question

ChandrahasanSubbaiyan-0851 asked KalyanChanumolu-MSFT commented

After secondary key rotation, while using the new key, getting "The input authorization token can't serve the request"

I have rotated the secondary key using a pipeline, then tried to use this new secondary key to connect to cosmos-db from my application. I get the following error for some time, then it works fine.

The input authorization token can't serve the request. Please check that the expected payload is built as per the protocol, and check the key being used. Server used the following payload to sign

What is the maximum time to wait before using this new key?

This article https://docs.microsoft.com/en-us/azure/cosmos-db/secure-access-to-data?tabs=using-primary-key mentioned "Validate that the new secondary key works consistently against your Azure Cosmos DB account. Key regeneration can take anywhere from one minute to multiple hours depending on the size of the Cosmos DB account."


Is it possible to validate the new key through a pipeline before using it in the application?

I want to rotate the key during application runtime without any error. Please help.



azure-cosmos-db

1 Answer

KalyanChanumolu-MSFT answered KalyanChanumolu-MSFT commented

@ChandrahasanSubbaiyan-0851 Welcome to Microsoft Q&A Forums.

You should first regenerate the key which is not currently being used by the application configuration.
This process could take a few hours depending on the size of your database because the key is used to encrypt the data at rest.

You can have separate pipelines for regenerating the keys and updating the configuration so you can run the latter over the weekends or during non-business hours.

Azure CosmosDB now supports Data plane role-based access control (RBAC).
So, you can disable the primary/secondary keys on your account and do away with the need to rotate keys completely.

Here is a tutorial that demonstrates the rotation for Azure Storage Account, but you get the idea for Cosmos DB as well.
Automate the rotation of a secret for resources that have two sets of authentication credentials

Please let us know if you have further questions.



Hi @KalyanChanumolu-MSFT ,

Thanks for your response.

Assume I have two pipelines, one for regenerating keys and another for refreshing the application configuration. Once the first pipeline is completed, how long do I need to wait before executing the second pipeline? How do I check that the new key is ready to use?

You have mentioned weekends or non-business hours, but this is not helping. Can you provide some maximum hours like 24h or 48h or 72 hours?
Or provide some Azure CLI command to check that the new key is ready to use.

Hope you understand my problem, I just want to know when I can execute the second pipeline.



KalyanChanumolu-MSFT commented

@ChandrahasanSubbaiyan-0851 Thank you for providing additional context.

Currently there is no CLI command to check the status of key regeneration.
You should be good to schedule the second pipeline after 24 hours.

Please reach out if you still face any issues.


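One way to gate the second pipeline on the new key being accepted consistently, as an added example that is not part of the original thread or any Microsoft tooling: it signs a list-databases request to the Cosmos DB REST API with the new key (the payload the error message refers to) and passes only after several consecutive successes. The environment variable names, probe count, interval and the 24-hour deadline are assumptions.

```python
import base64, hashlib, hmac, os, time
import urllib.error, urllib.parse, urllib.request
from email.utils import formatdate


def build_auth_token(verb, resource_type, resource_link, date, key_b64):
    """Master-key token: HMAC-SHA256 over the payload the server rebuilds and checks."""
    payload = f"{verb.lower()}\n{resource_type.lower()}\n{resource_link}\n{date.lower()}\n\n"
    sig = hmac.new(base64.b64decode(key_b64), payload.encode("utf-8"), hashlib.sha256).digest()
    token = "type=master&ver=1.0&sig=" + base64.b64encode(sig).decode()
    return urllib.parse.quote(token, safe="")


def probe_key(endpoint, key_b64, timeout=10):
    """One data-plane call (list databases) signed with the key; True if accepted."""
    date = formatdate(usegmt=True)  # RFC 1123 date, also sent as x-ms-date
    req = urllib.request.Request(endpoint.rstrip("/") + "/dbs", headers={
        "authorization": build_auth_token("GET", "dbs", "", date, key_b64),
        "x-ms-date": date,
        "x-ms-version": "2018-12-31",
    })
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status == 200
    except urllib.error.HTTPError:
        return False  # 401 is the rejection from the question; any error resets the streak


def wait_until_consistent(probe, required=5, interval=60.0, deadline=24 * 3600,
                          sleep=time.sleep):
    """True once `required` consecutive probes succeed, False when the deadline passes."""
    streak, waited = 0, 0.0
    while True:
        streak = streak + 1 if probe() else 0  # a single failure starts the count over
        if streak >= required:
            return True
        if waited >= deadline:
            return False
        sleep(interval)
        waited += interval


if __name__ == "__main__":
    # Assumed variable names; inject the key as a pipeline secret and never echo it.
    endpoint = os.environ["COSMOS_ENDPOINT"]  # e.g. https://<account>.documents.azure.com
    new_key = os.environ["COSMOS_NEW_KEY"]
    raise SystemExit(0 if wait_until_consistent(lambda: probe_key(endpoint, new_key)) else 1)
```

Run it as the last step of the regeneration pipeline, or the first step of the configuration pipeline, so a non-zero exit blocks the configuration update.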