Key Vault Secret Rotation Orchestration
On schedule or on demand, the flow rotates a secret: reads the current value for rollback, generates a new value, writes a new Key Vault version, propagates it to a dependent App Service setting, verifies the new value is retrievable, and rolls back on failure - logging each step. Automates safe secret rotation end to end.
Overview
This flow automates safe, end-to-end rotation of an Azure Key Vault secret on a schedule. It reads the current secret value (for rollback), generates a new value, writes a new secret version, propagates the value to a dependent Azure App Service's application settings, verifies the new version is retrievable, and - if anything fails - rolls back to the previous value. Every run posts a status summary to a Microsoft Teams channel.
Why it matters: manual secret rotation is risky and frequently skipped. An orchestrated rotation with a built-in verification gate and an automatic compensating rollback keeps credentials fresh without breaking the apps that consume them.
Ships Off (Stopped). The new-version write uses the Key Vault data-plane REST API via HTTP (the connector is read-only for secrets).
Use Case
IT Admins and Developers who need regular, reliable rotation of API keys and connection-string secrets stored in Key Vault, where one or more applications consume the secret through their app settings and must stay in sync.
Flow Architecture
Monthly Rotation Schedule
Recurrence: Monthly rotation (swap for a manual/HTTP trigger to rotate on demand).
Initialize Trace & Config
Initialize variable: Mints a correlation id, binds the vault, secret, subscription/RG, app service + setting key, and Teams ids, generates the new value (two concatenated GUIDs), and prepares an empty old-value holder for rollback.
Rotate & Verify (Scope)
Scope: GetSecret current value -> capture old value -> HTTP PUT new version -> ARM propagate to the App Service setting -> GetSecret re-read -> assertion gate (fails the scope if the re-read value does not match).
Notify Success
Teams (runAfter Scope Succeeded): Posts a rotation success summary.
Rollback (Scope)
Scope (runAfter Scope Failed/TimedOut): Restores the previous secret value (HTTP PUT) and reverts the dependent app setting (ARM).
Notify Rolled Back
Teams: Alerts that rotation failed and was rolled back.
Environment Variables
| Schema name | Type | Default | Description |
|---|---|---|---|
| flowlibs_KeyVaultUrl | String | https://kv-flowlibs-demo.vault.azure.net | Vault base DNS URL for data-plane REST calls. |
| flowlibs_RotationSecretName | String | app-api-key | Name of the secret to rotate. |
| flowlibs_KeyVaultName | String | kv-flowlibs-demo | Vault short name (informational). |
| flowlibs_GraphTenantId | String | <your-tenant-id> | AAD tenant for the HTTP OAuth call. |
| flowlibs_GraphClientId | String | <your-client-id> | Service-principal client id for vault HTTP auth. |
| flowlibs_GraphClientSecret | String | REPLACE_WITH_CLIENT_SECRET | Service-principal secret (used only in the HTTP authentication block). |
| flowlibs_AzureSubscriptionId | String | <your-subscription-id> | Subscription of the dependent App Service. |
| flowlibs_AzureResourceGroup | String | rg-flowlibs-demo | Resource group of the dependent App Service. |
| flowlibs_DependentAppServiceName | String | app-flowlibs-demo | App Service that consumes the secret. |
Connectors & Connections
| Connector | API name | Actions used |
|---|---|---|
| Azure Key Vault | shared_keyvault | GetSecret |
| Azure Resource Manager | shared_arm | Resources_CreateOrUpdateById |
| Microsoft Teams | shared_teams | PostMessageToConversation |
| HTTP | shared_http | PUT /secrets (Key Vault data plane) |
Note — All connections are referenced as solution connection references; the flow is portable between environments as long as a connection is mapped at import time.
Customization Guide
Almost every realistic variant of this flow can be implemented by changing environment variable values. A few cases require small edits inside the flow definition — those are called out explicitly below.
- Rotation cadence / on-demand
- Adjust the Recurrence, or replace the trigger with a manual/HTTP-request trigger to rotate on demand.
- Stronger secret generation
- Replace the two-GUID value with your own generator (e.g. an Azure Function or complexity-rule expression).
- Multiple dependents
- Loop an Apply to each over app services/settings, or set each app setting to a Key Vault reference so propagation is automatic.
- Merge-safe app settings
- Read existing settings first and merge before the ARM PUT so other settings are preserved.
- Zero-downtime overlap
- Keep the previous version valid for a grace window (dual-secret overlap) before disabling it.
Key Expressions
The flow is intentionally light on Power Fx / WDL gymnastics; the heaviest expressions are the new-value generation and the verification gate. They are listed below in the order they appear in the flow.
EXPR.01 New secret value: 64 hex chars.
EXPR.02 Capture old value: stored for rollback before the overwrite.
EXPR.03 Verification gate (fails scope on mismatch): throws on mismatch to trigger rollback.
EXPR.04 ARM app-settings body: the new app setting value pushed via ARM.
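The Rotate & Verify and Rollback scopes, the merge-safe app-settings customization, and EXPR.01 to EXPR.03 are modelled together in the following Python, as an added example that is not the flow's own definition. The KeyVault and AppService classes are constructed in-memory stand-ins for the Key Vault data-plane PUT/GET and the ARM app-settings resource; the rotation logic, verification gate and compensating rollback are what the flow performs with the real endpoints.

```python
import logging
import uuid
log = logging.getLogger("rotation")


def new_secret_value() -> str:
    """EXPR.01: two GUIDs with hyphens stripped, concatenated -> 64 hex chars."""
    return uuid.uuid4().hex + uuid.uuid4().hex


class KeyVault:
    """Stand-in for GET/PUT on the Key Vault data plane (constructed, in-memory)."""
    def __init__(self, secrets):
        self.secrets = dict(secrets)
    def get_secret(self, name):
        return self.secrets[name]
    def set_secret(self, name, value):    # PUT writes a new version; only the latest is kept here
        self.secrets[name] = value


class AppService:
    """Stand-in for the ARM app-settings resource; fail_puts makes the next N PUTs fail."""
    def __init__(self, settings, fail_puts=0):
        self.settings, self.fail_puts = dict(settings), fail_puts
    def get_settings(self):
        return dict(self.settings)
    def put_settings(self, settings):
        if self.fail_puts:
            self.fail_puts -= 1
            raise RuntimeError("ARM PUT failed")
        self.settings = dict(settings)


def rotate(vault, app, secret_name, setting_key, generate=new_secret_value):
    """Rotate and verify, with compensating rollback. Returns (succeeded, active value)."""
    old_value = vault.get_secret(secret_name)        # EXPR.02: captured before the overwrite
    new_value = generate()
    try:
        vault.set_secret(secret_name, new_value)     # HTTP PUT: new secret version
        settings = app.get_settings()                # merge-safe: read all, change one key
        settings[setting_key] = new_value
        app.put_settings(settings)                   # ARM: propagate to the App Service
        if vault.get_secret(secret_name) != new_value:   # EXPR.03: verification gate
            raise RuntimeError("re-read value does not match")
        log.info("rotated %s", secret_name)
        return True, new_value
    except Exception as exc:                         # Rollback scope (runAfter Failed/TimedOut)
        log.warning("rotation of %s failed: %s; rolling back", secret_name, exc)
        vault.set_secret(secret_name, old_value)     # restore previous value
        settings = app.get_settings()
        settings[setting_key] = old_value
        app.put_settings(settings)                   # revert the dependent setting
        return False, old_value
```

Passing `fail_puts=1` to the AppService stand-in exercises the path where propagation fails and the rollback PUT succeeds, so the vault and the app setting both end on the previous value.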