Get notified of changes in Azure Key Vault by using Event Grid

There are numerous ways to secure and audit your Azure Key Vault setup and usage. In 2019, I wrote Who accessed my Azure Key Vault?, which is still relevant.

In this article, I want to talk about how to set up automatic notifications when something changes related to your secrets.

Events in Key Vaults

Before we drill into the steps to get this done, I want to talk about events in general, and things we might want to think about before we dive in.

What events can we subscribe to?

Azure Key Vault publishes its events through Event Grid. The currently supported events are listed on the Microsoft Docs website, under "Event Grid event schema" in the Key Vault docs.

Events can be subscribed to for three types of objects - Certificates, Keys, and Secrets. Here's what we can hook up:

Certificates

  • New Certificate Version created
  • Certificate expires within 30 days
  • Certificate has expired

Keys

  • New Key Version created
  • Key expires within 30 days
  • Key has expired

Secrets

  • New Secret Version created
  • Secret expires within 30 days
  • Secret has expired

Keep this in mind

When you design your systems to consume events, keep in mind a couple of important things.

How To: Monitor Key Vault with Event Grid

Let's get to the interesting stuff. In the previous sections, we walked through a couple of use cases I find interesting, and some additional information that can be beneficial around the events we now want to consume.

It's time to build an integration.

For the sake of this demonstration, I am going to populate an Azure Storage queue with the events. As you can see from the picture below, there are quite a few options readily available.

You can either go to your Key Vault and "Events", and pick one of these nice-looking boxes:

Choose a subscription type for Azure Key Vault events.

Or, you can create a new "Event Subscription" like this, which I'm going for:

Create a new Azure Key Vault Event Subscription from the Azure Portal

We can now define the details about this subscription. Schema, topics, event types to subscribe to, and more.

Azure Portal allows us to create new Event Subscriptions in an Azure Key Vault. Here we are creating a new event for the Azure Storage Queue endpoint.

I selected all 10 available events from the dropdown, ensuring I get notifications about everything that I can:

I opted-in for all the event types, to really try and stay on top of things.

For the purpose of this article, I am leaving the remaining settings unchanged. However, below is a short walk-through of other interesting settings you can configure during creation.

Dead-Lettering

As per the Microsoft Docs website about dead letter and retry policy, you can configure dead-lettering on your subscription to define what should happen if the events cannot be delivered to storage.

Dead-lettering configuration for events.

Retry policies

You can also configure retry policies at this stage. There are default configurations available, and as per Microsoft Docs about setting a retry policy, the system will automatically retry for 24 hours, or 30 times.

If you want to change this default behavior, you can do that during creation, too.

Azure Key Vault subscriptions to Azure Event Hub with retry policies.

Event Subscription Expiration Time

You can define when the subscription is going to expire.

Define an expiration time for the event subscription.

Filters

You can define filters for your events, to ensure only events matching your filters are delivered.

  • Subject Filtering: Filter on the subject, for example that it begins with, or ends with, a particular string.
  • Advanced Filters: Filter based on attributes of the events. This is an AND filter, hence only events matching ALL filters are delivered.

Add optional filters for events, to only parse events matching the filters.

Review the results

After creation, you should see the subscription under "Events" - "Subscriptions" in your Azure Key Vault, and any events associated with it.

Below, you can see that my new subscription has a few "Published Events" in the metrics, because I manually updated a few secrets for the sake of providing this beautiful line on the chart.

Azure Key Vault events displaying the execution of events on the Events dashboard.

In my configuration section, I chose to send my events as queue messages to an Azure Storage Queue, and I can see that it's received a few events already:

Azure Storage Queue showing the recently added events that were triggered.

Every event looks something like this, with the details unique to that given event:

{
    "id": "dc272235-15f4-4fee-b56d-d37bbb7eb01d",
    "topic": "/subscriptions/REDACTED/resourceGroups/demos/providers/Microsoft.KeyVault/vaults/acrencryptiondemo",
    "subject": "AnotherSecretName",
    "eventType": "Microsoft.KeyVault.SecretNewVersionCreated",
    "data": {
        "Id": "https://acrencryptiondemo.vault.azure.net/secrets/AnotherSecretName/195d1c3f247a43648b92e1f2efcaed40",
        "VaultName": "acrencryptiondemo",
        "ObjectType": "Secret",
        "ObjectName": "AnotherSecretName",
        "Version": "195d1c3f247a43648b92e1f2efcaed40",
        "NBF": null,
        "EXP": null
    },
    "dataVersion": "1",
    "metadataVersion": "1",
    "eventTime": "2020-08-14T18:51:10.8137761Z"
}

From here on, I can decide what actions I need to take.
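As an added example that is not part of the original post, here is a small Python consumer for queue messages shaped like the event above. It reduces a message to the fields worth acting on, mirrors the subject and advanced (ANDed) filters described earlier, and maps the action to a follow-up. Only SecretNewVersionCreated appears in the post; the KeyNearExpiry sample event, the "Microsoft.KeyVault.<ObjectType><Action>" naming pattern and the reading of EXP as Unix seconds are assumptions.

```python
import json
from datetime import datetime, timezone

# Constructed sample queue messages shaped like the one shown above: the first mirrors the
# captured SecretNewVersionCreated event, the second is an invented near-expiry key event.
SAMPLE_EVENTS = [
    json.dumps({"subject": "AnotherSecretName",
                "eventType": "Microsoft.KeyVault.SecretNewVersionCreated",
                "data": {"VaultName": "acrencryptiondemo", "ObjectType": "Secret",
                         "ObjectName": "AnotherSecretName",
                         "Version": "195d1c3f247a43648b92e1f2efcaed40", "NBF": None, "EXP": None},
                "eventTime": "2020-08-14T18:51:10.8137761Z"}),
    json.dumps({"subject": "AnotherSigningKey",
                "eventType": "Microsoft.KeyVault.KeyNearExpiry",
                "data": {"VaultName": "acrencryptiondemo", "ObjectType": "Key",
                         "ObjectName": "AnotherSigningKey", "Version": "0123456789abcdef",
                         "NBF": None, "EXP": 1600000000},  # EXP assumed to be Unix seconds
                "eventTime": "2020-08-14T18:51:10.8137761Z"}),
]

def parse(raw):
    """Reduce one queue message to the fields a consumer acts on."""
    ev = json.loads(raw)
    data = ev["data"]
    # eventType is Microsoft.KeyVault.<ObjectType><Action>; strip both to get the action.
    action = ev["eventType"].removeprefix("Microsoft.KeyVault.").removeprefix(data["ObjectType"])
    return {"subject": ev["subject"], "vault": data["VaultName"], "type": data["ObjectType"],
            "name": data["ObjectName"], "version": data["Version"], "action": action,
            "exp": data.get("EXP")}

def passes_filters(ev, begins_with=None, ends_with=None, advanced=()):
    """Mirror the subscription filters: subject prefix/suffix plus ANDed attribute matches."""
    if begins_with and not ev["subject"].startswith(begins_with):
        return False
    if ends_with and not ev["subject"].endswith(ends_with):
        return False
    return all(ev.get(field) == value for field, value in advanced)

def decide(ev, now):
    """Turn a parsed event into the follow-up a vault owner would take."""
    what = f"{ev['type'].lower()} {ev['name']} in {ev['vault']}"
    if ev["action"] == "NewVersionCreated":
        return f"audit who created version {ev['version']} of {what}"
    if ev["action"] == "NearExpiry":
        days = (datetime.fromtimestamp(ev["exp"], timezone.utc) - now).days
        return f"rotate {what}: expires in {days} days"
    if ev["action"] == "Expired":
        return f"{what} has expired: rotate it and check dependent workloads"
    return f"unexpected action {ev['action']} on {what}: alert"
```

Passing `now` in explicitly keeps the expiry arithmetic testable; a real consumer would call `decide(parse(msg), datetime.now(timezone.utc))` for each dequeued message.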

We've seen how easy it is to make use of Azure Event Grid and the event subscriptions.

The rest is up to you! Thank you for reading - please leave a comment with your thoughts.