This guide is going to break down how to create a secure password string in a logic app flow and upload this secret into a key vault using the REST API.

I had previously explored executing Java code in the Inline Code connector, which utilises an integration account to generate a password string. However, on further research, articles such as this identify it is not secure. I needed to find a way to produce a cryptographically secure password string for use. This has led me to the following solution, which I hope others will find useful.

2. Create an automation runbook using Python with runtime version 3.8 (it is important that we use this version).
3. Edit your runbook and paste in the Python script that will generate the password:

    #!/usr/bin/env python3
    import secrets
    import string
    alphabet = string.ascii_letters + string.digits
    password = ''.join(secrets.choice(alphabet) for i in range(20))  # for a 20-character password
    print(password)  # written to the job output so the logic app can read it

4. Save & Publish the runbook to complete.

Logic App

Within your logic app, create a connector from Azure Automation for ‘Create job’. Specify the subscription, resource group, automation account & Python runbook.

Check the ‘Wait for job’ parameter, as we need the flow to pause while the runbook executes.

Create the ‘Get job output’ connector and specify the dynamic content for Job ID so we can grab the output of the runbook script.

Now if you were to manually trigger the logic app, you can see the job output shows the password string that has been generated from the Python runbook.

To expand further on this, you can publish the secret into a key vault using the REST API.

In your Logic App go to Settings > Identity > turn on System assigned managed identity.

Copy the managed identity principal ID that is generated for the identity.

Locate the key vault resource and grant the managed identity access (secret permissions) as per Microsoft docs under access policies on the key vault.

Create an HTTP request connector in the logic app and select PUT as our method of call.

Amend the ?api-version=7.3.

"value":

From the drop down ‘Add new parameter’ select Authentication and specify system-assigned managed identity with an audience URL:

Running the logic app to test should show it now creates a secure 20 character password from our runbook and then uses the REST API to create a secret with this value.

If you are running this within an existing process, you may find it better to add steps to ask product owners what they want the key vault secret name to be, so you can use that as a dynamic value in the API request for each run.

Alternatively, create a random string for each run so it’s not updating the same secret with an updated password.

How do we know this is a cryptographically secure password generation method?

I’m happy with this solution as a secure password generator, as the official Python docs (secrets - Generate secure random numbers for managing secrets, Python 3.11.0 documentation) say this method will create “cryptographically strong random numbers suitable for managing data such as passwords”.
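The runbook generator and the Key Vault request described on this page, written out as an added example (not the author's code): it sets the `secrets` generator beside a seeded `random` counterpart to show why the latter is unsuitable, creates a fresh secret name per run, and builds the PUT request without sending it. The vault URL, the `logicapp` prefix and all function names are assumptions; the URI shape follows the Key Vault REST API's Set Secret operation.

```python
import json
import math
import random
import re
import secrets
import string

ALPHABET = string.ascii_letters + string.digits  # same 62 symbols as the runbook
API_VERSION = "7.3"                              # version used on this page
NAME_RE = re.compile(r"[0-9a-zA-Z-]{1,127}")     # Key Vault secret-name rule


def strong_password(length=20):
    """CSPRNG-backed password, as in the runbook (secrets draws from os.urandom)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def predictable_password(seed, length=20):
    """Counter-example: random (Mersenne Twister) replays exactly from its seed."""
    rng = random.Random(seed)
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def entropy_bits(length=20):
    """Upper bound on entropy when every symbol is drawn uniformly."""
    return length * math.log2(len(ALPHABET))


def random_secret_name(prefix="logicapp"):
    """Fresh name per run so an existing secret is not overwritten."""
    name = "{}-{}".format(prefix, secrets.token_hex(8))
    if not NAME_RE.fullmatch(name):
        raise ValueError("invalid Key Vault secret name: " + name)
    return name


def set_secret_request(vault_url, name, value):
    """Method, URI and JSON body for the HTTP action (nothing is sent)."""
    if not vault_url.startswith("https://"):
        raise ValueError("vault URL must be https")
    uri = "{}/secrets/{}?api-version={}".format(vault_url.rstrip("/"), name, API_VERSION)
    return "PUT", uri, json.dumps({"value": value})


if __name__ == "__main__":
    # Hypothetical vault name, constructed for this example.
    method, uri, _ = set_secret_request(
        "https://example-vault.vault.azure.net", random_secret_name(), strong_password())
    print(method, uri)                       # body withheld: it holds the secret
    print(round(entropy_bits(), 1), "bits")
```

A 20-character password over 62 symbols carries about 119 bits only when each symbol comes from a CSPRNG; the seeded variant has no more entropy than its seed.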