Securing sensitive information is paramount in today’s digital landscape, and Azure Key Vault provides a robust solution for managing secrets. This article shows how to raise timely alerts when a secret in Azure Key Vault is approaching its expiry date: Azure Event Grid delivers the Key Vault event, and a Logic App processes it and sends the notification. Together they form a proactive alerting mechanism that lets you rotate secrets before they expire. Let’s walk through the steps to set this up.
Azure Event Grid
Azure Event Grid is a fully managed event routing service in Azure. It enables efficient communication in event-driven applications through features like event-driven architecture, diverse event sources, event filtering, serverless scalability, integration with Azure services, retry mechanisms, and robust security.
Step 1:
Create a key vault. Add a secret and set the expiration date.


Step 2:
In the key vault, go to Events -> Logic App to create a logic app. Creating the logic app from Key Vault Events automatically creates an event subscription backed by an Event Grid system topic.

Event subscription and event grid system topic


In the logic app, use the “When a resource event occurs” trigger to subscribe to the events.

Alternatively, we can create a logic app directly with the trigger “When a resource event occurs.”
We can use either a service principal or a managed identity for the Event Grid connection.

To use a service principal, create an app registration in Azure Active Directory with the following details:



Name: Enter a name for your app registration
Supported account types: Choose an appropriate account type
Redirect URI: Optional; provide one only if your application requires it
Click on “Register”
A new app registration will be created

Next, you will need the Client ID and Tenant ID for authentication. You can get both from the app details page.

For the client secret -> Go to Certificates & Secrets -> New client secret
Once the client secret is created, copy the secret value straight away, as it will not be available for copying later.

Provide these values in the logic app connection and create it.

After the connection is created, provide the trigger details listed below.
Logic App steps: the steps below were tried using a Consumption Logic App.

Resource Type: Select Microsoft.KeyVault.vaults
Resource name: Select the key vault created (key vaults are shown in the drop-down)
Event Type: Select the event types based on the requirement

In our case, we need to send alerts when a secret has expired or is about to expire (the Microsoft.KeyVault.SecretExpired and Microsoft.KeyVault.SecretNearExpiry event types).

We can also select the event type that fires when a new version of the secret is created.
Click Save. An event subscription with an Event Grid system topic will be created in the key vault.
Step 3: Logic App to send alerts

Initialize variable: Initialize an array variable for the secret list
List Secrets: This connector lists all secrets in a key vault.
If we only need alerts, an Event Grid trigger followed by an email connector is enough. However, that alert will not include the expiry date.
We need to use the List Secrets connector to get the expiry date.

Secret List: Loops over all secrets present in the key vault
Expiry Date: Gets the expiry date in yyyy-MM-dd format.
convertTimeZone(outputs('Secret_List')?['validityEndTime'],'UTC','India Standard Time','yyyy-MM-dd')
Converts to the IST time zone (the stored value is in UTC, while the expiry date was set in the vault in IST)
Current Date: Gets the current date for comparison with the expiry date
convertFromUtc(formatDateTime(utcNow()),'India Standard Time','yyyy-MM-dd')
SecretNearExpiry: Gives the date 30 days before the expiry date
formatDateTime(subtractFromTime(outputs('Expiry_Date'),30,'Day'),'yyyy-MM-dd')

Condition to check if the secret has expired:
Add a Condition action and check whether the current date (outputs('Current_Date')) is equal to the expiry date (outputs('Expiry_Date')). If so, add an email connector in the true branch.
In the false branch, add another condition (to check if the secret is about to expire) that tests whether the current date (outputs('Current_Date')) is equal to the date 30 days before expiry (outputs('SecretNearExpiry')).
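The three date expressions and the two condition branches above, reproduced in plain Python so the logic can be checked offline. This is an added example, not code from the original post or from the Logic App itself; the secret names, dates and the List Secrets-shaped records are constructed sample data, and a fixed UTC+05:30 offset stands in for the 'India Standard Time' conversion.

```python
from datetime import datetime, timedelta, timezone

# India Standard Time is a fixed UTC+05:30 offset with no DST, so a fixed
# offset reproduces the Logic App's 'India Standard Time' conversion.
IST = timezone(timedelta(hours=5, minutes=30))
NEAR_EXPIRY_DAYS = 30  # the 30-day threshold used in the post

# Constructed stand-in for the "List Secrets" connector output; the real
# connector returns validityEndTime as an ISO-8601 UTC timestamp.
SAMPLE_SECRETS = [
    {"name": "db-connection-string", "validityEndTime": "2024-06-30T18:30:00Z"},
    {"name": "api-key", "validityEndTime": "2024-07-30T18:30:00Z"},
    {"name": "smtp-password", "validityEndTime": "2025-01-01T00:00:00Z"},
    {"name": "legacy-token", "validityEndTime": None},  # no expiry set on the secret
]

def to_ist_date(utc_iso: str) -> str:
    """convertTimeZone(validityEndTime, 'UTC', 'India Standard Time', 'yyyy-MM-dd')"""
    ts = datetime.fromisoformat(utc_iso.replace("Z", "+00:00"))
    return ts.astimezone(IST).strftime("%Y-%m-%d")

def near_expiry_date(expiry_date: str) -> str:
    """formatDateTime(subtractFromTime(Expiry_Date, 30, 'Day'), 'yyyy-MM-dd')"""
    d = datetime.strptime(expiry_date, "%Y-%m-%d")
    return (d - timedelta(days=NEAR_EXPIRY_DAYS)).strftime("%Y-%m-%d")

def classify_secrets(secrets, now_utc_iso: str) -> dict:
    """Run both condition branches for each secret; returns name -> status."""
    # convertFromUtc(utcNow(), 'India Standard Time', 'yyyy-MM-dd')
    current_date = to_ist_date(now_utc_iso)
    result = {}
    for s in secrets:
        if not s["validityEndTime"]:
            # A null validityEndTime would make convertTimeZone fail in the
            # Logic App, so such secrets are reported instead of compared.
            result[s["name"]] = "no-expiry"
            continue
        expiry = to_ist_date(s["validityEndTime"])
        if current_date == expiry:                      # first condition, true branch
            result[s["name"]] = "expired"
        elif current_date == near_expiry_date(expiry):  # second condition, false branch
            result[s["name"]] = "near-expiry"
        else:
            result[s["name"]] = "ok"
    return result
```

Because both conditions test equality with the current date, each alert fires only on that exact day; a run that does not happen on the expiry day or the 30-day-prior day sends no alert for that secret.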

We can customise the alerts as needed.
The email is sent in the format below.


Conclusion on Key Vault Secret Expiry
This article has covered enhancing security by triggering Key Vault secret expiry alerts. Combining Azure Event Grid, which raises the secret expiration events from Key Vault, with Logic Apps, which act on them, gives a simple and effective security solution. The integration ensures timely notifications and shows how well these Azure services work together.
Do you need help?
Do you need help with Logic Apps or Systems Integration in general? Don’t hesitate to contact us at Gislen Software. Our expertise and experience ensure a smooth and efficient Systems Integration. Whether you face technical challenges or need strategic guidance, we are here to help you reach your goals. Contact us today to discuss how we can support your upgrade!
Frequently Asked Questions
What is Azure Key Vault and why is secret expiry monitoring important?
Azure Key Vault is a cloud service for securely storing and managing sensitive information such as secrets, keys, and certificates. Secrets such as API keys, passwords, and connection strings often have expiry dates, and if they expire without being renewed, applications can fail or become vulnerable. Proactive monitoring of expiry dates ensures that secrets are rotated on time, reducing the risk of outages and security gaps.
What is Azure Event Grid and what role does it play in this solution?
Azure Event Grid is a fully managed event routing service that enables event-driven communication between Azure services. In this solution, it acts as the trigger layer. When a secret in Azure Key Vault approaches or reaches its expiry date, Event Grid captures that event and routes it to a Logic App, which then processes the alert and sends a notification. It supports filtering, retry mechanisms, and integrates natively with Key Vault and Logic Apps.
What events from Azure Key Vault can be used to trigger alerts?
Key Vault emits several event types that can be subscribed to via Event Grid. For expiry alerting, the relevant events are those indicating a secret has expired or is near expiry. You can also subscribe to events that fire when a secret version is created or updated. In the Logic App trigger, you select only the event types relevant to your alerting requirements, keeping the workflow focused and efficient.
Why is a Logic App used alongside Event Grid rather than Event Grid alone?
Event Grid handles the event routing but does not contain workflow logic on its own. A Logic App is needed to process the event, retrieve the secret list, calculate expiry dates, compare them against the current date, and send a formatted alert. Without the Logic App, you could receive a basic notification but would not have the expiry date included or the ability to customise the alert content and conditions.
How does the solution know when a secret is about to expire, not just when it has already expired?
The Logic App uses a calculated date that is 30 days before the actual expiry date. During each run, it compares the current date against both the expiry date and the 30-day-prior date. If the current date matches the expiry date, an expired alert is sent. If the current date matches the 30-day-prior date, a near-expiry alert is sent. This two-condition check ensures teams are notified in advance, with enough time to act before the secret actually expires.
Why is the List Secrets connector needed in the Logic App?
The Event Grid trigger alone does not provide the expiry date of the secret in its payload. To include the expiry date in the alert email, the Logic App must call the List Secrets connector, which retrieves all secrets from the Key Vault along with their validity end times. This data is then used to calculate expiry and near-expiry conditions and to format a meaningful, informative alert message.
How are time zones handled in the expiry date comparison?
Azure Key Vault stores expiry dates in UTC. The Logic App converts these dates to India Standard Time using the convertTimeZone function before performing comparisons and formatting the alert. The current date is also retrieved and converted to the same time zone using convertFromUtc. This ensures the comparison is consistent and the dates displayed in alert emails reflect the correct local time rather than UTC.
What authentication options are available for the Event Grid connection in Logic Apps?
Two options are supported. The first is a service principal, which requires creating an app registration in Azure Active Directory and providing the client ID, tenant ID, and client secret values when configuring the Logic App connection. The second option is a managed identity, which removes the need to manage credentials manually by assigning the Logic App an identity with the appropriate permissions. Both approaches are valid; the choice depends on your organisation’s security and governance preferences.
Can the alert conditions and email format be customised?
Yes. The Logic App workflow is fully customisable. The 30-day near-expiry threshold can be adjusted to any number of days that suits your rotation policy. The email content can be formatted to include the secret name, expiry date, key vault name, or any other relevant details available from the List Secrets response. Additional notification channels such as Microsoft Teams or SMS can also be added alongside or instead of email.
Does this solution work with the Consumption tier of Logic Apps?
Yes. The steps described in this guide were implemented and tested using the Consumption Logic App tier. This tier is well suited for event-driven, infrequently triggered workflows like secret expiry alerting, and its pay-per-execution model keeps costs low for this type of use case. The same approach can also be applied to Logic Apps Standard if your organisation requires it for other reasons such as virtual network integration or more advanced workflow capabilities.
