Get notified of changes in Azure Key Vault by using Event Grid
There are numerous ways to secure and audit your Azure Key Vault setup and usage. In 2019, I wrote Who accessed my Azure Key Vault?, which is still relevant.
In this article, I want to talk about how to set up automatic notifications when something changes related to your secrets.
Events in Key Vaults
Before we drill into the steps to get this done, I want to talk about events in general, and things we might want to think about before we dive in.
What events can we subscribe to?
Azure Key Vault uses Event Grid for events. The currently supported events are listed on the Microsoft Docs website under "Event Grid event schema" in the Key Vault docs.
Events can be subscribed to for three types of objects - Certificates, Keys, and Secrets. Here's what we can hook up:
Certificates
- New Certificate Version created
- Certificate expires within 30 days
- Certificate has expired
Keys
- New Key Version created
- Key expires within 30 days
- Key has expired
Secrets
- New Secret Version created
- Secret expires within 30 days
- Secret has expired
Keep this in mind
When you design your systems to consume events, keep in mind a couple of important things.
- Always ensure your consumer validates where the event is coming from, for example by checking the event's topic against the vaults you expect. A single Event Grid endpoint can receive events from multiple Key Vaults, across multiple subscriptions.
- Build resilient applications, and ensure you can easily handle changes in the services. I've talked about that in my podcast (Ctrl+Alt+Azure Episode 11 - Considerations and Good Practices for Azure Developers).
How To: Monitor Key Vault with Event Grid
Let's get to the interesting stuff. In the previous sections we walked through a couple of scenarios I find interesting, and some additional information that is good to know about the events we now want to consume.
It's time to build an integration.
For the sake of this demonstration, I am going to populate an Azure Storage queue with the events. As you can see from the picture below, there are quite a few options readily available.
You can either go to your Key Vault and "Events", and pick one of these nice looking boxes:
Or, you can create a new "Event Subscription" like this, which I'm going for:
We can now define the details about this subscription. Schema, topics, event types to subscribe to, and more.
I selected all 10 available events from the dropdown, ensuring I get notifications about everything that I can:
For the purpose of this article, I am leaving the remaining settings unchanged. However, below is a short walk-through of other interesting settings you can do during creation.
Dead-Lettering
As per the Microsoft Docs website about Dead letter and retry policy, you can configure this on your subscription to define what should happen if the events cannot be delivered to storage.
Retry policies
You can also configure retry policies at this stage. There are default configurations available, and as per the Microsoft Docs page about setting a retry policy, the system will automatically retry for up to 24 hours, or 30 times.
If you want to change this default behavior, you can do that during creation, too.
Event Subscription Expiration Time
You can define when the subscription is going to expire.
Filters
You can define filters for your events, to ensure only events matching your filters are delivered.
- Subject Filtering: Filter on the subject, for example that it begins with, or ends with a particular string.
- Advanced Filters: Filter based on attributes of the events. This is an AND filter, hence only events matching ALL filters are delivered.
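The filter semantics above are easy to get wrong, in particular the AND behaviour of advanced filters. The following is an added example (not code from the article or from Azure) that models those semantics locally: subject begins-with / ends-with, event type selection, and advanced filters combined with AND, so a filter definition can be checked against sample events before the subscription is created. The operator names follow the Event Grid advanced-filter names as I know them (StringIn, StringBeginsWith, NumberGreaterThan, and so on), string comparisons are treated as case-insensitive, which is my understanding of the service, and all events and filter specs are constructed.

```python
"""Local model of Event Grid subscription filtering for Key Vault events.

Added example; not code from the original article or from Azure. Operator
names mirror the Event Grid advanced-filter names as I know them, and string
comparisons are treated as case-insensitive (my understanding of the service).
The events and filter specs are constructed for illustration.
"""
from typing import Any, Callable, Dict, List


def _lookup(event: Dict[str, Any], key: str) -> Any:
    """Resolve a dotted key such as "data.ObjectType" inside the event."""
    node: Any = event
    for part in key.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def _lower_all(values: List[Any]) -> List[str]:
    return [str(v).lower() for v in values]


# Each operator takes (value found in the event, filter values) -> bool.
OPERATORS: Dict[str, Callable[[Any, List[Any]], bool]] = {
    "StringIn": lambda v, vals: isinstance(v, str) and v.lower() in _lower_all(vals),
    "StringNotIn": lambda v, vals: isinstance(v, str) and v.lower() not in _lower_all(vals),
    "StringBeginsWith": lambda v, vals: isinstance(v, str)
        and any(v.lower().startswith(x) for x in _lower_all(vals)),
    "StringEndsWith": lambda v, vals: isinstance(v, str)
        and any(v.lower().endswith(x) for x in _lower_all(vals)),
    "StringContains": lambda v, vals: isinstance(v, str)
        and any(x in v.lower() for x in _lower_all(vals)),
    "NumberGreaterThan": lambda v, vals: isinstance(v, (int, float)) and v > vals[0],
    "NumberLessThan": lambda v, vals: isinstance(v, (int, float)) and v < vals[0],
}


def matches(event: Dict[str, Any], spec: Dict[str, Any]) -> bool:
    """Return True if the event passes every part of the subscription filter."""
    subject = str(event.get("subject", "")).lower()
    begins = spec.get("subject_begins_with", "").lower()
    ends = spec.get("subject_ends_with", "").lower()
    if begins and not subject.startswith(begins):
        return False
    if ends and not subject.endswith(ends):
        return False
    allowed_types = spec.get("included_event_types")
    if allowed_types and event.get("eventType") not in allowed_types:
        return False
    # Advanced filters are ANDed: a single failing filter drops the event.
    for f in spec.get("advanced_filters", []):
        if not OPERATORS[f["operatorType"]](_lookup(event, f["key"]), f["values"]):
            return False
    return True


def select_events(events: List[Dict[str, Any]], spec: Dict[str, Any]) -> List[Dict[str, Any]]:
    return [e for e in events if matches(e, spec)]


def _event(subject: str, event_type: str, object_type: str) -> Dict[str, Any]:
    # Minimal Key Vault event in the Event Grid schema (constructed; only the
    # fields the filters look at are filled in). For Key Vault the subject is
    # the object name, as in the sample event later in the article.
    return {
        "subject": subject,
        "eventType": event_type,
        "data": {"ObjectType": object_type, "ObjectName": subject, "VaultName": "demo-vault"},
    }


SAMPLE_EVENTS = [
    _event("prod-db-password", "Microsoft.KeyVault.SecretNewVersionCreated", "Secret"),
    _event("prod-tls", "Microsoft.KeyVault.CertificateExpired", "Certificate"),
    _event("dev-api-token", "Microsoft.KeyVault.SecretNearExpiry", "Secret"),
]

# Production secrets only: the subject prefix AND the object type must both hold.
PROD_SECRETS_FILTER = {
    "subject_begins_with": "prod-",
    "advanced_filters": [
        {"key": "data.ObjectType", "operatorType": "StringIn", "values": ["Secret"]},
    ],
}

# Pitfall: two filters on the same key are ANDed, so this delivers nothing.
CONTRADICTORY_FILTER = {
    "advanced_filters": [
        {"key": "data.ObjectType", "operatorType": "StringIn", "values": ["Secret"]},
        {"key": "data.ObjectType", "operatorType": "StringIn", "values": ["Certificate"]},
    ],
}

# "Secret or Certificate" is expressed as one StringIn with both values.
SECRETS_OR_CERTS_FILTER = {
    "subject_begins_with": "prod-",
    "advanced_filters": [
        {"key": "data.ObjectType", "operatorType": "StringIn", "values": ["Secret", "Certificate"]},
    ],
}

if __name__ == "__main__":
    for name, spec in [("prod secrets", PROD_SECRETS_FILTER),
                       ("contradictory", CONTRADICTORY_FILTER),
                       ("prod secrets or certs", SECRETS_OR_CERTS_FILTER)]:
        print(name, "->", [e["subject"] for e in select_events(SAMPLE_EVENTS, spec)])
```

Run it and the contradictory filter selects no events at all, which is the mistake to watch for when a subscription that "should" deliver both secrets and certificates stays silent: each advanced filter narrows the set further, so alternatives on the same attribute belong in one filter's value list.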
Review the results
After creation, you should see the subscription under "Events" - "Subscriptions" in your Azure Key Vault, and any events associated with it.
Below, you can see that my new subscription has a few "Published Events" in the metrics, because I manually updated a few secrets for the sake of providing this beautiful line on the chart.
In my configuration section, I chose to send my events as queue messages to an Azure Storage Queue, and I can see that it has received a few events already:
Every event looks something like this, with the unique detail for that given event.
{
  "id": "dc272235-15f4-4fee-b56d-d37bbb7eb01d",
  "topic": "/subscriptions/REDACTED/resourceGroups/demos/providers/Microsoft.KeyVault/vaults/acrencryptiondemo",
  "subject": "AnotherSecretName",
  "eventType": "Microsoft.KeyVault.SecretNewVersionCreated",
  "data": {
    "Id": "https://acrencryptiondemo.vault.azure.net/secrets/AnotherSecretName/195d1c3f247a43648b92e1f2efcaed40",
    "VaultName": "acrencryptiondemo",
    "ObjectType": "Secret",
    "ObjectName": "AnotherSecretName",
    "Version": "195d1c3f247a43648b92e1f2efcaed40",
    "NBF": null,
    "EXP": null
  },
  "dataVersion": "1",
  "metadataVersion": "1",
  "eventTime": "2020-08-14T18:51:10.8137761Z"
}
From here on, I can decide what actions I need to take.
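As an added example (not code from the article), here is the consumer side of that decision, tying together the "validate where the event is coming from" advice from earlier and the event JSON shown above. It parses each queue message body as an Event Grid event, refuses anything whose topic is not on a constructed allow-list of vault resource IDs, cross-checks the payload's VaultName against the topic, and only then maps the event type to an action. The sample message is the article's event with its REDACTED subscription placeholder kept; event type names other than SecretNewVersionCreated are the Event Grid schema names as I know them, treating EXP as a Unix timestamp is my understanding of the schema, and the allow-list and the actions are assumptions for this example.

```python
"""Consumer side: validate the origin of a Key Vault event, then act on it.

Added example; not code from the original article. Assumes the Event Grid
event schema shown in the article, a constructed allow-list of trusted vault
resource IDs, and that EXP (when present) is a Unix timestamp in seconds.
"""
import json
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Sample event from the article; the subscription ID was already redacted there.
SAMPLE_MESSAGE = """{
  "id": "dc272235-15f4-4fee-b56d-d37bbb7eb01d",
  "topic": "/subscriptions/REDACTED/resourceGroups/demos/providers/Microsoft.KeyVault/vaults/acrencryptiondemo",
  "subject": "AnotherSecretName",
  "eventType": "Microsoft.KeyVault.SecretNewVersionCreated",
  "data": {
    "Id": "https://acrencryptiondemo.vault.azure.net/secrets/AnotherSecretName/195d1c3f247a43648b92e1f2efcaed40",
    "VaultName": "acrencryptiondemo",
    "ObjectType": "Secret",
    "ObjectName": "AnotherSecretName",
    "Version": "195d1c3f247a43648b92e1f2efcaed40",
    "NBF": null,
    "EXP": null
  },
  "dataVersion": "1",
  "metadataVersion": "1",
  "eventTime": "2020-08-14T18:51:10.8137761Z"
}"""

# Constructed allow-list: only events whose topic is one of these vault
# resource IDs are processed. Anything else is dropped before its payload is used.
TRUSTED_TOPICS = {
    "/subscriptions/REDACTED/resourceGroups/demos/providers/Microsoft.KeyVault/vaults/acrencryptiondemo",
}

# Event type names as I know them from the Event Grid schema (assumption for
# all but SecretNewVersionCreated, which appears in the article).
NEW_VERSION = {"Microsoft.KeyVault.CertificateNewVersionCreated",
               "Microsoft.KeyVault.KeyNewVersionCreated",
               "Microsoft.KeyVault.SecretNewVersionCreated"}
NEAR_EXPIRY = {"Microsoft.KeyVault.CertificateNearExpiry",
               "Microsoft.KeyVault.KeyNearExpiry",
               "Microsoft.KeyVault.SecretNearExpiry"}
EXPIRED = {"Microsoft.KeyVault.CertificateExpired",
           "Microsoft.KeyVault.KeyExpired",
           "Microsoft.KeyVault.SecretExpired"}


@dataclass
class Decision:
    accepted: bool
    reason: str
    action: Optional[str] = None


def classify(event: Dict) -> Decision:
    # 1. Origin check first: the topic is the vault resource ID Event Grid
    #    stamps on the event; compare it case-insensitively with the allow-list.
    topic = str(event.get("topic", ""))
    if topic.lower() not in {t.lower() for t in TRUSTED_TOPICS}:
        return Decision(False, f"untrusted topic: {topic}")
    data = event.get("data") or {}
    # 2. The payload's VaultName must agree with the topic; a mismatch means the
    #    message is malformed or is not what it claims to be.
    vault = str(data.get("VaultName", ""))
    if not vault or not topic.lower().endswith("/vaults/" + vault.lower()):
        return Decision(False, "VaultName does not match topic")
    # 3. Only now act on the event type (the actions are illustrative).
    event_type = str(event.get("eventType", ""))
    what = f"{data.get('ObjectType')} '{data.get('ObjectName')}' version {data.get('Version')}"
    if event_type in NEW_VERSION:
        return Decision(True, "new version", f"refresh consumers of {what}")
    if event_type in NEAR_EXPIRY:
        exp = data.get("EXP")
        when = (datetime.fromtimestamp(exp, tz=timezone.utc).isoformat()
                if isinstance(exp, (int, float)) else "unknown time")
        return Decision(True, "near expiry", f"renew {what} before {when}")
    if event_type in EXPIRED:
        return Decision(True, "expired", f"alert on-call: {what} has expired")
    return Decision(False, f"unknown event type: {event_type}")


def process_queue_messages(messages: List[str]) -> List[Decision]:
    """Parse each queue message body as an Event Grid event and classify it."""
    decisions = []
    for body in messages:
        try:
            event = json.loads(body)
        except json.JSONDecodeError as exc:
            decisions.append(Decision(False, f"not JSON: {exc}"))
            continue
        decisions.append(classify(event))
    return decisions


if __name__ == "__main__":
    for decision in process_queue_messages([SAMPLE_MESSAGE]):
        print(decision)
```

The order matters: the topic and VaultName checks run before any field of the payload is trusted, so an event that arrives on the same queue from a vault you did not intend to subscribe to (or a malformed message) is rejected rather than triggering a rotation or an alert.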
Summary and links
We've seen how easy it is to make use of Azure Event Grid and the event subscriptions.
The rest is up to you! Thank you for reading - please leave a comment with your thoughts.