
Dependencies (PRO)

PRO Feature

Dependency mapping and full-stack rotation require a PRO tier license.

Dependencies maps which Azure resources consume Key Vault credentials, enabling blast radius analysis and coordinated full-stack rotation.


Overview

Dependencies solves a critical question: "If I rotate this secret, what breaks?"

  • Resource discovery: Find all Azure resources that use Key Vault credentials
  • Dependency mapping: Map credentials to their consumers
  • Blast radius analysis: Understand impact before rotation
  • Full-stack rotation: Rotate credential AND update all dependent resources
  • Automatic rollback: Restore previous state if any update fails

Supported Resource Types

Dependencies supports 11 Azure resource types:

Compute

Resource        Description
App Services    Web apps with Key Vault references
Function Apps   Serverless functions using KV
Container Apps  Containerized workloads
AKS Clusters    Kubernetes with CSI driver

Integration

Resource        Description
Logic Apps      Workflow connections
API Management  Named values and backends
Data Factory    Linked services

Messaging

Resource      Description
Service Bus   Connection strings
Event Hubs    Connection strings

Data

Resource          Description
SQL Servers       Admin credentials
Storage Accounts  Connection strings

How Dependency Mapping Works

Discovery Phase

  1. Scan Azure resources: Query ARM for supported resource types
  2. Extract configuration: Read app settings, connection strings
  3. Identify KV references: Find @Microsoft.KeyVault(...) patterns
  4. Match to secrets: Link references to discovered secrets

Matching Algorithms

Dependencies uses multiple matching methods:

Method               Confidence  Description
Key Vault Reference  High        Exact @Microsoft.KeyVault(SecretUri=...) match
Name Similarity      Medium      Fuzzy matching on secret/resource names
Tag Matching         Medium      Matching Azure tags
Value Hint           Low         Partial value matching (first/last chars)

Confidence Levels

Level   Score      Meaning
HIGH    ≥0.60      Very likely correct match
MEDIUM  0.45-0.59  Probable match, verify
LOW     0.30-0.44  Possible match, manual review
NONE    <0.30      No match found
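As an added illustration of the discovery and matching steps described above (example code, not the product's own implementation): it parses both App Service Key Vault reference forms, scores one resource's app settings against a secret using the four documented methods, and maps the score to the documented confidence bands. The per-method score values and the use of the keyvault-secret tag (named in the best practices below) are assumptions.

```python
import re
from difflib import SequenceMatcher

# Both App Service Key Vault reference forms: SecretUri=... and VaultName=...;SecretName=...
KV_REF_RE = re.compile(
    r"@Microsoft\.KeyVault\((?:SecretUri=https://(?P<v1>[^.]+)\.vault\.azure\.net/secrets/(?P<n1>[^/)]+)"
    r"|VaultName=(?P<v2>[^;)]+);SecretName=(?P<n2>[^;)]+))[^)]*\)", re.IGNORECASE)
# Per-method scores are assumed example values chosen to land in the documented bands
# (0.85 is the value shown in the blast-radius response below); the bands are the documented ones.
SCORES = {"keyvault_reference": 0.85, "tag_matching": 0.55, "name_similarity": 0.50, "value_hint": 0.35}

def parse_kv_reference(value):
    """Return (vault, secret_name), lower-cased, if value is a Key Vault reference, else None."""
    m = KV_REF_RE.search(value if isinstance(value, str) else "")
    if not m:
        return None
    return (m.group("v1") or m.group("v2")).lower(), (m.group("n1") or m.group("n2")).lower()

def confidence_level(score):
    """Map a numeric score to the HIGH / MEDIUM / LOW / NONE bands from the table above."""
    for level, floor in (("HIGH", 0.60), ("MEDIUM", 0.45), ("LOW", 0.30)):
        if score >= floor:
            return level
    return "NONE"

def _norm(name):
    # "API_KEY", "ApiKey" and "api-key" all normalise to "apikey" before fuzzy comparison
    return re.sub(r"[-_\s]", "", name.lower())

def match_secret(secret, app_settings, resource_tags=None, secret_value=None):
    """Score how confidently one resource consumes `secret` ({"vault", "name"}).
    Returns (score, match_method, level) for the best-scoring method."""
    target = (secret["vault"].lower(), secret["name"].lower())
    best = (0.0, "none")
    for key, value in app_settings.items():
        if parse_kv_reference(value) == target:          # 1. exact reference: nothing beats it
            best = (SCORES["keyvault_reference"], "keyvault_reference")
            break
        sim = SequenceMatcher(None, _norm(secret["name"]), _norm(key)).ratio()   # 2. fuzzy name
        best = max(best, (SCORES["name_similarity"] * sim, "name_similarity"))
        # 3. value hint: a (possibly masked) setting value shares the secret's first/last 4 chars
        if secret_value and len(secret_value) >= 8 and isinstance(value, str) \
                and value.startswith(secret_value[:4]) and value.endswith(secret_value[-4:]):
            best = max(best, (SCORES["value_hint"], "value_hint"))
    if (resource_tags or {}).get("keyvault-secret", "").lower() == target[1]:   # 4. explicit tag
        best = max(best, (SCORES["tag_matching"], "tag_matching"))
    return best[0], best[1], confidence_level(best[0])
```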

Viewing Dependencies

Dependency Graph

  1. Go to Assets tab
  2. Click on a vault
  3. Select a secret
  4. View Dependencies panel

The dependency graph shows:

  • Secret at center
  • Connected resources (App Services, Functions, etc.)
  • Confidence indicators
  • Resource health status

Blast Radius View

For a specific secret:

  1. Click Blast Radius button
  2. View all resources that would be affected
  3. Review confidence levels
  4. Identify any unknown dependencies

Full-Stack Rotation

Full-stack rotation updates a credential AND all its dependent resources in one operation.

How It Works

  1. Generate new credential value
  2. Update Key Vault secret
  3. Update Resource 1 (App Service)
  4. Update Resource 2 (Function App)
  5. Update Resource N...
  6. Verify all resources healthy
  7. Complete (or rollback on failure)

Running Full-Stack Rotation

  1. Navigate to the secret in Assets
  2. Click Rotate button
  3. Review blast radius
  4. Confirm dependent resources to update
  5. Click Rotate Now
  6. Monitor progress in real-time

Rollback

If any resource update fails:

  1. Automatic rollback triggered
  2. Original secret value restored in Key Vault
  3. Resources reverted to previous config
  4. Failure logged with details
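The rotate, verify, and rollback-on-failure sequence described in the sections above, as an added example that is not the product's own code: a plain dict stands in for Key Vault and a constructed FakeAppService class for the dependent resources, so a simulated permission failure on the second resource shows the rollback reverting the already-updated resource and restoring the original secret value. The skip_verification flag mirrors the rotate API's request field.

```python
import secrets

class FakeAppService:
    """Constructed stand-in for a dependent resource (App Service / Function App).
    fail_on_update simulates an ARM error such as AuthorizationFailed during steps 3-5."""
    def __init__(self, name, fail_on_update=False, healthy=True):
        self.name, self.settings = name, {}
        self.fail_on_update, self._healthy = fail_on_update, healthy
    def update(self, setting, value):
        if self.fail_on_update:
            raise PermissionError(f"{self.name}: AuthorizationFailed")
        self.settings[setting] = value
    def healthy(self):
        return self._healthy

def full_stack_rotate(vault, resources, secret_name, new_value=None, skip_verification=False):
    """Rotate `secret_name` in `vault` (a dict standing in for Key Vault) and push the new
    value to every resource. Any failure reverts resources in reverse order and restores
    the original Key Vault value. Returns {"status", "log", "error"}."""
    log, done = [], []                      # done: (resource, settings before update) for rollback
    old_value = vault[secret_name]
    new_value = new_value or secrets.token_urlsafe(32)      # 1. generate new credential
    vault[secret_name] = new_value                           # 2. update Key Vault secret
    log.append(("keyvault", "updated"))
    try:
        for r in resources:                                  # 3-5. update each dependent resource
            previous = dict(r.settings)
            r.update(secret_name, new_value)
            done.append((r, previous))
            log.append((r.name, "updated"))
        if not skip_verification:                            # 6. verify all resources healthy
            unhealthy = [r.name for r in resources if not r.healthy()]
            if unhealthy:
                raise RuntimeError(f"unhealthy after rotation: {unhealthy}")
        log.append(("rotation", "complete"))                 # 7. complete
        return {"status": "complete", "log": log, "error": None}
    except Exception as exc:                                 # 7. rollback on failure
        for r, previous in reversed(done):
            r.settings.clear()
            r.settings.update(previous)
            log.append((r.name, "reverted"))
        vault[secret_name] = old_value
        log.append(("keyvault", "restored"))
        return {"status": "rolled_back", "log": log, "error": str(exc)}
```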

Resource Updates

App Services / Function Apps

Dependencies updates:

  • Application settings (@Microsoft.KeyVault references)
  • Connection strings
  • Slot settings (if applicable)

Container Apps

  • Environment variables with KV references
  • Secrets configuration

API Management

  • Named values
  • Backend credentials

Logic Apps

  • Connection parameters
  • Workflow definitions (if applicable)

SQL Servers

  • Admin password (with caution)

Configuration

Enable Dependency Scanning

  1. Go to Settings > Dependencies
  2. Enable Dependency Scanning
  3. Configure scan schedule (daily recommended)
  4. Save

Excluded Resources

Exclude specific resources from dependency mapping:

  1. Go to Settings > Dependencies
  2. Add to Exclusion List
  3. Enter resource ID or pattern
  4. Save

Write Permissions

Full-stack rotation requires additional Azure permissions:

# Grant Contributor on resource groups containing dependent resources
az role assignment create \
  --assignee $PRINCIPAL_ID \
  --role "Contributor" \
  --scope /subscriptions/{sub-id}/resourceGroups/{rg-name}

Or more granular roles:

  • Web Site Contributor for App Services
  • Logic App Contributor for Logic Apps
  • etc.

API Reference

List Dependencies

GET /api/assets/dependencies

Get Dependencies for Secret

GET /api/assets/dependencies/secret/{secret_id}

Get Blast Radius

GET /api/assets/dependencies/blast-radius/{secret_id}

Response:

{
  "secret": {
    "id": "secret-123",
    "name": "api-key",
    "vault": "kv-production"
  },
  "affected_resources": [
    {
      "id": "/subscriptions/.../Microsoft.Web/sites/my-app",
      "type": "Microsoft.Web/sites",
      "name": "my-app",
      "confidence": 0.85,
      "match_method": "keyvault_reference"
    }
  ],
  "total_affected": 3
}

Trigger Full-Stack Rotation

POST /api/assets/dependencies/rotate/{secret_id}
Content-Type: application/json

{
  "include_resources": ["resource-id-1", "resource-id-2"],
  "skip_verification": false
}

Troubleshooting

Dependencies not found

Cause: Resources not using Key Vault references.

Fix:
  • Migrate to @Microsoft.KeyVault(...) references
  • Use Azure tags to improve matching

Low confidence matches

Cause: Naming conventions don't match.

Fix:
  • Add tags to both secrets and resources
  • Use consistent naming (e.g., api-key in both places)

Rotation failed - resource update error

Cause: Insufficient permissions on resource.

Fix:
  • Grant Contributor role on the resource group
  • Check resource-specific role requirements

Rollback triggered

Cause: One or more resources failed to update.

Check:
  • View rotation history for failure details
  • Check Azure Activity Log for errors
  • Verify resource permissions


Best Practices

  1. Use Key Vault References: Migrate to @Microsoft.KeyVault(...) for high-confidence mapping
  2. Consistent Naming: Use matching names for secrets and settings
  3. Tag Resources: Add keyvault-secret tags for explicit mapping
  4. Test in Non-Prod: Validate full-stack rotation in staging first
  5. Review Blast Radius: Always check impact before rotating
  6. Monitor After Rotation: Watch application health post-rotation