Rotating Keys

About

This document provides examples of how to rotate keys for various platforms and deployments.

Requirements

  • Monte Carlo Role and Subscription: You must have the Account Owner role in Monte Carlo. Additionally, your account must be subscribed to either the Scale or Enterprise tier with the Advanced Networking option for a hybrid deployment.
  • Cloud Admin: Administrative access to your cloud (e.g., Azure, AWS, or GCP) is necessary.

Platforms

Azure Agent

Storage Accounts

The Azure Agent uses two storage accounts where you can rotate keys.

| Type | Terraform Name | Description |
|---|---|---|
| Durable Functions Storage | mcdagent0fs<ID> | The account is used by Azure Durable Functions for app functionality. |
| Data Store storage | mcdagent1fs<ID> | The account is used to store Monte Carlo-related files (such as sampling data). |

More information about managing storage account access keys is available in the Azure documentation here.

Steps: Rotating Durable Functions storage access keys

  1. Before starting, confirm that the agent is operational. See docs here for details.
  2. Then, confirm any associated integrations. You can do this by navigating to the Integrations tab in Settings (here) and selecting "Test" under the kebab menu (vertical triple dots).
  3. Next, open the Azure Portal and locate the Azure Function. This can be done by searching in the agent's resource group.
  4. From the function's Settings tab, select 'Environment variables', and then locate the variable named AzureWebJobsStorage. Copy its value for future reference, and leave this tab open.
Azure Portal Example

  5. Next, open the Azure Storage Account Portal and locate the storage account named mcdagent0fs<ID>. From there, open the Security + Networking tab and select 'Access keys'.

    ❗️

    Please ensure that you select the storage account with '0fs' in the name and not '1fs'.

Azure Portal Example

  6. Next, check the value of the Connection string for key 1 and compare it with the value of the AzureWebJobsStorage environment variable in the Azure Function from step 4. If this is the first time the keys have been rotated, they should match. If they do not match, check if key 2 is being used.

    👍

    The following instructions assume that key 1 is the one being used.

    If key 2 is being used instead, swap the two keys in all instructions.

  7. Rotate the key not in use (e.g., key 2) by clicking the “Rotate key” icon next to the key name.
  8. Then, copy the value for Connection string for the rotated key (e.g., key 2).
  9. Navigate back to the Azure Function from step 4 and set the Connection string from the previous step as the value for the following two environment variables in the Azure Function:
    • AzureWebJobsStorage
    • WEBSITE_CONTENTAZUREFILECONNECTIONSTRING
  10. Apply the changes, then confirm and save the changes to the environment variables.
  11. Restart the Azure Function.
  12. Repeat steps 1 and 2 to confirm the agent and integrations operate as expected.

    ℹ️

    If you need to roll back the change, update the values for AzureWebJobsStorage and WEBSITE_CONTENTAZUREFILECONNECTIONSTRING to their previous values and restart the function.

  13. Once you confirm that the agent is working as expected, you can rotate the key that was previously used (i.e., the key not currently in use) and test the agent again by repeating step 12.
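
The key comparison described in the steps above (checking which access key AzureWebJobsStorage currently uses, and that you are on the '0fs' account) can be done as a pre-rotation check without eyeballing long strings. This is an added example, not Monte Carlo's or Azure's own code; the function names, the sample account name mcdagent0fsexample and the sample keys are constructed for illustration.

```python
import base64
import hmac

SETTINGS = ("AzureWebJobsStorage", "WEBSITE_CONTENTAZUREFILECONNECTIONSTRING")

def parse_conn(conn):
    """Parse 'Name=value;...'. AccountKey is base64 and can end in '=',
    so each pair is split on its first '=' only."""
    fields = {}
    for part in filter(None, conn.strip().split(";")):
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed segment {name!r}")
        fields[name] = value
    return fields

def key_in_use(setting_value, key_conns):
    """Return 'key1'/'key2' if the setting's AccountKey matches, else None."""
    current = parse_conn(setting_value)["AccountKey"]
    for name, conn in key_conns.items():
        # Constant-time comparison; key material is never printed or returned.
        if hmac.compare_digest(current, parse_conn(conn)["AccountKey"]):
            return name
    return None

def plan_rotation(account, app_settings, key_conns):
    """Decide which key to rotate first for the Durable Functions account."""
    if not account.startswith("mcdagent0fs"):
        raise ValueError("wrong account: expected the '0fs' storage account")
    if parse_conn(app_settings["AzureWebJobsStorage"]).get("AccountName") != account:
        raise ValueError("AzureWebJobsStorage points at a different account")
    used = {s: key_in_use(app_settings[s], key_conns) for s in SETTINGS}
    active = used["AzureWebJobsStorage"]
    if active is None:
        raise ValueError("AzureWebJobsStorage matches neither key")
    spare = next(k for k in key_conns if k != active)
    return {"in_use": active, "rotate_first": spare, "per_setting": used}

# Constructed sample values (not real keys or a real account).
def _conn(key_bytes):
    key = base64.b64encode(key_bytes).decode()
    return ("DefaultEndpointsProtocol=https;AccountName=mcdagent0fsexample;"
            f"AccountKey={key};EndpointSuffix=core.windows.net")

SAMPLE_KEYS = {"key1": _conn(b"constructed-key-1"), "key2": _conn(b"constructed-key-2")}
SAMPLE_SETTINGS = {s: SAMPLE_KEYS["key2"] for s in SETTINGS}

if __name__ == "__main__":
    print(plan_rotation("mcdagent0fsexample", SAMPLE_SETTINGS, SAMPLE_KEYS))
```

In the sample, key 2 is the key in use, so the plan is to rotate key 1 first, which is the swapped case the note above describes.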

Steps: Rotating Data Store storage access keys

Since the Data Store storage account is accessed using a managed identity, you can rotate the keys without affecting the Azure Function. Even though the keys are not used to access the storage, rotating them is still recommended, because the keys are generated regardless and provide access to the storage account.

  1. Before starting, confirm that the agent is operational. See docs here for details.
  2. Then, confirm any associated integrations. You can do this by navigating to the Integrations tab in Settings (here) and selecting "Test" under the kebab menu (vertical triple dots).
  3. Open the Azure Storage Account Portal and navigate to the account named mcdagent1fs<ID>.

    ❗️

    Please ensure that you select the storage account with '1fs' in the name and not '0fs'.

  4. From there, open the Security + Networking tab and select 'Access keys'.
Azure Portal Example

  5. Then, rotate both keys by clicking the 'rotate key' icon next to each key.
  6. Repeat steps 1 and 2 to confirm the agent and integrations operate as expected.