You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: articles/operator-nexus/howto-credential-rotation.md
+14-6Lines changed: 14 additions & 6 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -4,9 +4,9 @@ description: Describes the credential rotation lifecycle including automated rot
4
4
ms.service: azure-operator-nexus
5
5
ms.custom: template-how-to
6
6
ms.topic: how-to
7
-
ms.date: 10/9/2024
8
-
author: eak13
9
-
ms.author: ekarandjeff
7
+
ms.date: 12/02/2024
8
+
author: matternst7258
9
+
ms.author: matthewernst
10
10
---
11
11
12
12
# Credential rotation management for Operator Nexus on-premises devices
@@ -22,7 +22,7 @@ This article describes the Operator Nexus credential rotation lifecycle includin
22
22
- For information on configuring the key vault to receive credential rotation updates, see [Setting up Key Vault for Managed Credential Rotation](how-to-credential-manager-key-vault.md).
23
23
24
24
> [!IMPORTANT]
25
-
> A key vault must be provided on the Cluster, otherwise credentials will not be retrievable. Microsoft Support does not have access to the credentials.
25
+
> A key vault must be provided on the Cluster, otherwise credentials won't be retrievable. Microsoft Support doesn't have access to the credentials.
26
26
27
27
## Rotating credentials
28
28
@@ -37,7 +37,7 @@ The Operator Nexus Platform offers a managed credential rotation process that au
37
37
When a new Cluster is created, the credentials are automatically rotated during deployment. The managed credential process then automatically rotates these credentials periodically based on the credential type. The updated credentials are written to the key vault associated with the Cluster resource.
38
38
39
39
> [!NOTE]
40
-
> The introduction of this capability enables auto-rotation for existing instances. If any of the supported credentials have not been rotated within the expected rotation time period, they will be rotated during the management upgrade.
40
+
> The introduction of this capability enables auto-rotation for existing instances. If any of the supported credentials hasn't rotated within the expected rotation time period, they'll rotate during the management upgrade.
41
41
42
42
With the 2024-07-01-GA API, the credential rotation status is available on the Bare Metal Machine or Storage Appliance resources in the `secretRotationStatus` data construct for each of the rotated credentials.
43
43
@@ -63,10 +63,18 @@ In the `secretRotationStatus` object, the following fields provide context to th
63
63
-`secretArchiveReference`: A reference to the Key Vault that the credential is stored. It contains the ID of the key vault, the secret name of the stored credential, and the version of the secret that was previously rotated.
64
64
65
65
>[!CAUTION]
66
-
> If a credential is changed on a device outside of the automatic credential rotation service, the next rotation will likely fail due to the secret not being known by the software. This prevents further automated rotation and a [baremetal machine replace](./howto-baremetal-functions.md) is required to address manually changed credentials.
66
+
> If a credential is changed on a device outside of the automatic credential rotation service, the next rotation will likely fail due to the secret not being known by the software. This issue prevents further automated rotation and a [BareMetalMachine replace](./howto-baremetal-functions.md) is required to address manually changed credentials.
67
67
68
68
Operator Nexus also provides a service for preemptive rotation of the above Platform credentials. This service is available to customers upon request through a support ticket. Credential rotation for Operator Nexus Fabric devices also requires a support ticket. Instructions for generating a support request are described in the next section.
69
69
70
+
## Manual changes to credentials
71
+
72
+
The Credential Manager generates a secure password from the current value updates all BMC nodes and the KeyVault associated with the cluster. The Credential Manager checks KeyVault accessibility and uses the last known rotated secret to access the BMC and then performs the rotation.
73
+
74
+
Manually rotated secrets aren't recognized by the platform, preventing the Credential Manager from accessing the BMC to update the new password. For iDRAC rotation, the Credential Manager passes a new credential to the BareMetalMachine controller and the attempts to access the iDRAC password for rotation. Manual changes to the credential require a `replace`[action](./howto-baremetal-functions.md) being performed doesn't allow the platform to recognize the new password.
75
+
76
+
The unknown state of credentials to the platform impacts monitoring and the ability to perform future runtime version upgrades.
77
+
70
78
## Create a support request
71
79
72
80
Users raise credential rotation requests by [contacting support](https://portal.azure.com/?#blade/Microsoft_Azure_Support/HelpAndSupportBlade). These details are required in order to perform the credential rotation on the requested target instance:
![prmerger-automator[bot]](https://avatars.githubusercontent.com/u/22479449?v=4&size=40){kind=avatar}
0 commit comments