This is a utility intended to export some custom Azure Active Directory information out as Prometheus Metrics.
It currently only supports exposing Azure AD Application Secret expiry times.
Azure AD is a wonderful tool for setting up Single Sign On applications. These applications are secured with client secrets can be configured to expire after 1 year, 2 years or never. Ideally short lived credentials with a regular rotation capacity is best but there is no alerting mechanism.
The goal of this project is to provide a Prometheus metric in order to allow long term tracking, dashboarding and alerting of these credential expiry times and hopefully prevent future production incidents.
This requires the following environment variables set:
TENANT_ID: Global tenant ID for ADCLIENT_ID: The client ID for the configured App RegistrationCLIENT_SECRET: The client secret for the configured App Registration
The full list of applications will be queried every 10 minutes.
This requires a Service Priniciple on Azure with the following permissions:
- Microsoft Graph
Application.Read.All
This project uses Python Poetry for local installation.
poetry install
If the above environment variables are not configured this will fall back to using your credentials from az login.
- Kubernetes YAML in
deployto deploy the service - Kubernetes YAML for Prometheus Operator rules / alerts
- Hashicorp Vault support
- Some tests