Regenerate API Access Keys for OpenAI Service Instances

Risk Level: Medium (should be achieved)

Ensure that the API access keys created for your Azure OpenAI service instances are regularly regenerated (rotated) in order to meet security and compliance requirements. These keys are used to access the Microsoft Azure AI services API. By default, it is recommended to regenerate API access keys every 90 days.

Security

The API access keys available for your Azure OpenAI service instances should be regenerated periodically to enhance security by minimizing the risk of unauthorized access if the keys are compromised. Regularly updating access keys helps protect sensitive data and maintain the integrity of the system.


Remediation / Resolution

To regenerate (rotate) the API access keys created for your Microsoft Azure OpenAI service instances, perform the following operations:

Using Azure Console

01 Sign in to the Azure Management Console.

02 Navigate to the Azure OpenAI blade at https://portal.azure.com/#view/Microsoft_Azure_ProjectOxford/CognitiveServicesHub/~/OpenAI.

03 Select the Azure subscription that you want to access from the Subscription equals all filter box, and choose Apply.

04 Click on the name (link) of the Azure OpenAI service instance that you want to examine. An OpenAI service instance has Kind set to OpenAI.

05 In the navigation panel, under Resource Management, select Keys and Endpoint and choose Show Keys to view the API access keys created for the selected OpenAI resource.

06 Regenerating your API access keys can affect the applications that are dependent on these keys. To initiate the regeneration process, you must first configure your applications to use the secondary key (i.e. KEY 2) for continued access to the service.

07 Choose Regenerate Key1 to regenerate the primary API access key, then select Yes to confirm the operation.

08 Once the new primary access key is generated, configure your applications to reference the new access key (i.e. KEY 1).

09 Choose Regenerate Key2 to regenerate the secondary API access key. Select Yes to confirm the operation and complete the regeneration (rotation) process.

10 Repeat steps no. 4 – 9 for each Azure OpenAI instance that you want to configure, available within the selected Azure subscription.

11 Repeat steps no. 3 – 10 for each subscription available in your Microsoft Azure cloud account.

Using Azure CLI

01 Run the cognitiveservices account list command (Windows/macOS/Linux) with custom output filters to list the name and the associated resource group for each Azure OpenAI service instance available in the current subscription:

az cognitiveservices account list \
  --output table \
  --query '[?(kind==`OpenAI`)].{name:name, resourceGroup:resourceGroup}'

02 The command output should return the requested OpenAI service instance identifiers:

Name                           ResourceGroup
---------------------------    ------------------------------
tm-openai-project5-instance    cloud-shell-storage-westeurope
tm-openai-workspace-server     cloud-shell-storage-westeurope

03 Run the cognitiveservices account keys list command (Windows/macOS/Linux) with the name of the Azure OpenAI service instance that you want to examine as the identifier parameter, to describe the API access keys created for the selected OpenAI resource:

az cognitiveservices account keys list \
  --name tm-openai-project5-instance \
  --resource-group cloud-shell-storage-westeurope

04 The command output should return the API access keys available for your OpenAI instance:

{
	"key1": "abcd1234abcd1234abcd1234abcd1234",
	"key2": "1234abcd1234abcd1234abcd1234abcd"
}

05 Regenerating your API access keys can affect the applications that are dependent on these keys. To initiate the regeneration process, you must first configure your applications to use the secondary key (i.e. "key2" attribute value) for continued access to the service. Run the cognitiveservices account keys regenerate command (Windows/macOS/Linux) to regenerate the primary API access key (i.e. "key1" value):

az cognitiveservices account keys regenerate \
  --name tm-openai-project5-instance \
  --resource-group cloud-shell-storage-westeurope \
  --key-name key1

06 The command output should return the API access keys available for your OpenAI instance, including the newly generated key:

{
	"key1": "12341234123412341234123412341234",
	"key2": "1234abcd1234abcd1234abcd1234abcd"
}

07 Once the new primary access key is generated, configure your applications to reference the new access key ("key1" attribute value).

08 Run the cognitiveservices account keys regenerate command (Windows/macOS/Linux) to regenerate the secondary API access key ("key2" value):

az cognitiveservices account keys regenerate \
  --name tm-openai-project5-instance \
  --resource-group cloud-shell-storage-westeurope \
  --key-name key2

09 The command output should return the new API access keys generated for your OpenAI instance:

{
	"key1": "12341234123412341234123412341234",
	"key2": "abcdabcdabcdabcdabcdabcdabcdabcd"
}

10 Repeat steps no. 3 – 9 for each Azure OpenAI instance that you want to configure, available in the selected Azure subscription.

11 Repeat steps no. 1 – 10 for each subscription available in your Microsoft Azure cloud account.
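
The CLI steps 03 to 09 above for a single instance, wrapped as shell functions that stop if a regeneration did not take effect or disturbed the other key slot. This is an added example, not part of the original procedure; update_app_key is a hypothetical hook standing in for however your applications receive their key, and the global --query and --output tsv options are used so that key values are captured in variables rather than printed.

```bash
# Added example: two-phase key rotation for one Azure OpenAI instance.

update_app_key() {  # hypothetical hook: $1 = instance, $2 = key slot, $3 = key value
  :  # placeholder: deliver the key to your applications; never echo it to logs
}

get_key() {  # $1 = instance name, $2 = resource group, $3 = key1|key2
  az cognitiveservices account keys list \
    --name "$1" --resource-group "$2" \
    --query "$3" --output tsv
}

regen_key() {  # regenerate one slot and return only that slot's new value
  az cognitiveservices account keys regenerate \
    --name "$1" --resource-group "$2" --key-name "$3" \
    --query "$3" --output tsv
}

rotate_openai_keys() {  # $1 = instance name, $2 = resource group
  local name="$1" rg="$2" old1 old2 new1 new2
  old1=$(get_key "$name" "$rg" key1) || return 1
  old2=$(get_key "$name" "$rg" key2) || return 1

  # Phase 1: applications run on key2 while key1 is replaced.
  update_app_key "$name" key2 "$old2" || return 1
  new1=$(regen_key "$name" "$rg" key1) || return 1
  # Stop if key1 did not change or key2 was disturbed.
  [ -n "$new1" ] && [ "$new1" != "$old1" ] || return 2
  [ "$(get_key "$name" "$rg" key2)" = "$old2" ] || return 2

  # Phase 2: applications move to the new key1, then key2 is replaced.
  update_app_key "$name" key1 "$new1" || return 1
  new2=$(regen_key "$name" "$rg" key2) || return 1
  [ -n "$new2" ] && [ "$new2" != "$old2" ] || return 2
  echo "rotated key1 and key2 for $name"
}
```

Call it as rotate_openai_keys tm-openai-project5-instance cloud-shell-storage-westeurope after replacing update_app_key; a return code of 2 means the rotation stopped before applications were pointed at an unverified key.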

Publication date Jun 21, 2024