如何轮换 Azure 日志分析工作区的密钥

Question

What is the recommended way of programmatically rotating keys for Azure Log Analytics Workspace?

The only described way I found was through REST API . However it does not seem to be working:

curl -X POST -H "Authorization: Bearer ${TOKEN}" -H "Content-Type: application/json" -d "" https://management.azure.com/subscriptions/${SUBSCRIPTION_ID}/resourcegroups/${RESOURCE_GROUP_NAME}/providers/Microsoft.OperationalInsights/workspaces/${LAW_NAME}/listKeys?api-version=2015-03-20
curl -X POST -H "Authorization: Bearer ${TOKEN}" -H "Content-Type: application/json" -d "" https://management.azure.com/subscriptions/${SUBSCRIPTION_ID}/resourcegroups/${RESOURCE_GROUP_NAME}/providers/Microsoft.OperationalInsights/workspaces/${LAW_NAME}/regenerateSharedKey?api-version=2015-03-20

The first call listing keys works without problems. The second, trying to rotate keys, fails with error message:

{
  "message": "No HTTP resource was found that matches the request URI 'https://opinsightsweuams.trafficmanager.net/api/subscriptions/XXXXX/resourcegroups/XXXXX/providers/Microsoft.OperationalInsights/workspaces/XXXXX/regenerateSharedKey?api-version=2015-03-20&contextId=XXXXX'."
}

Does this API still works? Are there any other ways to rotate the keys?

Answer 1

Update 01/23:

I got the feedback from support team.

The Regenerate Shared Keys api had a little changed previously, but the doc is not updated:(.

You need to add the parameter keyType with value primarySharedKey or secondarySharedKey .

The reason of the change: previously, when use the api to regenerate key, both the primary and secondary keys are regenerated together. So there is a user feedback that we should update the api and make it each time only re-generate one key.

I tested it, working fine. The test screenshot as below:

---

Original:

The Regenerate Shared Keys api does not work now.

The actual api used is as below:

for re-regenerating primary key :

https://www.mms.microsoft.com/Embedded/Api/arm/management/CustomerManagement/AgentRegenerateSharedKey?keyType=primarySharedKey .

for for re-regenerating secondary key :

https://www.mms.microsoft.com/Embedded/Api/arm/management/CustomerManagement/AgentRegenerateSharedKey?keyType=secondarySharedKey

Here are the steps to check the api, and how to re-generate a new shared key.

Step 1.Nav to azure portal -> your Log Analytics Workspace -> Advanced Settings -> Connected Sources -> Windows Servers, and press F12 button to check the actual request(I'm using Edge browser) -> then click the Regenerate button for Primary Key. Screenshot as below(And as you can see from the screenshot, the actual request url is https://www.mms.microsoft.com/Embedded/Api/xxx ):

Step 2.Since we know that the actual url, then how can we get the token?

The simple way is that you can get the token from step 1, when view the quest details via F12 button, you can also find the token(it's temporary).

Another way is that, open visual studio -> login with you azure account -> create a console project -> then install the package Microsoft.Azure.Services.AppAuthentication . Then write the following code in the console project:

using Microsoft.Azure.Services.AppAuthentication;
using System;

namespace ConsoleApp17
{
    class Program
    {
        static void Main(string[] args)
        {            
            AzureServiceTokenProvider azureServiceTokenProvider = new AzureServiceTokenProvider();
            string accessToken = azureServiceTokenProvider.GetAccessTokenAsync("https://management.core.windows.net/").Result;

            Console.WriteLine(accessToken);

            Console.WriteLine("**completed**");
            Console.ReadLine();
        }        

    }
}

Step 3:After get the token, you can use the token to re-generate the Shared key.

I did the test to re-generate primary key, and using the tool postman.

open postman, for headers and url , follow the screenshot below:

for Body , follow the screenshot below:

At last, click the send button, you can see the reponse is 200 ok . And refresh the portal, you can see the new primary key is generated.

If you prefer to use curl or other programming language to do this, just follow the steps above, and provide proper request headers / token / request body .

Answer 2

Just to add to @ivan-yang solution, the way to achieve it with the curl is:

RESP=`curl -X POST -d "grant_type=client_credentials&client_id=${servicePrincipalId}&client_secret=${servicePrincipalKey}&resource=https%3A%2F%2Fmanagement.azure.com%2F" https://login.microsoftonline.com/${TENANT_ID}/oauth2/token`
TOKEN=`echo ${RESP} | jq -r '.access_token'`

curl -X POST -H "x-ms-client-auth-token: Bearer ${TOKEN}" -H "Content-Type: application/json" \
    -H "x-ms-client-workspace-name: ${LAW_NAME}" \
    -H "x-ms-client-workspace-path: /subscriptions/${SUBSCRIPTION_ID}/resourcegroups/${RESOURCE_GROUP_NAME}/providers/Microsoft.OperationalInsights/workspaces/${LAW_NAME}" \
    -d "{\"workspacePath\":\"/subscriptions/${SUBSCRIPTION_ID}/resourcegroups/${RESOURCE_GROUP_NAME}/providers/Microsoft.OperationalInsights/workspaces/${LAW_NAME}\",\"data\":{}}" \
    https://www.mms.microsoft.com/Embedded/Api/arm/management/CustomerManagement/AgentRegenerateSharedKey?keyType=secondarySharedKey

-- EDIT

it is even easier with az rest command:

az rest -m POST -u https://management.azure.com/subscriptions/${SUBSCRIPTION_ID}/resourcegroups/${RESOURCE_GROUP_NAME}/providers/Microsoft.OperationalInsights/workspaces/${LAW_NAME}/regenerateSharedKey?api-version=2015-03-20\&keyType=secondarySharedKey