Monitoring Key Vault with Azure Event Grid

Key Vault integration with Event Grid allows users to be notified when the status of a secret stored in key vault has changed. A status change is defined as a secret that is about to expire (30 days before expiration), a secret that has expired, or a secret that has a new version available. Notifications for all three secret types (key, certificate, and secret) are supported.

Applications can react to these events using modern serverless architectures, without the need for complicated code or expensive and inefficient polling services. Events are pushed through Azure Event Grid to event handlers such as Azure Functions, Azure Logic Apps, or even to your own Webhook, and you only pay for what you use. For information about pricing, see Event Grid pricing.

Key Vault events and schemas

Event Grid uses event subscriptions to route event messages to subscribers. Key Vault events contain all the information you need to respond to changes in your data. You can identify a Key Vault event because the eventType property starts with "Microsoft.KeyVault".

For more information, see the Key Vault event schema.

Warning

Notification events are triggered only on new versions of secrets, keys and certificates, and you must first subscribe to the event on your key vault in order to receive these notifications.

Practices for consuming events

Applications that handle Key Vault events should follow a few recommended practices:

  • Multiple subscriptions can be configured to route events to the same event handler. It's important not to assume events are from a particular source, but to check the topic of the message to ensure that it comes from the key vault you're expecting.
  • Similarly, check that the eventType is one you're prepared to process, and do not assume that all events you receive will be the types you expect.
  • Ignore fields you don't understand. This practice will help keep you resilient to new features that might be added in the future.
  • Use the "subject" prefix and suffix matches to limit events to a particular event.

Next steps