Azure Key Vault as Event Grid source

This article provides the properties and schema for events in Azure Key Vault. For an introduction to event schemas, see Azure Event Grid event schema.

Available event types

An Azure Key Vault account generates the following event types:

| Event full name | Event display name | Description |
| --- | --- | --- |
| Microsoft.KeyVault.CertificateNewVersionCreated | Certificate New Version Created | Triggered when a new certificate or new certificate version is created. |
| Microsoft.KeyVault.CertificateNearExpiry | Certificate Near Expiry | Triggered when the current version of a certificate is about to expire. (The event is triggered 30 days before the expiration date.) |
| Microsoft.KeyVault.CertificateExpired | Certificate Expired | Triggered when the current version of a certificate is expired. |
| Microsoft.KeyVault.KeyNewVersionCreated | Key New Version Created | Triggered when a new key or new key version is created. |
| Microsoft.KeyVault.KeyNearExpiry | Key Near Expiry | Triggered when the current version of a key is about to expire. (The event is triggered 30 days before the expiration date.) |
| Microsoft.KeyVault.KeyExpired | Key Expired | Triggered when the current version of a key is expired. |
| Microsoft.KeyVault.SecretNewVersionCreated | Secret New Version Created | Triggered when a new secret or new secret version is created. |
| Microsoft.KeyVault.SecretNearExpiry | Secret Near Expiry | Triggered when the current version of a secret is about to expire. (The event is triggered 30 days before the expiration date.) |
| Microsoft.KeyVault.SecretExpired | Secret Expired | Triggered when the current version of a secret is expired. |
| Microsoft.KeyVault.VaultAccessPolicyChanged | Vault Access Policy Changed | Triggered when an access policy on Key Vault changes. This includes the case where the Key Vault permission model is changed to or from Azure role-based access control. |

Event examples

The following example shows the schema for Microsoft.KeyVault.SecretNewVersionCreated:

[
   {
      "id":"00eccf70-95a7-4e7c-8299-2eb17ee9ad64",
      "topic":"/subscriptions/{subscription-id}/resourceGroups/sample-rg/providers/Microsoft.KeyVault/vaults/sample-kv",
      "subject":"newsecret",
      "eventType":"Microsoft.KeyVault.SecretNewVersionCreated",
      "eventTime":"2019-07-25T01:08:33.1036736Z",
      "data":{
         "Id":"https://sample-kv.vault.azure.net/secrets/newsecret/ee059b2bb5bc48398a53b168c6cdcb10",
         "VaultName":"sample-kv",
         "ObjectType":"Secret",
         "ObjectName":"newsecret",
         "Version":"ee059b2bb5bc48398a53b168c6cdcb10",
         "NBF":"1559081980",
         "EXP":"1559082102"
      },
      "dataVersion":"1",
      "metadataVersion":"1"
   }
]

Event properties

An event has the following top-level data:

| Property | Type | Description |
| --- | --- | --- |
| topic | string | Full resource path to the event source. This field isn't writeable. Event Grid provides this value. |
| subject | string | Publisher-defined path to the event subject. |
| eventType | string | One of the registered event types for this event source. |
| eventTime | string | The time the event is generated based on the provider's UTC time. |
| id | string | Unique identifier for the event. |
| data | object | Key Vault event data. |
| dataVersion | string | The schema version of the data object. The publisher defines the schema version. |
| metadataVersion | string | The schema version of the event metadata. Event Grid defines the schema of the top-level properties. Event Grid provides this value. |

The data object has the following properties:

| Property | Type | Description |
| --- | --- | --- |
| Id | string | The ID of the object that triggered this event |
| VaultName | string | The key vault name of the object that triggered this event |
| ObjectType | string | The type of the object that triggered this event |
| ObjectName | string | The name of the object that triggered this event |
| Version | string | The version of the object that triggered this event |
| NBF | number | The not-before date in seconds since 1970-01-01T00:00:00Z of the object that triggered this event |
| EXP | number | The expiration date in seconds since 1970-01-01T00:00:00Z of the object that triggered this event |
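
The following handler sketch is an added example, not code from this article or from Azure: it parses an Event Grid batch in the schema above, keeps only Key Vault events whose topic names an allowlisted vault, and converts EXP to a UTC timestamp. The allowlist parameter, the triage labels and the sample events are assumptions made for illustration; EXP is accepted as either a number or a numeric string because the example event on this page carries it as a string.

```python
import json
from datetime import datetime, timezone

# Event types from this page mapped to a triage label (labels are hypothetical).
TRIAGE = {"VaultAccessPolicyChanged": "review-access"}
for _kind in ("Certificate", "Key", "Secret"):
    TRIAGE[_kind + "Expired"] = "expired"
    TRIAGE[_kind + "NearExpiry"] = "rotate-soon"
    TRIAGE[_kind + "NewVersionCreated"] = "record"
PREFIX = "Microsoft.KeyVault."

def _epoch(value):
    """NBF/EXP are seconds since 1970-01-01T00:00:00Z; accept int or numeric string."""
    if value in (None, ""):
        return None
    return datetime.fromtimestamp(int(value), tz=timezone.utc)

def triage_events(body, allowed_vaults):
    """Return one normalised record per recognised event from an allowed vault."""
    records = []
    for event in json.loads(body):
        event_type = event.get("eventType", "")
        short = event_type[len(PREFIX):] if event_type.startswith(PREFIX) else None
        vault = event.get("topic", "").rsplit("/vaults/", 1)[-1].lower()  # last path segment
        data = event.get("data") or {}
        if short not in TRIAGE or vault not in allowed_vaults:
            continue  # unknown event type or a vault this handler does not watch
        if str(data.get("VaultName", vault)).lower() != vault:
            continue  # payload disagrees with the topic; do not act on it
        records.append({
            "event_id": event.get("id"),
            "action": TRIAGE[short],
            "vault": vault,
            "object": data.get("ObjectName") or event.get("subject"),
            "expires": _epoch(data.get("EXP")),
        })
    return records

def _sample(event_type, vault, name, exp):  # constructed test events, not real ones
    return {"id": f"constructed-{name}", "eventType": PREFIX + event_type,
            "topic": "/subscriptions/{subscription-id}/resourceGroups/sample-rg"
                     f"/providers/Microsoft.KeyVault/vaults/{vault}",
            "subject": name, "dataVersion": "1", "metadataVersion": "1",
            "data": {"VaultName": vault, "ObjectType": "Secret",
                     "ObjectName": name, "EXP": exp}}

SAMPLE = json.dumps([_sample("SecretNearExpiry", "sample-kv", "newsecret", "1559082102"),
                     _sample("SecretExpired", "sample-kv", "oldsecret", 1559082102),
                     _sample("SecretExpired", "other-kv", "x", 1559082102)])
```

Calling `triage_events(SAMPLE, {"sample-kv"})` yields records for the two `sample-kv` events and drops the one whose topic names a vault outside the allowlist.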

Tutorials and how-tos

| Title | Description |
| --- | --- |
| Monitoring Key Vault events with Azure Event Grid | Overview of integrating Key Vault with Event Grid. |
| Tutorial: Create and monitor Key Vault events with Event Grid | Learn how to set up Event Grid notifications for Key Vault. |
