AKV secrets do not have an expiration date set
Description
The Azure Key Vault (AKV) enables users to store and keep secrets within the Microsoft Azure environment. Secrets in the AKV are octet sequences with a maximum size of 25k bytes each.
The exp (expiration time) attribute identifies the expiration time on or after which the secret must not be used. By default, secrets do not expire.
We recommend you rotate secrets in the key vault and set an explicit expiration time for all secrets. This ensures that the secrets cannot be used beyond their assigned lifetimes.
Fix - Runtime
Azure Portal
To change the policy using the Azure Portal, follow these steps:
- Log in to the Azure Portal at https://portal.azure.com.
- Navigate to Key vaults.
- For each Key vault:
a) Click Secrets.
b) Navigate to Settings.
c) Set Enabled? to Yes.
d) Set an appropriate EXPIRATION DATE on all secrets.
CLI Command
To set an EXPIRATION DATE on all secrets, use the following command:
az keyvault secret set-attributes
--name <secretName>
--vault-name <vaultName>
--expires Y-m-d'T'H:M:S'Z'
Fix - Buildtime
Terraform
- Resource: azurerm_key_vault_secret
- Argument: expiration_date
resource "azurerm_key_vault_secret" "example" {
...
+ expiration_date = "2020-12-30T20:00:00Z"
}