Alert or event on secret expiry


  • Is it possible to configure Azure Key Vault to trigger an alert or event on secret expiry?

    I have a service that uses secrets stored in key vault and some expire after a year, some after 90 days - I wanted to be alerted when a secret is about to expire so that I can trigger the updation process.


    Tuesday, November 1, 2016 7:23 PM

All replies

  • Hi,

    Have never come across a way this can be done today.

    However you can write a custom powershell/c# script that can do this and schedule it to run everyday. The expiry details is send as part of the key/secret details. The script will need to access the vault with 'Get' access for this.

    EDIT: I went on to try this myself and ended up writing a powershell script and running it on Azure Runbook. Check out Expiry Notification for Azure Key Vault Keys and Secrets for more details

    Please mark posts as answers/helpful if it answers your query. This would be helpful for others facing the same kind of problem

    • Edited by Rahul P Nath Wednesday, December 7, 2016 6:52 PM added post link
    • Proposed as answer by Rahul P Nath Saturday, June 23, 2018 7:12 PM
    Wednesday, November 2, 2016 4:26 AM
  • Thank you for the great work you do for Azure Key Vault. We are currently working on a way for Key Vault to send notifications. So the way it would work is you put a secret in Key Vault and tell key vault how often you want to rotate the secret. (Ex every 30 days or so). Then you also tell Key Vault what types of notification you want to receive. Some of the types of notifications you want to receive are a) I want the secret to rotate every 30 days, but at 80% lifetime notify me that my secret is "about to expire" b) I want Key Vault to create a new version of a certificate or a Key and when Key Vault creates a new version notify me when it succeeded or failed The way Key vault will notify customers is Customers will create an Azure Event Grid message queue. And Key Vault will put a message on customers event grid channel. And so customers can react to these messages programmatically. They could write an Azure Function that would notify their apps or in the case of adhoc secrets (API keys) the Azure function could create a new version of the secret and put the new value in Key Vault. Sign up here to be notified when this feature is ready
    Tuesday, September 11, 2018 8:15 PM
  • This is great feature!

    (Assume you are on the Key Vault team/Microsoft. Probably you should link the live id with msft id so that it comes up here as well :) )

    Please mark posts as answers/helpful if it answers your query. This would be helpful for others facing the same kind of problem

    Tuesday, September 11, 2018 8:36 PM