Azure Key Vault Secret Expiry Notifications Using Azure Alerts

James Ferrari
Published in Version 1
7 min read, Dec 15, 2023

A colleague of mine was recently looking into how they could trigger notifications to users when a Key Vault Secret was near to or had expired.

There are multiple ways to achieve this: you could use a Logic App, a Function App or an Automation Account, to name a few. However, each of these methods adds cost, and you also have to provide your own email server (or mail service) to send the email.

A requirement for this solution was to see if we could leverage Azure Alerts so that we did not have to provide our own email server.

I did a lot of searching around the internet and could not find any solution that used Azure Alerts; all the solutions I found were based around the resources above and required you to provide an email server.

This blog dives into a solution I found which uses Azure Alerts to notify users when their Key Vault has a secret that has expired or is approaching its expiry date.

Requirements

  • Azure Key Vault
  • Log Analytics Workspace
  • Action Group
  • Log Query Alert

Solution

As the title suggests, this solution is going to be based around Azure Alerts.

First, we are going to enable diagnostic settings on our Key Vault and send its logs to our Log Analytics Workspace. We are then going to create an Action Group to configure the type of notification we would like to receive when the alert is triggered. Next, we are going to set up our alert, which will be a log query alert. Finally, we will test the alert!

For this blog, I am going to assume you already have Azure Key Vault and Log Analytics Workspace created.

I implemented this solution via Terraform, but for today’s blog I am going to show you how to implement it via the Azure Portal, so that you can re-engineer the steps in your tool of choice, whether that be Terraform, Bicep or any other Infrastructure as Code (IaC) tool you decide to use.

Diagnostic Settings

1. Navigate to Your Key Vault > Diagnostic Settings > + Add Diagnostic Setting.

2. Select all category groups and metrics, then select Send to Log Analytics workspace and choose your destination Log Analytics Workspace. (The alert query only needs the logs; sending every category and metric is the simplest option to get started, but it increases workspace ingestion, so consider trimming the selection once you have confirmed which category the expiry events arrive in.)

3. Select Save.

Once we have enabled diagnostic settings, it is time to set up our Action Group in Azure.

Action Group

We need to create an action group in Azure to be used with our alert. Action groups enable you to define a list of actions to execute when an alert is triggered, such as sending an email or SMS notification.

To create an action group:

1. Navigate to Azure Portal Home > Alerts > + Create > Action group:

2. On the Basics tab, select your Resource group, Region, Action group name and Display Name, then select Next: Notifications at the bottom of the screen.

3. Under the Notifications tab, select the Notification type of your choice and give it a name. For this demo, I am going to use email notifications, so I am going to select Email/SMS message/Push/Voice.

4. On the right-hand pane, please ensure Email is ticked and enter the email address you would like the alert to be sent to, then select OK:

5. Select Review + Create to create your action group; we will use this action group later in the tutorial.

Azure Alert

We now need to set up our log query alert. Log query alert rules create an alert when a log query returns a particular result.

To set the alert:

1. Navigate to Your Key Vault > Alerts > + Create > Alert rule:

2. On the Condition tab, select the Signal name field and select Custom log search:

3. On the Logs pane presented on the right, we need to add our query.

The query we are going to use is a basic query which looks for any rows where the OperationName contains either SecretNearExpiry or SecretExpired.

We then project one column called SecretName, which returns the name of every secret that has such a log entry in the time range specified later in the alert configuration. The column_ifexists wrapper lets the query validate even before the first expiry event has populated that column in the workspace; if the column is missing, SecretName falls back to the literal column name rather than a real secret name, so a row with that value means the diagnostic data has not arrived yet:

AzureDiagnostics
// Key Vault logs its expiry events with these operation names
| where OperationName contains "SecretNearExpiry" or OperationName contains "SecretExpired"
// The secret name arrives in the Event Grid payload columns of the diagnostic row
| project SecretName = column_ifexists("eventGridEventProperties_data_ObjectName_s", "eventGridEventProperties_data_ObjectName_s")

4. Select Run > Continue Editing Alert.

5. In the Measurement section, choose your desired options. For this demo, I am going to use the options below:

6. We then need to choose our dimensions. This part is key if we want a separate alert for each secret: select SecretName as the dimension, and ensure the checkbox Include all future values is ticked so that secrets created after the rule is saved are still split out into their own alerts:

7. Next, select your required Alert logic for your query. For this demo, I have set the settings below, which run the alert rule every 10 minutes and create an alert every time a new log appears for a secret.

8. Select Next: Actions >.

9. Under the Actions tab, select + Select action groups.

10. On the right-hand pane under Select action groups, tick your action group created earlier in the tutorial and hit Select:

11. Select Next: Details >.

12. On the Details tab, select the Resource group in which to save the alert, then complete the Alert rule details by selecting the Severity, Alert rule name (this will be the name displayed in the email subject), Alert rule description (optional) and Region:

13. Finally, select Review + create to create your alert!

Testing

It is now time to test the alert. We are going to create a new secret in our Key Vault, making sure that the expiration date is 45 minutes in the future. (Key Vault raises SecretNearExpiry 30 days before a secret expires, so a secret created with only 45 minutes left is already inside that window and the event is raised shortly after creation.)

Please ensure you have the relevant permissions on the Key Vault to create secrets.

1. Navigate to Your Key Vault > Secrets > + Generate/Import.

2. Create a new secret with the following details:
  • Name: TestSecret
  • Secret value: Random Value
  • Set expiration date: true
  • Expiration date: {45 minutes in the future; ensure you change the year, as the default is two years ahead}

3. Select Create.

We now wait! It can take up to 30 minutes for the alert to come through.

Shortly after, we should receive an alert letting us know that our secret is due to expire.

The email subject will contain the name of your alert.

The email body will contain the name of the secret the log entry is for:

Conclusion

There we have it, a simple yet effective solution which saves you from setting up Logic Apps or Function Apps to send notifications for Key Vault secrets!

One small downside of this solution is that in the email body the secret name appears under Dimensions.Dimensionvalue1. Not ideal, but at least the email contains the secret name.

I recommend setting up separate alerts for secrets that are near to expiring and secrets that have expired. For the purpose and length of this blog I combined the two, but you can easily split them by using the queries below in separate alert rules, which also lets you give the expired case a higher severity than the near-expiry warning.

Secret Near Expiry

AzureDiagnostics
// Warning: the secret will expire soon
| where OperationName contains "SecretNearExpiry"
| project SecretName = column_ifexists("eventGridEventProperties_data_ObjectName_s", "eventGridEventProperties_data_ObjectName_s")

Secret Expired

AzureDiagnostics
// The secret has already expired
| where OperationName contains "SecretExpired"
| project SecretName = column_ifexists("eventGridEventProperties_data_ObjectName_s", "eventGridEventProperties_data_ObjectName_s")
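The author mentions implementing this with Terraform but does not show it, so the following is an added example, not the author's own code: a Terraform (azurerm provider) version of the whole procedure above (diagnostic setting, action group and log query alert), with the two separate near-expiry and expired rules the conclusion recommends. The variable names, resource names, short name, email variable and the severity values are assumptions; the Key Vault and workspace are assumed to already exist, as in the post, and only the logs (not metrics) are sent to the workspace because the query needs nothing else.

```hcl
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.80" # assumed provider version
    }
  }
}

provider "azurerm" {
  features {}
}

# Assumed inputs: the Key Vault and Log Analytics Workspace already exist.
variable "key_vault_id" { type = string }                # resource ID of the existing vault
variable "log_analytics_workspace_id" { type = string }  # resource ID of the existing workspace
variable "resource_group_name" { type = string }         # where the action group and rules live
variable "location" { type = string }
variable "alert_email" { type = string }                 # hypothetical recipient address

# 1. Diagnostic settings: send the vault's logs to the workspace.
resource "azurerm_monitor_diagnostic_setting" "kv" {
  name                       = "kv-to-law"
  target_resource_id         = var.key_vault_id
  log_analytics_workspace_id = var.log_analytics_workspace_id

  enabled_log {
    category_group = "allLogs" # matches "all category groups" in the post; trim later if needed
  }
}

# 2. Action group: an email receiver, so no mail server of our own is required.
resource "azurerm_monitor_action_group" "kv_expiry" {
  name                = "kv-secret-expiry-ag"
  resource_group_name = var.resource_group_name
  short_name          = "kvexpiry" # at most 12 characters

  email_receiver {
    name                    = "secret-owners"
    email_address           = var.alert_email
    use_common_alert_schema = true
  }
}

# 3. One log query alert rule per event type, as the conclusion recommends.
locals {
  expiry_rules = {
    near-expiry = { operation = "SecretNearExpiry", severity = 2 } # warning
    expired     = { operation = "SecretExpired", severity = 1 }    # error
  }
}

resource "azurerm_monitor_scheduled_query_rules_alert_v2" "kv_expiry" {
  for_each = local.expiry_rules

  name                = "kv-secret-${each.key}"
  display_name        = "Key Vault secret ${each.value.operation}"
  resource_group_name = var.resource_group_name
  location            = var.location
  severity            = each.value.severity

  scopes               = [var.key_vault_id] # resource-scoped, like "Your Key Vault > Alerts"
  evaluation_frequency = "PT10M"            # run every 10 minutes, as in the post
  window_duration      = "PT10M"            # look back over the same 10 minutes

  # The table/column only exist once the first event has arrived; skip
  # validation so the rule can be created on a fresh workspace.
  skip_query_validation = true

  criteria {
    # Same query as the post, parameterised on the operation name.
    query = <<-KQL
      AzureDiagnostics
      | where OperationName contains "${each.value.operation}"
      | project SecretName = column_ifexists("eventGridEventProperties_data_ObjectName_s", "eventGridEventProperties_data_ObjectName_s")
    KQL

    time_aggregation_method = "Count" # count rows per secret in the window
    operator                = "GreaterThan"
    threshold               = 0       # any new row for a secret fires an alert

    # Split by secret name; "*" is the portal's "Include all future values".
    dimension {
      name     = "SecretName"
      operator = "Include"
      values   = ["*"]
    }

    failing_periods {
      minimum_failing_periods_to_trigger_alert = 1
      number_of_evaluation_periods             = 1
    }
  }

  action {
    action_groups = [azurerm_monitor_action_group.kv_expiry.id]
  }
}
```

Running terraform apply with the five variables set produces the same objects the portal steps create. Because the dimension is SecretName with values ["*"], each secret gets its own alert instance, which is also why the secret name shows up under the dimension values in the email body rather than in a dedicated field.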

About the author

James Ferrari is a Senior Azure DevOps Engineer here at Version 1.
