This Action will connect to a provided AZURE key vault as input and will loop through each secret key (server name). For each server, automatically generate a random unique password (default 24char), set that password against the VM and save the password value against the relevant secret key in the key vault. This will allow you to automate, maintain and manage all your server passwords from a centrally managed key vault in AZURE by only giving relevant access when required by anyone via key vault permissions.

• The Azure key vault must be pre-populated with Secret Keys, where each key represents a server name:

See this tutorial on setting up the Azure key vault and GitHub Secret Credential (if needed).

Copy and paste the following snippet into your .yml file.

- name: Rotate VMs administrator passwords
    uses: Pwd9000-ML/[email protected]
    with:
      key-vault-name: ${{ env.KEY_VAULT_NAME }}
      password-length: 24 ##Optional configuration

Here is a link to an example workflow file using legacy authentication (Client and Secret).

name: Update Azure VM passwords
on: 
  workflow_dispatch:
  schedule:
    - cron:  '0 9 * * 1' ##Runs at 9AM UTC every Monday##

jobs:
  publish:
    runs-on: windows-latest
    env:
      KEY_VAULT_NAME: 'your-key-vault-name'

    steps:
    - name: Check out repository
      uses: actions/[email protected]

    - name: Log into Azure using github secret AZURE_CREDENTIALS
      uses: Azure/[email protected]
      with:
        creds: ${{ secrets.AZURE_CREDENTIALS }}
        enable-AzPSSession: true

    - name: Rotate VMs administrator passwords
      uses: Pwd9000-ML/[email protected]
      with:
        key-vault-name: ${{ env.KEY_VAULT_NAME }}

Here is a link to an example workflow file (OIDC) using Open ID Connect(OIDC).

name: Update Azure VM passwords
on: 
  workflow_dispatch:
  schedule:
    - cron:  '0 9 * * 1' ##Runs at 9AM UTC every Monday##

permissions:
  id-token: write
  contents: read

jobs:
  rotatePwd:
    runs-on: windows-latest
    env:
      KEY_VAULT_NAME: 'your-key-vault-name'

    steps:
    - name: Check out repository
      uses: actions/[email protected]

    - name: 'Az CLI login using OIDC'
      uses: azure/login@v1
      with:
        client-id: ${{ secrets.AZURE_CLIENT_ID }}
        tenant-id: ${{ secrets.AZURE_TENANT_ID }}
        subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
        enable-AzPSSession: true

    - name: Rotate VMs administrator passwords
      uses: Pwd9000-ML/[email protected]
      with:
        key-vault-name: ${{ env.KEY_VAULT_NAME }}

• You can use the AzurePreReqs.ps1 (legacy) script to create a key vault, generate a GitHub Secret to use as AZURE_CREDENTIALS and sets relevant RBAC access on the key vault, Key Vault Officer, as well as Virtual Machine Contributor over virtual machines in the Azure subscription.

• You can use the AzurePreReqs-OIDC.ps1 (modern) script to create a key vault, generate a federated GitHub principal to authenticate (passwordless) to Azure using only the following GitHub secrets: secrets.AZURE_CLIENT_ID, secrets.AZURE_TENANT_ID, secrets.AZURE_SUBSCRIPTION_ID. The script also sets relevant RBAC access on the key vault, Key Vault Officer, as well as Virtual Machine Contributor over virtual machines in the Azure subscription.

• Passwords will only be rotated for secrets/names of servers populated in the key vault as secret keys. Only virtual machines that are in a running state will have their passwords rotated:

• Servers will be skipped if they are not running:

• If a server does not exist or the GitHub Secret AZURE_CREDENTIALS does not have access over the Virtual Machine a warning is issued of 'VM NOT found':

• DO NOT populate the key vault with servers that act as Domain Controllers.

As of release v1.1.0; Support for linux and windows runner types now available.

The associated scripts and documentation in this project are released under the MIT License.