Splunk Add-on for Microsoft Cloud Services: Will the add-on support SAS key rotation?

pkeller
Contributor

With regards to Azure Storage Accounts using SAS key, will the Splunk Add-on for Microsoft Cloud Services support situations where the SAS key is being rotated? I see only a field for a single SAS token.

0 Karma

lding_splunk
Splunk Employee

Hi Pkeller, thanks for reporting this issue.

A quick question, what's your practice to configure SAS and how would you like the add-on to support that?
Is this the idea?
1. configure multiple SAS with different expiration date at one time in azure portal
2. store all SAS tokens generated and hope the add-on can rotate them at different time?

I think generating multiple SAS tokens at one time is not the best practice, as mentioned below:
https://docs.microsoft.com/en-us/azure/storage/storage-dotnet-shared-access-signature-part-1

Some other options:
1. generate a SAS token with no expiration date
2. as bwu mentioned above, update the SAS token when it's expired.

Kindly let me know your comments. Thanks!

0 Karma

pkeller
Contributor

The answer I received back from our SMEs related to Azure is [inline]:

> A quick question, what's your practice to configure SAS and how would you like the add-on to support that?

We would like to configure one read-only SAS token for each Access Key. As the Access Keys are rotated, the associated SAS token becomes invalid. If the add-on could support a pair of SAS tokens, we would be able to rotate one key/token pair per maintenance cycle and not risk a service interruption.

Simply put, if the add-on could support 2 tokens and had the logic built in to switch to the second key if the primary fails, that would be optimal.

> Is this the idea?
> 1. configure multiple SAS with different expiration date at one time in azure portal

No, one token per key.

> 2. store all SAS tokens generated and hope the add-on can rotate them at different time?

Yes, but they should rotate based on failure to connect/pull.

Many thanks for your help,
pkeller

0 Karma

lding_splunk
Splunk Employee

Thanks, pkeller, for the reply.
Regarding the concept "one token per key", is it a security policy in your company?
It seems that technically the access key and the SAS token have nothing to do with each other. OTOH, the add-on can use account name + access key or account name + SAS token to do the authentication.

It's recommended that you create a token with no expiration date or an expiration date very far in the future. Does that make sense?

0 Karma

chadmedeiros
Path Finder

Hello, I'd like to add my voice to this as I have the same concern as pkeller.

We don't have the luxury of setting SAS token expiry date 'far in the future' -- it needs to be less than 3 months. Our system is configured to generate a new SAS token one week before the current token expires.

pkeller's solution is a good idea --> If we can have two SAS tokens in each storage account config then when the first one expires/fails the second one will be attempted.

Another big concern is that we need to have a way to update SAS tokens without manually typing.

The Azure Monitor Add-on for Splunk, for instance, connects directly to a keyvault to retrieve SAS tokens -- this is a valuable feature.

0 Karma
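
The behaviour requested in the posts above (a primary and a secondary SAS token, switching when the primary expires or is rejected, with a warning one week before expiry) could look like the following. This is an added example, not part of the thread and not code from the add-on; `sas_expiry`, `select_token` and `probe` are hypothetical names, and the sample tokens are constructed.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs

# Timestamp layouts accepted here for the signed-expiry ("se") field.
_SE_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%d")

def sas_expiry(token):
    """Return the token's signed expiry ("se") as an aware UTC datetime."""
    fields = parse_qs(token.lstrip("?"))
    if "se" not in fields:
        # e.g. a token tied to a stored access policy carries no "se"
        raise ValueError("SAS token has no 'se' field")
    for fmt in _SE_FORMATS:
        try:
            parsed = datetime.strptime(fields["se"][0], fmt)
            return parsed.replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError("unrecognised 'se' timestamp")

def select_token(tokens, now, probe=None, warn_window=timedelta(days=7)):
    """Return (index of first usable token or None, list of warnings).

    tokens: ordered list, primary first. probe: optional callable that
    returns False when the service rejects the token (for example after
    the signing access key was rotated). Warnings name tokens by index
    only, so no secret is written to logs.
    """
    chosen, warnings = None, []
    for i, token in enumerate(tokens):
        expiry = sas_expiry(token)
        if expiry <= now:
            warnings.append(f"token {i}: expired {expiry:%Y-%m-%d}")
            continue
        if probe is not None and not probe(token):
            warnings.append(f"token {i}: rejected by service")
            continue
        if expiry - now <= warn_window:
            warnings.append(f"token {i}: expires within {warn_window.days} days")
        if chosen is None:
            chosen = i
    return chosen, warnings

# Constructed sample tokens; the sig values are placeholders, not real signatures.
PRIMARY = "?sv=2020-08-04&ss=b&srt=sco&sp=rl&se=2021-11-01T00:00:00Z&sig=PLACEHOLDER1"
SECONDARY = "sv=2020-08-04&ss=b&srt=sco&sp=rl&se=2022-01-20&sig=PLACEHOLDER2"

if __name__ == "__main__":
    now = datetime(2021, 10, 28, tzinfo=timezone.utc)
    print(select_token([PRIMARY, SECONDARY], now))
```

Expiry can be read from the token itself, but invalidation by access-key rotation is only visible as a rejected request, which is why the `probe` hook is separate.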

bwu_splunk
Splunk Employee

When you configure an input to collect the data stored in Azure Storage, you need to choose one and only one storage account for this input. Each storage account maps to one SAS key. So if your SAS key has expired or become invalid, you need to configure the Storage Account and type in the valid SAS key.

0 Karma