arazzo: 1.0.1
info:
  title: Azure Kubernetes Service Rotate Cluster Certificates
  summary: Trigger certificate rotation on a cluster, poll until provisioned, and refresh user credentials.
  description: >-
    Triggers a rotation of the cluster certificates, polls the cluster Get
    endpoint until provisioningState reports Succeeded (looping while it is
    still Updating), and then lists the cluster user credentials so a refreshed
    kubeconfig can be distributed after rotation. Every step inlines its request
    so the flow can be read and executed without opening the underlying OpenAPI
    description.
  version: 1.0.0
sourceDescriptions:
  - name: aksApi
    url: ../openapi/azure-kubernetes-service-openapi.yml
    type: openapi
workflows:
  - workflowId: rotate-certificates-and-refresh-credentials
    summary: Rotate AKS cluster certificates, wait for completion, and pull refreshed user credentials.
    description: >-
      Calls ManagedClusters_RotateClusterCertificates, polls ManagedClusters_Get
      until provisioningState is Succeeded, then calls
      ManagedClusters_ListClusterUserCredentials.
    inputs:
      type: object
      required:
        - subscriptionId
        - resourceGroupName
        - resourceName
        - accessToken
      properties:
        subscriptionId:
          type: string
          description: The ID of the target subscription (valid UUID).
        resourceGroupName:
          type: string
          description: The name of the resource group.
        resourceName:
          type: string
          description: The name of the managed cluster.
        apiVersion:
          type: string
          description: The AKS REST API version to use.
          default: '2025-10-01'
        accessToken:
          type: string
          description: An Azure AD bearer token with user_impersonation scope.
    steps:
      - stepId: rotateCertificates
        description: >-
          Trigger certificate rotation. AKS accepts the request asynchronously
          and returns 202 Accepted.
        operationId: ManagedClusters_RotateClusterCertificates
        parameters:
          - name: subscriptionId
            in: path
            value: $inputs.subscriptionId
          - name: resourceGroupName
            in: path
            value: $inputs.resourceGroupName
          - name: resourceName
            in: path
            value: $inputs.resourceName
          - name: api-version
            in: query
            value: $inputs.apiVersion
          - name: Authorization
            in: header
            # A runtime expression embedded in a string must be wrapped in {};
            # without the braces the header would be sent literally.
            value: "Bearer {$inputs.accessToken}"
        successCriteria:
          - condition: $statusCode == 202
      - stepId: pollCluster
        description: >-
          Read the cluster and inspect provisioningState. While it is still
          Updating the flow loops back to this step; once it reports Succeeded
          the flow advances to refresh credentials.
        operationId: ManagedClusters_Get
        parameters:
          - name: subscriptionId
            in: path
            value: $inputs.subscriptionId
          - name: resourceGroupName
            in: path
            value: $inputs.resourceGroupName
          - name: resourceName
            in: path
            value: $inputs.resourceName
          - name: api-version
            in: query
            value: $inputs.apiVersion
          - name: Authorization
            in: header
            value: "Bearer {$inputs.accessToken}"
        successCriteria:
          - condition: $statusCode == 200
        outputs:
          provisioningState: $response.body#/properties/provisioningState
        onSuccess:
          - name: rotationComplete
            type: goto
            stepId: listUserCredentials
            criteria:
              - context: $response.body
                condition: $.properties.provisioningState == "Succeeded"
                type: jsonpath
          # Note: this criterion matches every non-Succeeded state, so a cluster
          # that ends in Failed or Canceled keeps the flow polling; a runner
          # should bound the number of iterations.
          - name: keepPolling
            type: goto
            stepId: pollCluster
            criteria:
              - context: $response.body
                condition: $.properties.provisioningState != "Succeeded"
                type: jsonpath
      - stepId: listUserCredentials
        description: >-
          List the cluster user credentials. The response carries a kubeconfigs
          array whose first entry holds the refreshed base64-encoded kubeconfig.
        operationId: ManagedClusters_ListClusterUserCredentials
        parameters:
          - name: subscriptionId
            in: path
            value: $inputs.subscriptionId
          - name: resourceGroupName
            in: path
            value: $inputs.resourceGroupName
          - name: resourceName
            in: path
            value: $inputs.resourceName
          - name: api-version
            in: query
            value: $inputs.apiVersion
          - name: Authorization
            in: header
            value: "Bearer {$inputs.accessToken}"
        successCriteria:
          - condition: $statusCode == 200
        outputs:
          kubeconfigName: $response.body#/kubeconfigs/0/name
          kubeconfig: $response.body#/kubeconfigs/0/value
    outputs:
      provisioningState: $steps.pollCluster.outputs.provisioningState
      kubeconfig: $steps.listUserCredentials.outputs.kubeconfig
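The poll-and-refresh logic of the pollCluster and listUserCredentials steps, written out as an added Python example (not part of the workflow file or of any Azure SDK). It goes slightly beyond the workflow by treating Failed and Canceled as terminal states and bounding the number of polls, so a runner cannot spin forever; the cluster and credential responses are constructed samples, and the get_cluster callable stands in for the HTTP call to ManagedClusters_Get.

```python
"""Poll until provisioningState is terminal, then unpack the refreshed kubeconfig."""
import base64
import time
from typing import Callable

SUCCEEDED = "Succeeded"
# Terminal failure states of an ARM long-running operation; anything else
# (Updating, etc.) is treated as still in flight.
FAILED_STATES = {"Failed", "Canceled"}


def wait_for_rotation(get_cluster: Callable[[], dict], max_polls: int = 60,
                      interval_s: float = 0.0) -> str:
    """get_cluster() returns the ManagedClusters_Get response body.
    Stops on Succeeded, raises on Failed/Canceled, and gives up after
    max_polls instead of looping like the workflow's keepPolling goto."""
    for _ in range(max_polls):
        state = get_cluster()["properties"]["provisioningState"]
        if state == SUCCEEDED:
            return state
        if state in FAILED_STATES:
            raise RuntimeError(f"certificate rotation ended in state {state}")
        time.sleep(interval_s)  # still Updating: poll again
    raise TimeoutError(f"cluster not Succeeded after {max_polls} polls")


def extract_kubeconfig(creds_body: dict) -> tuple[str, str]:
    """Mirror the workflow outputs: (kubeconfigs[0].name, decoded kubeconfig).
    The API returns the kubeconfig value base64-encoded."""
    entry = creds_body["kubeconfigs"][0]
    return entry["name"], base64.b64decode(entry["value"]).decode()


# Constructed sample responses (not captured from a real cluster).
SAMPLE_STATES = ["Updating", "Updating", "Succeeded"]
SAMPLE_CREDS = {"kubeconfigs": [{
    "name": "clusterUser",
    "value": base64.b64encode(b"apiVersion: v1\nkind: Config\n").decode()}]}


def fake_get_cluster(states):
    """Stand-in for the HTTP GET: yields one provisioningState per call."""
    it = iter(states)
    return lambda: {"properties": {"provisioningState": next(it)}}


if __name__ == "__main__":
    print(wait_for_rotation(fake_get_cluster(SAMPLE_STATES)))
    print(extract_kubeconfig(SAMPLE_CREDS))
```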