Notify Key Vault Status Changes using event grid subscription and logic apps

At one of my previous companies (pre-Azure days), I wrote a utility tool that scanned through all the certificates in the cert store and sent an email notification to the team listing the certs that were expiring within 30 days. It was an extremely useful tool back then; using Azure Key Vault events, the same functionality can be achieved quite easily.

Azure Key Vault integration with Event Grid lets users be notified when the status of an object stored in Key Vault changes. Notifications are supported for all three object types in Key Vault (keys, secrets and certificates). Events are pushed through Azure Event Grid to event handlers such as Azure Functions, Azure Logic Apps or webhooks. Key Vault events contain all the information needed to respond to changes in the data.

Types of events supported

  1. Certificate New Version Created
  2. Certificate Near Expiry
  3. Certificate Expired
  4. Key New Version Created
  5. Key Near Expiry
  6. Key Expired
  7. Secret New Version Created
  8. Secret Near Expiry
  9. Secret Expired
  10. Vault Access Policy Changed

Let’s integrate Logic Apps with Event Grid to receive a notification when a new secret version is created, using the Secret New Version Created event.

  1. Go to the key vault, select Events, then Get Started, and click Logic Apps.
  2. On the Logic Apps Designer, validate the connection and click Continue.
  3. On the When a resource event occurs screen, do the following:
    • Leave Subscription and Resource Name as default.
    • Select Microsoft.KeyVault.vaults for the Resource Type.
    • Several event types are available; select Microsoft.KeyVault.SecretNewVersionCreated for Event Type Item – 1.
    • Select + New Step. This opens a Choose an action window.
  4. Search for Email. Based on your email provider, find and select the matching connector. I’m using Office 365 Outlook; Gmail is not supported with the Event Grid binding.
  5. Select the Send an email (V2) action.
  6. Build your email template:
    • To: Enter the email address that should receive the notification emails.
    • Subject and Body: Write the text for your email. Select JSON properties from the selector tool to include dynamic content based on event data. You can retrieve the event data using @{triggerBody()?['Data']}.
  7. Click Save as, enter a logic app name and click Create.
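The Logic App above emails whatever `@{triggerBody()?['Data']}` contains. As an added example (not from the original post, and not how the Logic App connector itself is implemented), the Python handler below shows what an event handler should do with that payload: recognise the ten Key Vault event types listed earlier, check that the event really came from the vault you subscribed to before emailing anyone, and turn the event metadata into a subject and body. The `eventType` strings follow the `Microsoft.KeyVault.SecretNewVersionCreated` naming the post uses; the field names inside `data` (`Id`, `VaultName`, `ObjectType`, `ObjectName`, `Version`, `NBF`, `EXP`) are taken from the documented Key Vault event schema, and the sample events, vault name and timestamps are constructed for illustration.

```python
"""
Added example: parse Key Vault events delivered by Event Grid and build the
notification an email step would send. Not the Logic App's own code.
"""
import json
from datetime import datetime, timezone

# The ten Key Vault event types from the post, keyed by Event Grid eventType.
# Only SecretNewVersionCreated appears verbatim in the post; the others follow
# the same Microsoft.KeyVault.<Object><Event> naming (assumption).
KEYVAULT_EVENT_TYPES = {
    "Microsoft.KeyVault.CertificateNewVersionCreated": "Certificate New Version Created",
    "Microsoft.KeyVault.CertificateNearExpiry": "Certificate Near Expiry",
    "Microsoft.KeyVault.CertificateExpired": "Certificate Expired",
    "Microsoft.KeyVault.KeyNewVersionCreated": "Key New Version Created",
    "Microsoft.KeyVault.KeyNearExpiry": "Key Near Expiry",
    "Microsoft.KeyVault.KeyExpired": "Key Expired",
    "Microsoft.KeyVault.SecretNewVersionCreated": "Secret New Version Created",
    "Microsoft.KeyVault.SecretNearExpiry": "Secret Near Expiry",
    "Microsoft.KeyVault.SecretExpired": "Secret Expired",
    "Microsoft.KeyVault.VaultAccessPolicyChanged": "Vault Access Policy Changed",
}

# Fixed "current time" so the expiry arithmetic below is reproducible: 2021-06-01T00:00:00Z.
SAMPLE_NOW = datetime(2021, 6, 1, tzinfo=timezone.utc)

# Constructed sample delivery: Event Grid posts a JSON array of events.
# Note that Key Vault events carry metadata only, never the secret value itself.
SAMPLE_EVENTS = json.dumps([
    {
        "id": "00000000-0000-0000-0000-000000000001",
        "topic": "/subscriptions/<sub-id>/resourceGroups/rg-demo/providers/Microsoft.KeyVault/vaults/kv-demo",
        "subject": "db-password",
        "eventType": "Microsoft.KeyVault.SecretNewVersionCreated",
        "eventTime": "2021-06-01T10:00:00.0000000Z",
        "data": {
            "Id": "https://kv-demo.vault.azure.net/secrets/db-password/2a1b3c",
            "VaultName": "kv-demo",
            "ObjectType": "Secret",
            "ObjectName": "db-password",
            "Version": "2a1b3c",
            "NBF": 1622541600,   # 2021-06-01T10:00:00Z
            "EXP": 1625133600,   # 2021-07-01T10:00:00Z, ~30 days out
        },
        "dataVersion": "1",
        "metadataVersion": "1",
    },
    {
        "id": "00000000-0000-0000-0000-000000000002",
        "topic": "/subscriptions/<sub-id>/resourceGroups/rg-demo/providers/Microsoft.KeyVault/vaults/kv-demo",
        "subject": "tls-web",
        "eventType": "Microsoft.KeyVault.CertificateNearExpiry",
        "eventTime": "2021-06-01T00:05:00.0000000Z",
        "data": {
            "Id": "https://kv-demo.vault.azure.net/certificates/tls-web/9f8e7d",
            "VaultName": "kv-demo",
            "ObjectType": "Certificate",
            "ObjectName": "tls-web",
            "Version": "9f8e7d",
            "NBF": 1591056000,
            "EXP": 1623110400,   # 7 days after SAMPLE_NOW
        },
        "dataVersion": "1",
        "metadataVersion": "1",
    },
    {
        # Same event family but from a vault we did not subscribe to: must be dropped.
        "id": "00000000-0000-0000-0000-000000000003",
        "topic": "/subscriptions/<sub-id>/resourceGroups/rg-other/providers/Microsoft.KeyVault/vaults/kv-other",
        "subject": "api-token",
        "eventType": "Microsoft.KeyVault.SecretExpired",
        "eventTime": "2021-06-01T00:06:00.0000000Z",
        "data": {"Id": "https://kv-other.vault.azure.net/secrets/api-token/1",
                 "VaultName": "kv-other", "ObjectType": "Secret",
                 "ObjectName": "api-token", "Version": "1", "EXP": 1622505000},
        "dataVersion": "1",
        "metadataVersion": "1",
    },
])


def parse_events(raw):
    """Event Grid delivers a JSON array; tolerate a single object as well."""
    payload = json.loads(raw)
    return payload if isinstance(payload, list) else [payload]


def days_until_expiry(data, now):
    """EXP is a Unix timestamp in seconds; it is absent when no expiry is set."""
    exp = data.get("EXP")
    if exp is None:
        return None
    return (datetime.fromtimestamp(int(exp), tz=timezone.utc) - now).days


def build_notification(event, expected_vault, now):
    """Return {'subject', 'body'} for one event, or None if it must not be emailed.

    Events are dropped when the type is not a Key Vault event we know, or when the
    vault in the payload is not the one we subscribed to: the handler, not the
    sender, decides what it trusts.
    """
    label = KEYVAULT_EVENT_TYPES.get(event.get("eventType"))
    data = event.get("data") or {}
    if label is None or data.get("VaultName") != expected_vault:
        return None
    target = data.get("ObjectName") or data["VaultName"]
    lines = [f"Event: {label}", f"Vault: {data['VaultName']}", f"Time: {event.get('eventTime')}"]
    if data.get("ObjectName"):
        lines.append(f"Object: {data.get('ObjectType')} '{data['ObjectName']}' version {data.get('Version')}")
    days = days_until_expiry(data, now)
    if days is not None:
        lines.append(f"Expires in {days} day(s)")
    return {"subject": f"[Key Vault] {label}: {target}", "body": "\n".join(lines)}


def handle_payload(raw, expected_vault, now=None):
    """Parse a delivery and return the notifications that should be sent."""
    now = now or datetime.now(timezone.utc)
    notes = (build_notification(e, expected_vault, now) for e in parse_events(raw))
    return [n for n in notes if n is not None]


if __name__ == "__main__":
    for note in handle_payload(SAMPLE_EVENTS, "kv-demo", now=SAMPLE_NOW):
        print(note["subject"])
        print(note["body"], end="\n\n")
```

In the Logic App the same effect is achieved by a Condition step on the event type and vault name before the Send an email action, so that an email is only produced for events from the vault you expect.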

Let’s test.

  1. Go to your key vault and select Events > Event Subscriptions; you should see a subscription for the logic app.
  2. Add a new version to an existing secret, or add a new secret.
  3. Once the secret is created, the event is triggered and an email is sent to the configured address.

Conclusion
Monitoring Key Vault using events is very useful: key rotation can be automated with an event handler, and certificate expiration can be notified. I will explain automatic rotation of keys using event subscriptions in upcoming posts.

Useful links
https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources
