Use Logic Apps to receive email about status changes of key vault secrets

In this guide you will learn how to respond to Azure Key Vault events that are received via Azure Event Grid by using Azure Logic Apps. By the end, you will have an Azure logic app set up to send a notification email every time a secret is created in Azure Key Vault.

For an overview of Azure Key Vault / Azure Event Grid integration, see Monitoring Key Vault with Azure Event Grid (preview).

Prerequisites

  • An email account from any email provider that is supported by Azure Logic Apps (such as Office 365 Outlook). This email account is used to send the event notifications. For a complete list of supported Logic App connectors, see the Connectors overview
  • An Azure subscription. If you don't have an Azure subscription, create a free account before you begin.
  • A key vault in your Azure Subscription. You can quickly create a new key vault by following the steps in Set and retrieve a secret from Azure Key Vault using Azure CLI.

Create a Logic App via Event Grid

First, create Logic App with event grid handler and subscribe to Azure Key Vault "SecretNewVersionCreated" events.

To create an Azure Event Grid subscription, follow these steps:

  1. Open the Azure portal using the following link: https://portal.azure.com/?Microsoft_Azure_KeyVault_ShowEvents=true&Microsoft_Azure_EventGrid_publisherPreview=true

  2. In the Azure portal, go to your key vault, select Events > Get Started and click Logic Apps

    Key Vault - events page

  3. On Logic Apps Designer validate the connection and click Continue

    Logic App Designer - connection

  4. On the When a a resource event occurs screen, do the following:

    • Leave Subscription and Resource Name as default.
    • Select Microsoft.KeyVault.vaults for the Resource Type.
    • Select Microsoft.KeyVault.SecretNewVersionCreated for Event Type Item - 1.

    Logic App Designer - event handler

  5. Select + New Step This will open a window to Choose an action.

  6. Search for Email. Based on your email provider, find and select the matching connector. This tutorial uses Office 365 Outlook. The steps for other email providers are similar.

  7. Select the Send an email (V2) action.

    Logic App Designer - add email

  8. Build your email template:

    • To: Enter the email address to receive the notification emails. For this tutorial, use an email account that you can access for testing.
    • Subject and Body: Write the text for your email. Select JSON properties from the selector tool to include dynamic content based on event data. You can retrieve the data of the event using @{triggerBody()?['Data']}.

    Your email template may look like this example.

    Logic App Designer - add email

  9. Click Save as.

  10. Enter a name for new logic app and click Create.

    Logic App Designer - add email

Test and verify

  1. Go to your key vault on the Azure portal and select Events > Event Subscriptions. Verify that a new subscription created

    Logic App Designer - add email

  2. Go to your key vault, select Secrets, and select + Generate/Import. Create a new secret for testing purposes name the key and keep the remaining parameters in their default settings.

    Key Vault - Create Secret

  3. On the Create a secret screen provide any name, any value, and select Create.

When the secret is created, an email will be received at the configured addresses.

Next steps