Azure Kubernetes Service · Arazzo Workflow

Azure Kubernetes Service Rotate Cluster Certificates

Version 1.0.0

Trigger certificate rotation on a cluster, poll until provisioned, and refresh user credentials.


Provider

azure-kubernetes-service

Workflows

rotate-certificates-and-refresh-credentials
Rotate AKS cluster certificates, wait for completion, and pull refreshed user credentials.
Calls ManagedClusters_RotateClusterCertificates, polls ManagedClusters_Get until provisioningState is Succeeded, then calls ManagedClusters_ListClusterUserCredentials.
3 steps. Inputs: accessToken, apiVersion, resourceGroupName, resourceName, subscriptionId. Outputs: kubeconfig, provisioningState.

1. rotateCertificates (ManagedClusters_RotateClusterCertificates): Trigger certificate rotation. AKS accepts the request asynchronously and returns 202 Accepted.
2. pollCluster (ManagedClusters_Get): Read the cluster and inspect provisioningState. While it is still Updating the flow loops back to this step; once it reports Succeeded the flow advances to refresh credentials.
3. listUserCredentials (ManagedClusters_ListClusterUserCredentials): List the cluster user credentials. The response carries a kubeconfigs array whose first entry holds the refreshed base64-encoded kubeconfig.

Source API Descriptions

Arazzo Workflow Specification

azure-kubernetes-service-rotate-certificates-workflow.yml
arazzo: 1.0.1
info:
  title: Azure Kubernetes Service Rotate Cluster Certificates
  summary: Trigger certificate rotation on a cluster, poll until provisioned, and refresh user credentials.
  description: >-
    Triggers a rotation of the cluster certificates, polls the cluster Get
    endpoint until provisioningState reports Succeeded (looping while it is still
    Updating), and then lists the cluster user credentials so a refreshed
    kubeconfig can be distributed after rotation. Every step inlines its request
    so the flow can be read and executed without opening the underlying OpenAPI
    description.
  version: 1.0.0
sourceDescriptions:
- name: aksApi
  url: ../openapi/azure-kubernetes-service-openapi.yml
  type: openapi
workflows:
- workflowId: rotate-certificates-and-refresh-credentials
  summary: Rotate AKS cluster certificates, wait for completion, and pull refreshed user credentials.
  description: >-
    Calls ManagedClusters_RotateClusterCertificates, polls ManagedClusters_Get
    until provisioningState is Succeeded, then calls
    ManagedClusters_ListClusterUserCredentials.
  inputs:
    type: object
    required:
    - subscriptionId
    - resourceGroupName
    - resourceName
    - accessToken
    properties:
      subscriptionId:
        type: string
        description: The ID of the target subscription (valid UUID).
      resourceGroupName:
        type: string
        description: The name of the resource group.
      resourceName:
        type: string
        description: The name of the managed cluster.
      apiVersion:
        type: string
        description: The AKS REST API version to use.
        default: '2025-10-01'
      accessToken:
        type: string
        description: An Azure AD bearer token with user_impersonation scope.
  steps:
  - stepId: rotateCertificates
    description: >-
      Trigger certificate rotation. AKS accepts the request asynchronously and
      returns 202 Accepted.
    operationId: ManagedClusters_RotateClusterCertificates
    parameters:
    - name: subscriptionId
      in: path
      value: $inputs.subscriptionId
    - name: resourceGroupName
      in: path
      value: $inputs.resourceGroupName
    - name: resourceName
      in: path
      value: $inputs.resourceName
    - name: api-version
      in: query
      value: $inputs.apiVersion
    - name: Authorization
      in: header
      value: "Bearer $inputs.accessToken"
    successCriteria:
    - condition: $statusCode == 202
  - stepId: pollCluster
    description: >-
      Read the cluster and inspect provisioningState. While it is still Updating
      the flow loops back to this step; once it reports Succeeded the flow
      advances to refresh credentials.
    operationId: ManagedClusters_Get
    parameters:
    - name: subscriptionId
      in: path
      value: $inputs.subscriptionId
    - name: resourceGroupName
      in: path
      value: $inputs.resourceGroupName
    - name: resourceName
      in: path
      value: $inputs.resourceName
    - name: api-version
      in: query
      value: $inputs.apiVersion
    - name: Authorization
      in: header
      value: "Bearer $inputs.accessToken"
    successCriteria:
    - condition: $statusCode == 200
    outputs:
      provisioningState: $response.body#/properties/provisioningState
    onSuccess:
    - name: rotationComplete
      type: goto
      stepId: listUserCredentials
      criteria:
      - context: $response.body
        condition: $.properties.provisioningState == "Succeeded"
        type: jsonpath
    - name: keepPolling
      type: goto
      stepId: pollCluster
      criteria:
      - context: $response.body
        condition: $.properties.provisioningState != "Succeeded"
        type: jsonpath
  - stepId: listUserCredentials
    description: >-
      List the cluster user credentials. The response carries a kubeconfigs
      array whose first entry holds the refreshed base64-encoded kubeconfig.
    operationId: ManagedClusters_ListClusterUserCredentials
    parameters:
    - name: subscriptionId
      in: path
      value: $inputs.subscriptionId
    - name: resourceGroupName
      in: path
      value: $inputs.resourceGroupName
    - name: resourceName
      in: path
      value: $inputs.resourceName
    - name: api-version
      in: query
      value: $inputs.apiVersion
    - name: Authorization
      in: header
      value: "Bearer $inputs.accessToken"
    successCriteria:
    - condition: $statusCode == 200
    outputs:
      kubeconfigName: $response.body#/kubeconfigs/0/name
      kubeconfig: $response.body#/kubeconfigs/0/value
  outputs:
    provisioningState: $steps.pollCluster.outputs.provisioningState
    kubeconfig: $steps.listUserCredentials.outputs.kubeconfig
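An added example, not part of the original page or the Arazzo project, that drives the three steps of the workflow above from Python through an injectable transport so it runs offline against a constructed stand-in for AKS. The ARM host and the rotateClusterCertificates / listClusterUserCredential paths are assumed from the public AKS REST API (the workflow's own OpenAPI file is authoritative), and the poll loop deliberately goes beyond the spec's keepPolling branch, which loops on every non-Succeeded state: it bounds the number of polls and stops as soon as provisioningState reports Failed or Canceled.

```python
import base64
ARM = "https://management.azure.com"          # assumed Azure Resource Manager endpoint
TERMINAL_FAILURE = {"Failed", "Canceled"}     # states that will never become Succeeded

def rotate_and_refresh(send, subscription_id, resource_group, cluster, access_token,
                       api_version="2025-10-01", max_polls=60):
    """Run rotateCertificates -> pollCluster -> listUserCredentials over a transport
    send(method, url, params, headers) -> (status_code, json_body); fails fast."""
    base = (f"{ARM}/subscriptions/{subscription_id}/resourceGroups/{resource_group}"
            f"/providers/Microsoft.ContainerService/managedClusters/{cluster}")
    params = {"api-version": api_version}
    headers = {"Authorization": f"Bearer {access_token}"}
    # Step 1: AKS accepts the rotation asynchronously with 202 (path assumed, see lead-in).
    status, _ = send("POST", f"{base}/rotateClusterCertificates", params, headers)
    if status != 202:
        raise RuntimeError(f"rotateCertificates: expected 202, got {status}")
    # Step 2: poll provisioningState, bounded, and stop on a terminal failure state.
    for _ in range(max_polls):
        status, body = send("GET", base, params, headers)
        if status != 200:
            raise RuntimeError(f"pollCluster: expected 200, got {status}")
        state = body["properties"]["provisioningState"]
        if state == "Succeeded":
            break
        if state in TERMINAL_FAILURE:
            raise RuntimeError(f"certificate rotation ended in state {state}")
    else:
        raise TimeoutError(f"cluster not Succeeded after {max_polls} polls")
    # Step 3: kubeconfigs[0].value carries the refreshed kubeconfig, base64-encoded.
    status, body = send("POST", f"{base}/listClusterUserCredential", params, headers)
    if status != 200:
        raise RuntimeError(f"listUserCredentials: expected 200, got {status}")
    entry = body["kubeconfigs"][0]
    return {"provisioningState": state, "kubeconfigName": entry["name"],
            "kubeconfig": base64.b64decode(entry["value"]).decode()}

def fake_aks(poll_states, kubeconfig_text="apiVersion: v1\nkind: Config\n"):
    """Constructed offline stand-in for the three AKS endpoints (not real API output)."""
    pending = list(poll_states)   # provisioningState values served to successive GET polls
    def send(method, url, params, headers):
        assert headers["Authorization"].startswith("Bearer ") and "api-version" in params
        if method == "POST" and url.endswith("/rotateClusterCertificates"):
            return 202, {}
        if method == "POST" and url.endswith("/listClusterUserCredential"):
            value = base64.b64encode(kubeconfig_text.encode()).decode()
            return 200, {"kubeconfigs": [{"name": "clusterUser", "value": value}]}
        return 200, {"properties": {"provisioningState": pending.pop(0)}}
    return send
```

With a real transport (for example one wrapping requests and a token from the Azure SDK), pass it as `send`; the state machine and output shape stay identical.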