articles/operator-nexus/howto-credential-rotation.md: 10 additions & 5 deletions
@@ -37,9 +37,9 @@ The Operator Nexus Platform offers a managed credential rotation process that au
37
37
When a new Cluster is created, the credentials are automatically rotated during deployment. The managed credential process then automatically rotates these credentials periodically based on the credential type. The updated credentials are written to the key vault associated with the Cluster resource.
38
38
39
39
> [!NOTE]
40
-
> The introduction of this capability enables auto-rotation for existing instances. If any of the supported credentials haven't rotated within the expected rotation time period, they'll rotate during the management upgrade.
40
+
> The introduction of this capability enables autorotation for existing instances. Rotation occurs during the management upgrade if any of the supported credentials are due for rotation within the expected rotation time period.
41
41
42
-
With the 2024-07-01-GA API, the credential rotation status is available on the Bare Metal Machine or Storage Appliance resourcesin the `secretRotationStatus` data construct for each of the rotated credentials.
42
+
The 2024-07-01-GA version of the Network Cloud API added the credential rotation status on the Bare Metal Machine and Storage Appliance resources. This information can be found in the secretRotationStatus data construct for each of the rotated credentials. The 2025-07-01-preview & subsequent versions of the API adds the keyVaultUri to this data construct to indicate which Key Vault contains the rotated secret.
43
43
44
44
One example of this `secretRotationStatus` looks like:
45
45
```
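Review bot: the rewritten line 42 has a subject-verb disagreement and drops the code formatting the removed line had: "The 2025-07-01-preview & subsequent versions of the API adds the keyVaultUri" should read "The 2025-07-01-preview and subsequent versions of the API add the `keyVaultUri`", and `secretRotationStatus` should keep its backticks (it is formatted as code on line 44 just below). The reworded note on line 40 is also ambiguous: "are due for rotation within the expected rotation time period" can be read as "will become due soon", whereas the removed line said that credentials that have not rotated within the expected period are rotated during the management upgrade; "are overdue for rotation" would preserve that meaning.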
@@ -48,6 +48,7 @@ One example of this `secretRotationStatus` looks like:
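Review bot: the body of this hunk is collapsed on the page, so the single line added to the example `secretRotationStatus` block cannot be reviewed here; please confirm it is the `keyVaultUri` field the new prose describes and that the vault URI in the sample is an obvious placeholder rather than a real vault address.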
@@ -60,7 +61,11 @@ In the `secretRotationStatus` object, the following fields provide context to th
60
61
61
62
-`lastRotationTime`: The timestamp in UTC of the previous successful rotation.
62
63
-`rotationPeriodDays`: The number in days the Credential Manager service is scheduled to rotate this credential. This value isn't remaining days from the `lastRotatedTime` since rotation can be delayed, but how many days on a schedule the service rotates a particular credential.
63
-
-`secretArchiveReference`: A reference to the Key Vault that the credential is stored. It contains the ID of the key vault, the secret name of the stored credential, and the version of the secret that was previously rotated.
64
+
-`secretArchiveReference`: A reference to the Key Vault that the credential is stored. It contains:
65
+
- the URI of the key vault
66
+
- the ID of the key vault
67
+
- the secret name of the stored credential
68
+
- the version of the secret that was previously rotated
64
69
65
70
>[!CAUTION]
66
71
> If a credential is changed on a device outside of the automatic credential rotation service, the next rotation will likely fail due to the secret not being known by the software. This issue prevents further automated rotation.
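Review bot: the four new sub-bullets under `secretArchiveReference` (lines 65-68) are not indented, so Markdown renders them as top-level bullets alongside `lastRotationTime` and `rotationPeriodDays` instead of as the contents of the reference; indent them by two spaces, e.g. "  - the URI of the key vault". The first sub-bullet should also state that the URI is only present from the 2025-07-01-preview API onward, as the prose in the earlier hunk says, otherwise readers on 2024-07-01-GA will look for a field that is not there. While here, the unchanged context uses both `lastRotationTime` (line 61) and `lastRotatedTime` (line 62) for the same field; one of them is a typo.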
@@ -77,8 +82,8 @@ The unknown state of credentials to the platform impacts monitoring and the abil
77
82
78
83
In order to restore the state of the credential, it must be reset to a value that the platform recognizes. There are two options for this situation:
79
84
80
-
1. Run a [BareMetalMachine replace](./howto-baremetal-functions.md) action providing the current active credentials. The replace action allows the machine to use provided credentials to reset credential rotation. This is the recommended option if significant changes are made to the machine.
81
-
1. Reset the BMC credential back to the value prior to the manual change. If a key vault is configured for receiving rotated credential, then the proper value may be obtained using information from the `secretRotationStatus` data for the Bare Metal Machine resource. The rotation status for the BMC Credential indicates the secret key and version within the key vault for the appropriate value. Once the credential is set to match the value expected by the credential rotation system, rotation will proceed normally.
85
+
1. Run a [BareMetalMachine replace](./howto-baremetal-functions.md) action providing the current active credentials. The replace action allows the machine to use provided credentials to reset credential rotation. This action is the recommended option if significant changes are made to the machine.
86
+
1. Reset the BMC credential back to the value before the manual change. If a key vault is configured for receiving rotated credential, then the proper value can be obtained using information from the `secretRotationStatus` data for the Bare Metal Machine resource. The rotation status for the BMC Credential indicates the secret key and version within the key vault for the appropriate value. Once the credential is set to match the value expected by the credential rotation system, rotation occurs normally.
82
87
83
88
Example `secretRotationStatus` for BMC credential. Use the `secretName` and `secretVersion` to find the proper value in the cluster key vault.
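Review bot: "configured for receiving rotated credential" on line 86 should be "rotated credentials" (carried over unchanged from removed line 81). The second option would also be clearer if it said explicitly that the value to set on the BMC is the secret at the `secretName` and `secretVersion` reported in `secretRotationStatus`, read from the key vault, rather than "the value before the manual change", so an operator does not reuse whatever was typed on the device. The other wording changes in this hunk (before / can be / occurs) are fine.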