Triggering Alerts on Key Vault Secret Expiry

Improving Security: Triggering Alerts on Key Vault Secret Expiry

Securing sensitive information is paramount in today’s digital landscape, and Azure Key Vault provides a robust solution for managing secrets. To enhance Security, this article shares insight on triggering alerts on key vault secret expiry. In this blog post, we’ll explore how to improve the security of your applications by leveraging Azure Event Grid to trigger timely alerts when a secret in Azure Key Vault is approaching its expiry date. By seamlessly integrating Azure services, we’ll create a proactive alerting mechanism that ensures you stay ahead of potential security risks. Let’s dive into the steps to set up this dynamic and efficient system for managing secrets in the cloud.

Azure Event Grid

Azure Event Grid is a fully managed event routing service in Azure. It enables efficient communication in event-driven applications through features like event-driven architecture, diverse event sources, event filtering, serverless scalability, integration with Azure services, retry mechanisms, and robust security.

Step 1:

Create a key vault. Add a secret and set the expiration date.

Step 2:

Create a logic app from Key Vault Events -> Logic App. After creating a Logic app from Key Vault events, an event subscription with an event grid system topic will be created.


Event subscription and event grid system topic


In the logic app, use the “When a resource event occurs” trigger for the events to subscribe.

Alternatively, we can create a logic app with the trigger “When a resource event occurs.”

We can use either service principal or managed identity for event grid connection.

You can use a service principal.

Name: Enter a name for your App registration

Supported account types: Choose an appropriate account type

Redirect URI: You can give a redirect URI if your application requires it. It is optional

Click on “Register

A new app registration will be created

Next, you will need Client ID and Tenant ID details for authentication. You can get these details from the app details page.


For client secret -> Go to Certificates & Secrets -> New client secret

Once the client secret is created, copy the secret value, as it will get disabled in some time.

Provide these values in logic app connection and create.


After the connection is created, provide the necessary details for the trigger. (mentioned below)

Logic App steps: The below steps were tried using the Consumption Logic App

Resource Type: Select Microsoft.KeyVault.vaults

Resource name: Select the key vault created. (key vaults will be shown in drop down)

Event Type: Select the event types based on the requirement.

In our case, we need to send alerts when a secret expired or is about to expire.

We can also set the event type if a version of the secret is changed

Click Save. An event subscription with an event grid system topic will be created in the key vault.

Step 3: Logic App to send alerts

Initialize variable: Initialize an array variable for the secret list

List Secrets: This connector lists all secrets in a key vault.

If we need only alerts, we can provide an event grid trigger and an email connector to send alerts. However, this will not include the expiry date in the alert.

We need to use the list secrets connector to get the expiry date.

Secret List: Loops all secrets present in the keyvault

Expiry Date: Get the expiry date in yyyy-MM-dd format.

convertTimeZone(outputs(‘Secret_List’)?[‘validityEndTime’],’UTC’,’India Standard Time’,’yyyy-MM-dd’)

Convert to IST time zone (actual format will be UTC and the time zone given in the vault is IST)

Current Date: To get the current date for comparing with expiry date

convertFromUtc(formatDateTime(utcNow()),’India Standard Time’,’yyyy-MM-dd’)

SecretNearExpiry: Gives the date which is 30 days before the expiry date


Condition to check if the secret expired:

Add condition action and check if the current date(outputs(‘Current_Date’)) is equal to the expiry date(outputs(‘Expiry_Date’)). If so, add an email connector in the tree branch.

In the false branch, add another condition (Condition to check if the secret is about to expire) to check if the current date(outputs(‘Current_Date’)) is equal to 30 days less than the expiry date(outputs(‘SecretNearExpiry’))

We can customise the alerts as per our needs.

Email is sent in the below format.

Conclusion on Key Vault Secret Expiry

This article has covered enhancing security by triggering key vault secret expiry alerts. The synergy between Azure Event Grid triggering secret expiration alerts in Key Vault and Logic Apps for swift responses creates an excellent security solution. This seamless integration not only ensures timely notifications but also exemplifies the efficiency of Azure services.

Do you need help?

Do you need help with Logic Apps or Systems Integration in general? Don’t hesitate to contact us at Gislen Software. Our expertise and experience ensure a smooth and efficient Systems Integration. Whether you face technical challenges or need strategic guidance, we are here to help you reach your goals. Contact us today to discuss how we can support your upgrade!

Was this article helpful?