Updating secret for Azure Service Principal in CloudHealth



Article ID: 385698


Products

CloudHealth

Issue/Introduction

Service principals configured to allow CloudHealth to access your Azure tenancy use a client secret that expires and must be renewed periodically.

An expired secret can lead to:

  • Asset metadata becoming stale, because the service principal grants the platform the access required to pull this data.
  • Cost & Usage reports becoming stale. For Enterprise Agreement (EA) and Microsoft Customer Agreement (MCA) customers, the service principal grants role-based access to the billing accounts associated with these two billing methods; losing access via the service principal severs the platform's ability to collect from the billing account.

Resolution

To update the secret used by the service principal, follow these steps:

  1. Navigate to Azure Cloud -> Setup -> Accounts -> Azure Service Principal, locate the service principal displaying "critical", and note the Application ID shown.
  2. Navigate to the Azure portal -> App registrations -> select the app registration whose Application ID matches the one noted in Step 1 -> select Certificates & secrets in the left navigation.

  3. All existing client secrets are listed; you will likely find that the current one has passed its expiry time. Select "New client secret".

  4. You will be prompted to enter a description for the secret and an expiry time.

  5. Once the secret has been generated, copy the entry from the "Value" field rather than the "Secret ID" field.

  6. Finally, paste that secret into the "Key" field under the CloudHealth service principal that displayed critical in Step 1 and validate that the service principal moves to a healthy state.


Optional: To mitigate this issue in the future, you can create a policy within CloudHealth to alert you when the secret associated with the service principal has expired.

To do so, follow these steps:

1. Navigate to Governance -> Policies, and select Create New Policy.

2. Within the policy, set the resource type to Azure Service Principal.

3. For the condition, set the topic to Configuration and the measure to Status, and set the "When any Azure Service Principals' status is" dropdown to Critical.

4. Under Actions, set an action to email yourself or whoever manages the Azure side of the tenant, alerting them that the service principal has moved to critical.
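The CloudHealth policy above fires only after the service principal has already gone critical, that is, after collection has already stopped. As an added example (not part of this article and not CloudHealth's or Microsoft's own tooling), the following Python script reads the JSON that `az ad app credential list --id <APPLICATION_ID>` prints for the app registration noted in Step 1 and classifies each client secret as expired, expiring within a warning window, or healthy, so the rotation in Steps 2 to 6 can be scheduled before the expiry date. The sample JSON is constructed to match the shape of that command's output; the display names and key IDs in it are placeholders, and the 30-day warning window is an assumption you can change.

```python
"""Classify an Azure app registration's client secrets by expiry date.

Added example, not part of the CloudHealth article. Input is the JSON
printed by `az ad app credential list --id <APPLICATION_ID>`; only the
fields read below are required. The secret value itself is never in this
output (Azure shows it only once, at creation), so nothing sensitive is parsed.
"""
import json
import sys
from datetime import datetime, timedelta

# Constructed sample mimicking `az ad app credential list` output.
# displayName and keyId values are placeholders, not real identifiers.
SAMPLE_OUTPUT = """
[
  {"displayName": "cloudhealth-2023", "keyId": "11111111-1111-1111-1111-111111111111",
   "startDateTime": "2023-01-10T09:00:00Z", "endDateTime": "2024-01-10T09:00:00Z"},
  {"displayName": "cloudhealth-2024", "keyId": "22222222-2222-2222-2222-222222222222",
   "startDateTime": "2024-01-05T09:00:00Z", "endDateTime": "2025-01-05T09:00:00Z"}
]
"""


def parse_az_time(value):
    """az CLI emits ISO-8601 UTC timestamps with a trailing 'Z'; make them aware datetimes."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def classify_secrets(credentials, now, warn_days=30):
    """Return {keyId: state}, state being 'expired', 'expiring' or 'healthy'."""
    states = {}
    for cred in credentials:
        end = parse_az_time(cred["endDateTime"])
        if end <= now:
            states[cred["keyId"]] = "expired"
        elif end - now <= timedelta(days=warn_days):
            states[cred["keyId"]] = "expiring"
        else:
            states[cred["keyId"]] = "healthy"
    return states


def check_credentials_json(az_json, now_iso, warn_days=30):
    """Parse the az CLI JSON text and classify every secret relative to now_iso."""
    return classify_secrets(json.loads(az_json), parse_az_time(now_iso), warn_days)


def has_usable_secret(az_json, now_iso, warn_days=30):
    """True if at least one secret is valid beyond the warning window.

    False means rotation is due now: either every secret is expired (CloudHealth
    will show the service principal as critical) or the only valid ones are
    about to expire.
    """
    return "healthy" in check_credentials_json(az_json, now_iso, warn_days).values()


def main(argv):
    # Usage: python check_secrets.py [path-to-az-output.json]
    # With no argument the constructed sample is used, evaluated at a fixed date.
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            az_json = fh.read()
        now_iso = datetime.now().astimezone().isoformat()
    else:
        az_json, now_iso = SAMPLE_OUTPUT, "2024-12-15T00:00:00Z"
    for cred in json.loads(az_json):
        state = check_credentials_json(az_json, now_iso)[cred["keyId"]]
        print(f'{cred["displayName"]:<24} {cred["endDateTime"]}  {state}')
    return 0 if has_usable_secret(az_json, now_iso) else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Redirect the az CLI output to a file and pass its path as the only argument; a non-zero exit code means no secret is valid beyond the warning window, which makes the script easy to run from a scheduled job that opens a ticket before the CloudHealth policy would fire. Two caveats when rotating: Azure displays the secret's value only once, at creation, which is why Step 5 tells you to copy the Value field immediately; and if you create the replacement from the CLI rather than the portal, `az ad app credential reset` without `--append` removes the existing credentials, so use `--append` to keep the old secret valid until CloudHealth has been updated in Step 6.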