PAM Machine record): for WinRM, if selected, the Gateway will use SSL mode on port 5986. Ignored for SSH. See this for troubleshooting tips
For Azure Managed MySQL database, the Azure SDK will be used to rotate the password of Database Admin Accounts. To rotate the passwords of Regular Database Users, Keeper connects to the DB instance with the provided admin credentials and executes the necessary SQL statements to change the password. For a high-level overview on the rotation process in the Azure network, visit this page.
In 2024, Azure is going to sunset the non-flexible MySQL managed services. Most likely the term flexible will be removed. See:
The Azure MySQL guide assumes the following tasks have already taken place:
Keeper Secrets Manager is enabled for your enterprise and your role
Keeper Rotation is enabled for your role
A Keeper Secrets Manager application has been created
A Keeper Rotation gateway is already installed, running, and is able to communicate with your Azure MySQL Server Database
Your Azure environment is configured per our documentation
For more details on all the configurable fields in the PAM Network Configuration record, visit this page.
For Azure Managed SQL database, the Azure SDK will be used to rotate the password of Database Admin Accounts. To rotate the passwords of Regular Database Users, Keeper connects to the DB instance with the provided admin credentials and executes the necessary SQL statements to change the password. For a high-level overview on the rotation process in the Azure network, visit this page.
The Azure SQL guide assumes the following tasks have already taken place:
Keeper Secrets Manager is enabled for your enterprise and your role
Keeper Rotation is enabled for your role
A Keeper Secrets Manager application has been created
A Keeper Rotation gateway is already installed, running, and is able to communicate with your Azure SQL Server Database
If the Gateway is installed on a Linux or macOS server, install the
Your Azure environment is configured per our documentation
For more details on all the configurable fields in the PAM Network Configuration record, visit this page.
Title
Keeper record title Ex: Azure MariaDB Admin
Hostname or IP Address
The Database Server name i.e testdb-mariadb.mariadb.database.azure.com
Port
For default ports, see port mapping
Ex: mariadb=3306
Use SSL
Check to perform SSL verification before connecting, if your database has SSL configured
Login
Admin account username that will perform rotation. If the admin in the DB user table is in a Host other than %, add the Host value to the user name as USERNAME@SERVERNAME
Password
Admin account password
Database ID
Name of the Azure Database Server i.e. testdb-mariadb
Database Type
mariadb
or mariadb-flexible
Provider Group
Azure Resource group name
Provider Region
Azure Resource region i.e. East US
Title
Configuration name, example: Azure DB Configuration
Environment
Select: Azure Network
Gateway
Select the Gateway that is configured on the Keeper Secrets Manager application and has network access to your Azure MariaDB database from the pre-requisites
Application Folder
Select the Shared folder that contains the PAM Database record in Step 1
Admin Credentials Record
Select the PAM Database record created in Step 1 This is the record with the admin credentials and sufficient permissions to rotate the directory user account's credentials
Azure ID
A unique ID for this instance of Azure. This is for your reference and can be anything, but its recommended to be kept short
Ex: Azure-Prod
Client ID
The unique Application (client) ID assigned to your app by Azure AD when the application was registered
Client Secret
The client credentials secret for the Azure application
Subscription ID
The UUID that identifies your subscription (i.e. Pay-As-You-GO) to use Azure services.
Tenant ID
The UUID of the Azure Active Directory
Title
Keeper record title i.e. Azure MariaDB User1
Login
Case sensitive username of the account being rotated. If the user in the DB user table is in a Host other than %, add the Host value to the user name as USERNAME@SERVERNAME
Password
Account password is optional, rotation will set one if blank
The following table lists all the required fields on the PAM Configuration record:

Field | Description |
---|---|
Title | Configuration name, example: |
Environment | Select: |
Gateway | Select the Gateway that is configured on the Keeper Secrets Manager application and has network access to your Azure MySQL database from the pre-requisites |
Application Folder | Select the Shared folder that contains the PAM Database record in Step 1 |
Admin Credentials Record | Select the PAM Database record created in Step 1. This is the record with the admin credentials and sufficient permissions to rotate the directory user account's credentials |
Azure ID | A unique ID for this instance of Azure. This is for your reference and can be anything, but it is recommended to keep it short. Ex: |
Client ID | The unique Application (client) ID assigned to your app by Azure AD when the application was registered |
Client Secret | The client credentials secret for the Azure application |
Subscription ID | The UUID that identifies your subscription (i.e. Pay-As-You-Go) to use Azure services |
Tenant ID | The UUID of the Azure Active Directory |
The following table lists all the required fields on the PAM User record:

Field | Description |
---|---|
Title | Keeper record title, i.e. |
Login | Case sensitive username of the account being rotated. If the user in the DB user table is in a Host other than %, add the Host value to the user name as |
Password | Account password is optional, rotation will set one if blank |
The following table lists all the required fields on the PAM Configuration record:

Field | Description |
---|---|
Title | Configuration name, example: |
Environment | Select: |
Gateway | Select the Gateway that is configured on the Keeper Secrets Manager application and has network access to your Azure SQL database from the pre-requisites |
Application Folder | Select the Shared folder that contains the PAM Database record in Step 1 |
Admin Credentials Record | Select the PAM Database record created in Step 1. This is the record with the admin credentials and sufficient permissions to rotate the directory user account's credentials |
Azure ID | A unique ID for this instance of Azure. This is for your reference and can be anything, but it is recommended to keep it short. Ex: |
Client ID | The unique Application (client) ID assigned to your app by Azure AD when the application was registered |
Client Secret | The client credentials secret for the Azure application |
Subscription ID | The UUID that identifies your subscription (i.e. Pay-As-You-Go) to use Azure services |
Tenant ID | The UUID of the Azure Active Directory |
The following table lists all the required fields on the PAM User record:

Field | Description |
---|---|
Title | Keeper record title, i.e. |
Login | Case sensitive username of the account being rotated. If the user in the DB user table is in a Host other than %, add the Host value to the user name as |
Password | Account password is optional, rotation will set one if blank |
Connect Database | Optional database that will be used when connecting to the database server. For example, MS SQL server requires a database and so this will default to |
The following table lists all the required fields on the PAM Database record:

Field | Description |
---|---|
Title | Keeper record title. Ex: |
Hostname or IP Address | The Database Server name, i.e. |
Port | For default ports, see port mapping. Ex: mysql=3306 |
Use SSL | Check to perform SSL verification before connecting, if your database has SSL configured |
Login | Admin account username that will perform rotation. If the Admin account in the DB user table is in a Host other than %, add the Host value to the user name as |
Password | Admin account password |
Database ID | Name of the Azure Database Server, i.e. |
Database Type | |
Provider Group | Azure Resource group name |
Provider Region | Azure Resource region, i.e. |
The following table lists all the required fields on the PAM Database record:

Field | Description |
---|---|
Title | Keeper record title. Ex: |
Hostname or IP Address | The Database Server name, i.e. |
Port | For default ports, see port mapping. Ex: 1433 |
Use SSL | Check to perform SSL verification before connecting, if your database has SSL configured |
Login | Admin account username that will perform rotation. If the admin in the DB user table is in a Host other than %, add the Host value to the user name as |
Password | Admin account password |
Connect Database | Optional database that will be used when connecting to the database server. For example, MS SQL server requires a database and so this will default to |
Database ID | Name of the Azure Database Server, i.e. |
Database Type | |
Provider Group | Azure Resource group name |
Provider Region | Azure Resource region, i.e. |
Rotating Admin/Regular Azure PostgreSQL Single or Flexible Database Users with Keeper
In this guide, you'll learn how to rotate passwords for Azure PostgreSQL Database Users and Admin accounts on your Azure environment using Keeper Rotation. Azure PostgreSQL is an Azure managed resource where the PostgreSQL Admin Credentials are defined in the PAM Database record type and the configurations of the PostgreSQL Users are defined in the PAM User record type.
For Azure Managed PostgreSQL database, the Azure SDK will be used to rotate the password of Database Admin Accounts. To rotate the passwords of Regular Database Users, Keeper connects to the DB instance with the provided admin credentials and executes the necessary SQL statements to change the password. For a high-level overview on the rotation process in the Azure network, visit this page.
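The regular-user path just described (connect with the PAM Database admin credentials, then run the password-change SQL) is illustrated by the following added Python example; it is not Keeper's code. It derives connection settings and the ALTER statement from the PAM record fields on this page, covering the MariaDB/MySQL USERNAME@HOST Login convention and PostgreSQL's template1 Connect Database default; the mysql Database Type values and the password complexity rule are assumptions.

```python
import secrets
import string

# Constructed alphabet with no quote or backslash characters, so a generated
# password can be embedded in an ALTER statement without SQL escaping.
SYMBOLS = "!#$%^*-_=+"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS
DEFAULT_PORT = {"mariadb": 3306, "mysql": 3306, "postgresql": 5432}  # ports from the page

def generate_password(length: int = 24) -> str:
    """Random password with lower, upper, digit and symbol (an assumed complexity policy)."""
    checks = (str.islower, str.isupper, str.isdigit, lambda c: c in SYMBOLS)
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if all(any(check(c) for c in pw) for check in checks):
            return pw

def split_login(login: str) -> tuple:
    """MariaDB/MySQL key accounts by (user, host). The page's Login convention is
    USERNAME@HOST; the host defaults to '%' when none is given."""
    user, _, host = login.rpartition("@")
    return (user, host) if user else (login, "%")

def connect_params(db_type: str, host: str, port=None, connect_db=None, use_ssl=True) -> dict:
    """Connection settings from PAM Database fields; '-flexible' types share a family."""
    family = db_type.split("-")[0]
    if family not in DEFAULT_PORT:
        raise ValueError(f"unsupported Database Type: {db_type}")
    params = {"host": host, "port": port or DEFAULT_PORT[family], "ssl": use_ssl}
    if family == "postgresql":
        params["dbname"] = connect_db or "template1"  # Connect Database default on the page
    return params

def _mysql_literal(s: str) -> str:
    return s.replace("\\", "\\\\").replace("'", "''")  # escape for a '...' MySQL literal

def rotation_statement(db_type: str, login: str, new_password: str) -> str:
    """ALTER statement for one PAM User record. The password is embedded as a
    literal, so it must come from generate_password() (no quoting characters)."""
    if any(ch in new_password for ch in "'\"\\"):
        raise ValueError("password contains SQL quoting characters")
    family = db_type.split("-")[0]
    if family in ("mariadb", "mysql"):
        user, host = split_login(login)
        return f"ALTER USER '{_mysql_literal(user)}'@'{_mysql_literal(host)}' IDENTIFIED BY '{new_password}'"
    if family == "postgresql":
        role = login.replace('"', '""')  # PostgreSQL quoted identifier
        return f"ALTER ROLE \"{role}\" WITH PASSWORD '{new_password}'"
    raise ValueError(f"unsupported Database Type: {db_type}")
```

The admin-account path uses the Azure SDK instead, so nothing here applies to the PAM Database record's own password.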
This guide assumes the following tasks have already taken place:
Keeper Secrets Manager is enabled for your enterprise and your role
Keeper Rotation is enabled for your role
A Keeper Secrets Manager application has been created
A Keeper Rotation gateway is already installed, running, and is able to communicate with your Azure PostgreSQL Server Database
Your Azure environment is configured per our document
The PAM Database record contains the admin credentials and necessary configurations to connect to the PostgreSQL Server on Azure. Keeper Rotation will use these provided configurations to rotate passwords of regular database user accounts in the Azure PostgreSQL Server instance. These provided admin credentials need to also have sufficient database permissions to successfully change the credentials of the database user accounts.
The following table lists all the required fields on the PAM Database Record:
Note: Adding Provider Group, Provider Region, and Database ID will enable managing the PAM Database Record through the Azure SDK.
This PAM Database Record with the admin credential needs to be in a shared folder that is shared to the KSM application created in the pre-requisites. Only the KSM application needs access to this privileged account, it does not need to be shared with any users.
If you already have a PAM Configuration for your Azure environment, you can simply add the additional Resource Credentials required for rotating machine users to the existing PAM Configuration.
If you are creating a new PAM Configuration, log in to the Keeper Vault and select "Secrets Manager", then select the "PAM Configurations" tab, and click on "New Configuration". The following table lists all the required fields on the PAM Configuration Record:
For more details on all the configurable fields in the PAM Network Configuration record, visit this page.
Keeper Rotation will use the credentials in the PAM Database record to rotate the PAM User records on your Azure environment. The PAM User credential needs to be in a shared folder that is shared to the KSM application created in the prerequisites.
The following table lists all the required fields on the PAM User record:
Select the PAM User record(s) from Step 3, edit the record and open the "Password Rotation Settings".
Select the desired schedule and password complexity.
The "Rotation Settings" should use the PAM Configuration setup previously.
The "Resource Credential" field should select the PAM Database credential setup from Step 1.
Upon saving, the rotation button will be enabled and available to rotate on demand, or via the selected schedule.
Any user with edit rights to a PAM User record has the ability to set up rotation for that record.
If the desired Admin Credential is not showing in the rotation settings screen, go to Secrets Manager > PAM Configuration > and add the necessary resource credentials.
Select the PAM Database record from Step 1, edit the record and open the "Password Rotation Settings".
Select the desired schedule and password complexity.
The "Rotation Settings" should use the PAM Configuration setup previously.
The "Resource Credential" field should select the PAM Database credential setup from Step 1.
Upon saving, the rotation button will be enabled and available to rotate on demand, or via the selected schedule.
If the desired Admin Credential is not showing in the rotation settings screen, go to Secrets Manager > PAM Configuration > and add the necessary resource credentials.
The following table lists all the required fields on the PAM Database record:

Field | Description |
---|---|
Title | Keeper record title. Ex: Azure PostgreSQL Admin |
Hostname or IP Address | The Database Server name, i.e. testdb-psql.postgresql.database.azure.com |
Port | For default ports, see port mapping, i.e. 5432 |
Use SSL | Check to perform SSL verification before connecting, if your database has SSL configured |
Login | Admin account username that will perform rotation. If the Admin account in the DB user table is in a Host other than %, add the Host value to the user name as USERNAME@HOST |
Password | Admin account password |
Connect Database | Optional database that will be used when connecting to the database server. For example, PostgreSQL requires a database and so this will default to template1. |
Database ID | Name of the Azure Database Server, i.e. testdb-psql |
Database Type | postgresql or postgresql-flexible |
Provider Group | Azure Resource group name |
Provider Region | Azure Resource region, i.e. East US |

The following table lists all the required fields on the PAM Configuration record:

Field | Description |
---|---|
Title | Configuration name, example: Azure DB Configuration |
Environment | Select: Azure Network |
Gateway | Select the Gateway that is configured on the Keeper Secrets Manager application and has network access to your Azure PostgreSQL database from the pre-requisites |
Application Folder | Select the Shared folder that contains the PAM Database record in Step 1 |
Admin Credentials Record | Select the PAM Database record created in Step 1. This is the record with the admin credentials and sufficient permissions to rotate the directory user account's credentials |
Azure ID | A unique ID for this instance of Azure. This is for your reference and can be anything, but it is recommended to keep it short. Ex: Azure-Prod |
Client ID | The unique Application (client) ID assigned to your app by Azure AD when the application was registered |
Client Secret | The client credentials secret for the Azure application |
Subscription ID | The UUID that identifies your subscription (i.e. Pay-As-You-Go) to use Azure services |
Tenant ID | The UUID of the Azure Active Directory |

The following table lists all the required fields on the PAM User record:

Field | Description |
---|---|
Title | Keeper record title, i.e. Azure PostgreSQL User1 |
Login | Case sensitive username of the account being rotated. If the user in the DB user table is in a Host other than %, add the Host value to the user name as USERNAME@SERVERNAME |
Password | Account password is optional, rotation will set one if blank |
Connect Database | Optional database that will be used when connecting to the database server. For example, PostgreSQL requires a database and so this will default to template1 |