After secondary key rotation, while using the new key, getting "The input authorization token can't serve the request"

Chandrahasan Subbaiyan 21 Reputation points
2021-09-26T10:04:27.917+00:00

I have rotated the secondary key using a pipeline, then tried to use this new secondary key to connect to Cosmos DB from my application. I get the following error for some time, then it works fine.

The input authorization token can't serve the request. Please check that the expected payload is built as per the protocol, and check the key being used. Server used the following payload to sign

What is the maximum time to wait before using this new key?

This article https://learn.microsoft.com/en-us/azure/cosmos-db/secure-access-to-data?tabs=using-primary-key mentioned "Validate that the new secondary key works consistently against your Azure Cosmos DB account. Key regeneration can take anywhere from one minute to multiple hours depending on the size of the Cosmos DB account."

Is it possible to validate the new key through the pipeline before using it in the application?

I want to rotate the key at application runtime without any error. Please help.

Azure Cosmos DB

Accepted answer
  1. KalyanChanumolu-MSFT 8,316 Reputation points
    2021-09-27T03:54:37.16+00:00

    @Chandrahasan Subbaiyan Welcome to Microsoft Q&A Forums.

    You should first regenerate the key which is not currently being used by the application configuration.
    This process could take a few hours depending on the size of your database because the key is used to encrypt the data at rest.

    You can have separate pipelines for regenerating the keys and updating the configuration so you can run the latter over the weekends or during non-business hours.

    Azure Cosmos DB now supports data plane role-based access control (RBAC).
    So, you can disable the primary/secondary keys on your account and do away with the need to rotate keys completely.

    Here is a tutorial that demonstrates the rotation for Azure Storage Account, but you get the idea for Cosmos DB as well.
    Automate the rotation of a secret for resources that have two sets of authentication credentials

    Please let us know if you have further questions.


    1 person found this answer helpful.
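On the question of validating the new key from the pipeline before the application uses it, here is one possible gate, added as an example and not taken from the thread or from Microsoft's tooling. It signs a list-databases request with the regenerated key using the documented Cosmos DB REST master-key scheme and passes only after several consecutive successes; the function names, the `COSMOS_ACCOUNT` and `COSMOS_NEW_KEY` variables, and the retry thresholds are assumptions.

```python
import base64, hashlib, hmac, time
import urllib.error, urllib.parse, urllib.request
from email.utils import formatdate

def build_auth_token(verb, resource_type, resource_link, date, key_b64):
    """Master-key token: HMAC-SHA256 over the payload the server also signs."""
    payload = (f"{verb.lower()}\n{resource_type.lower()}\n"
               f"{resource_link}\n{date.lower()}\n\n")  # resource link keeps its case
    sig = hmac.new(base64.b64decode(key_b64), payload.encode("utf-8"),
                   hashlib.sha256).digest()
    token = f"type=master&ver=1.0&sig={base64.b64encode(sig).decode()}"
    return urllib.parse.quote(token, safe="")

def probe_list_databases(account, key_b64):
    """Return the HTTP status of a GET /dbs request signed with key_b64."""
    date = formatdate(usegmt=True)  # RFC 1123 date, must match x-ms-date
    req = urllib.request.Request(
        f"https://{account}.documents.azure.com/dbs",  # account: placeholder
        headers={"authorization": build_auth_token("GET", "dbs", "", date, key_b64),
                 "x-ms-date": date, "x-ms-version": "2018-12-31"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # rejected token: report the status, do not raise

def key_is_stable(probe, required=5, max_attempts=60, delay=30.0, sleep=time.sleep):
    """True once probe() returns 200 `required` times in a row.

    Any failure resets the streak, so a single success while the key is
    still being regenerated does not count as working consistently.
    """
    streak = 0
    for attempt in range(max_attempts):
        if probe() == 200:
            streak += 1
            if streak >= required:
                return True
        else:
            streak = 0
        if attempt + 1 < max_attempts:
            sleep(delay)
    return False

if __name__ == "__main__":
    import os, sys  # pipeline step: exit non-zero so the config update is skipped
    ok = key_is_stable(lambda: probe_list_databases(
        os.environ["COSMOS_ACCOUNT"], os.environ["COSMOS_NEW_KEY"]))
    sys.exit(0 if ok else 1)
```

Run it as the step between the key-regeneration pipeline and the configuration-update pipeline, reading the key from the pipeline's secret store so it never appears in logs.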
