# Rotate Key

Rotates cryptographic keys in Azure Key Vault by creating a new key version. The action targets one or more named keys in a specified vault and runs rotations concurrently (up to five keys in parallel). Each key's result is reported individually, so partial success is possible.

{% hint style="info" %}
**NHI feature**: `ROTATE_KEY` is part of Veza's Non-Human Identity (NHI) management capabilities and requires the `NHI_ROTATE_KEY` feature flag. It does not require an LCM license. For ad-hoc key rotation outside of a scheduled workflow, use the key entity's action menu in Access Intelligence.
{% endhint %}

**Example Use Cases:**

* Rotate Azure Key Vault keys on a scheduled basis to meet compliance requirements
* Automatically rotate keys when a service account is offboarded
* Trigger key rotation after a security incident

| Setting     | Description                                                                                              |
| ----------- | -------------------------------------------------------------------------------------------------------- |
| Data Source | The Azure Key Vault datasource providing credentials for the vault                                       |
| Vault Name  | Name of the Azure Key Vault (3-24 characters, alphanumerics and hyphens only, starting and ending with an alphanumeric character) |
| Key Names   | One or more key names to rotate. Each key gets a new version; the previous version is not deleted        |

**Supported Integrations:**

| Integration     | Notes                                                                                       |
| --------------- | ------------------------------------------------------------------------------------------- |
| Azure Key Vault | Only supported provider. Requires an Azure datasource configured with Key Vault permissions |

## Required Azure permissions

The Veza app registration must be allowed to perform the `rotate` key operation on the target Key Vault. The `List` permission used for extraction is not sufficient on its own. Grant the rotation permission using whichever permission model the vault is configured with:

* **RBAC model (recommended)**: Assign the **Key Vault Crypto Officer** role to the Veza app registration on the target vault. This role includes the `keys/rotate` permission.
* **Access policy model (legacy)**: Under Key Permissions, add **Rotate**, **Get Rotation Policy**, and **Set Rotation Policy**.

Microsoft recommends RBAC over access policies for new vault deployments. See [Azure RBAC vs. access policies](https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-access-policy) and the [Azure Key Vault integration](/4yItIzMvkpAvMVFAamTf/integrations/integrations/azure.md#7-add-key-vault-permissions-optional).

## Result placeholders (for notification templates)

| Placeholder             | Description                         |
| ----------------------- | ----------------------------------- |
| `{{ROTATED_KEY_COUNT}}` | Count of keys successfully rotated  |
| `{{FAILED_KEY_COUNT}}`  | Count of keys that failed to rotate |
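The following is an added illustration (not Veza's code) of the behaviour described above: vault-name validation per the settings table, concurrent rotation of several keys with at most five in flight, per-key results so that one failure does not abort the batch, and the two counts the notification placeholders expose. The rotation callable is injected so the logic runs offline; `azure_rotator` shows how the same logic would be wired to the Azure SDK's `KeyClient.rotate_key`, which is assumed here and not exercised.

```python
import re
from concurrent.futures import ThreadPoolExecutor

# Vault name rule from the settings table: 3-24 characters, alphanumerics
# and hyphens, first and last character alphanumeric.
VAULT_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9-]{1,22}[A-Za-z0-9]$")


def validate_vault_name(name):
    return VAULT_NAME_RE.fullmatch(name) is not None


def rotate_keys(key_names, rotate_one, max_workers=5):
    """Rotate each key concurrently, at most max_workers at a time.

    rotate_one(name) must create a new key version and return its version
    id, or raise. A failure is recorded for that key only, so the result
    dict can show partial success just as the action reports it.
    """
    def attempt(name):
        try:
            return name, {"status": "rotated", "version": rotate_one(name)}
        except Exception as exc:  # e.g. missing keys/rotate permission
            return name, {"status": "failed", "error": str(exc)}

    with ThreadPoolExecutor(max_workers=max_workers) as pool:
        return dict(pool.map(attempt, key_names))


def summarize(results):
    """Counts matching {{ROTATED_KEY_COUNT}} and {{FAILED_KEY_COUNT}}."""
    rotated = sum(1 for r in results.values() if r["status"] == "rotated")
    return {"ROTATED_KEY_COUNT": rotated,
            "FAILED_KEY_COUNT": len(results) - rotated}


def azure_rotator(vault_name, credential):
    """Build rotate_one from azure-keyvault-keys (assumed SDK API)."""
    from azure.keyvault.keys import KeyClient  # imported lazily: offline-safe
    if not validate_vault_name(vault_name):
        raise ValueError(f"invalid vault name: {vault_name!r}")
    client = KeyClient(vault_url=f"https://{vault_name}.vault.azure.net",
                       credential=credential)
    # rotate_key creates a new version; the previous version is kept.
    return lambda name: client.rotate_key(name).properties.version


if __name__ == "__main__":
    # Constructed stand-in for the SDK: one key lacks rotate permission.
    def fake_rotate(name):
        if name == "legacy-key":
            raise PermissionError("Forbidden: keys/rotate not granted")
        return "v2-" + name
    outcome = rotate_keys(["app-key", "legacy-key", "db-key"], fake_rotate)
    print(outcome, summarize(outcome))
```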
