Key Vault Notifications

It is important to be in control of your Key Vault objects when they are changed or near expiry, both for your own application and for the other Azure services that use the Key Vault. In this post you will learn how Key Vault can now generate events that are delivered to subscribers!

by | Nov 5, 2019 | Automation, Serverless

Introduction

I often do projects for customers who are starting with Azure, or who have already started and have put their encryption keys, certificates and secrets in Azure Key Vault. IT operations, application owners and the security department want proactive management in Azure and need to be alerted when objects in the Key Vault are changed or near expiry, so that they stay compliant and in control.

The Azure Key Vault notification feature is currently in public preview and available in all public regions. Key Vault can now generate events that subscribers consume through WebHooks, Azure Event Hubs, Azure Functions and Logic Apps as endpoints.

With this capability, changes to keys, secrets and certificates can be captured automatically and used for automated rotation of near-expiry secrets and distribution of newly created secrets.

In addition, this feature can be used for alerting with a Logic App Event Grid handler. A status change is defined as a secret that is about to expire (within 30 days of expiration), a secret that has expired, or a secret that has a new version available. Notifications for all 3 object types (key, certificate and secret) are supported.

This feature allows users to ‘listen’ for status updates to their key vault by leveraging Event Grid, instead of having to continuously poll Azure Key Vault to find out whether a status change has occurred.

This feature also allows users to respond to status changes in their Key Vaults programmatically using Azure Automation or with Logic Apps integration.


Event Grid

Event Grid allows you to select an Azure Resource, such as a Key Vault, to subscribe to and monitor for pre-defined “events”. When an event triggers, the result is sent to an endpoint.

An endpoint is a URL that is set up to receive an HTTP POST request from Event Grid. In this example we will use a webhook from Azure Automation that triggers a runbook to execute when it receives the POST request.

A runbook is the unit of automation in Azure Automation: a process automation tool that lets you execute a script based on a trigger. In this example, the trigger will be a webhook, and we will execute a PowerShell script.

Prerequisites

This feature is currently in preview. You need to request access before proceeding with the steps listed in this document.

Visit aka.ms/keyvaultnotifications and submit your Azure subscription id to the intake form and wait for confirmation that your subscriptions have been whitelisted to use this feature before proceeding.

Within the Azure Key Vault, an event subscription will be created whose Key Vault event types route events to Azure Automation. When one of the objects in the Key Vault is about to expire or is changed by a new version, the Event Grid subscription is notified of the status change and makes an HTTP POST to the endpoint. A webhook created on the runbook then triggers the Azure Automation runbook, and the execution of a PowerShell script starts. Its output can then be used.

The HTTP POST can also be used within an Azure Logic App: when an Event Grid resource event occurs, a trigger and action in the Logic App can be created to send or post the message to a ticketing system, Microsoft Teams, Slack or mail, and so automate your process. See on the right a high-level design concept.

Step 1: Create an Azure Automation Account

  1. Go to portal.azure.com and log in to your subscription
  2. In the search box, type in ‘Automation Accounts’
  3. Under the “Services” Section of the drop-down from the search bar, select Automation Accounts.
  4. Click Add
  5. Fill the required information in the “Add Automation Account” Blade and select Create
  6. Wait for your automation account to be created.
  • Select the automation account you created in step 1.
  • Select “Runbooks” under the Process Automation section
  • Click the “Create a runbook”
  • Name your runbook and select “PowerShell” as the runbook type
  • Click on the runbook you created, and select the “Edit” Button
  • Enter the following code, shown on the right (for testing purposes), and click the “Publish” button. This runbook outputs the body of the POST request it received.

param
(
    [Parameter (Mandatory = $false)]
    [object] $WebhookData
)

# If the runbook was called from a webhook, WebhookData will not be null.
if ($WebhookData) {
    # Write-Output "WebhookData <$WebhookData>"
    # RequestBody is the raw JSON that Event Grid sent in the HTTP POST.
    $WebhookDataRequestBody = $WebhookData.RequestBody
    Write-Output $WebhookDataRequestBody
}
else
{
    # Error: the runbook was started without webhook input.
    Write-Error "No input data found."
}
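As an added example that is not the post's own code, the runbook below parses the Event Grid request body instead of only printing it. It relies on the Key Vault Event Grid schema (eventType values such as Microsoft.KeyVault.SecretNearExpiry and the data fields VaultName, ObjectType, ObjectName, Version and EXP); the vault, secret and version names in the constructed sample body are placeholders, and the sample fallback exists only for a local dry run.

```powershell
param(
    [Parameter(Mandatory = $false)]
    [object] $WebhookData
)

# Summarise Key Vault events delivered by Event Grid. The POST body is a JSON
# array of events; each event carries eventType and a data block with VaultName,
# ObjectType, ObjectName, Version, NBF and EXP (Unix epoch seconds).
function Get-KeyVaultEventSummary {
    param([Parameter(Mandatory = $true)][string] $RequestBody)
    $events = $RequestBody | ConvertFrom-Json
    foreach ($e in $events) {            # foreach handles one object or an array
        $d = $e.data
        $daysLeft = $null
        if ($d.EXP) {
            $exp = [DateTimeOffset]::FromUnixTimeSeconds([long]$d.EXP).UtcDateTime
            $daysLeft = [math]::Floor(($exp - [DateTime]::UtcNow).TotalDays)
        }
        [pscustomobject]@{
            EventType  = $e.eventType
            Vault      = $d.VaultName
            ObjectType = $d.ObjectType
            ObjectName = $d.ObjectName
            Version    = $d.Version
            DaysLeft   = $daysLeft
        }
    }
}

# Constructed sample body (placeholder vault, secret and version) for a local dry run
# when the script is not started by the webhook; a near-expiry event 20 days out.
$sampleExp  = [DateTimeOffset]::UtcNow.AddDays(20).ToUnixTimeSeconds()
$sampleBody = @"
[{"eventType":"Microsoft.KeyVault.SecretNearExpiry","data":{"VaultName":"kv-placeholder",
  "ObjectType":"Secret","ObjectName":"db-password","Version":"version-placeholder","EXP":$sampleExp}}]
"@

if ($WebhookData) { $body = $WebhookData.RequestBody }
else { Write-Warning "No webhook data; running against the constructed sample body."; $body = $sampleBody }

foreach ($s in Get-KeyVaultEventSummary -RequestBody $body) {
    # Treat the payload as data only: log and route it, do not execute anything taken from it.
    switch -Wildcard ($s.EventType) {
        'Microsoft.KeyVault.*NearExpiry'        { Write-Warning ("{0}/{1} ({2}) expires in {3} day(s)" -f $s.Vault, $s.ObjectName, $s.ObjectType, $s.DaysLeft) }
        'Microsoft.KeyVault.*Expired'           { Write-Error   ("{0}/{1} ({2}) has expired" -f $s.Vault, $s.ObjectName, $s.ObjectType) }
        'Microsoft.KeyVault.*NewVersionCreated' { Write-Output  ("{0}/{1} ({2}) has new version {3}" -f $s.Vault, $s.ObjectName, $s.ObjectType, $s.Version) }
        default                                 { Write-Output  ("Unhandled event type {0}" -f $s.EventType) }
    }
}
```

In the published runbook you can drop the sample fallback and return the original Write-Error branch, so that a job started without webhook data fails visibly.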

Step 2: Create a Runbook and Webhook

To start, the difference between an API and a webhook is that a webhook is one-way communication. Create a new webhook by entering a name and setting it to enabled. The webhook expires in a year by default, which can be changed. Copy and save the webhook URL before finishing, or you will need to create a new one, because you cannot view the URL again after clicking Apply.

7. Select “Webhooks” from the resources section of the runbook you just published

8. Click “Add Webhook”


9. Select – Create new Webhook

10. Name the webhook, set an expiration date, and copy the URL

Please note that you cannot view the URL after you create it. Make sure you copy to clipboard and save it in a secure location where you can access it for the remainder of this setup configuration.

11. Select OK, and click Create

You may need to click into the “parameters and run settings” option and select ok before the Create button will be enabled. You don’t need to enter any parameters.


Step 3: Create an Azure Event Grid Subscription

The preview feature for notification onboarding within the Azure Key Vault service is available through a specific URL; see step 1 below. When integrating with Logic Apps, the Logic App will also use this feature and create an event subscription.

1. Open the Azure Portal using the following link:

https://ms.portal.azure.com/?Microsoft_Azure_KeyVault_ShowEvents=true&Microsoft_Azure_EventGrid_publisherPreview=true

2. Go to your Key Vault and select the “Events” tab

If you cannot see the Events tab, make sure that you are using the preview version of the portal – see the link above.


Without the preview feature: no Events tab.

With the preview feature: Events tab available; multiple event subscriptions are possible.

Step 4: Testing and Validation

This test assumes that you have subscribed to the new-version notification for keys in the previous steps. It also assumes that you have the necessary privileges to create a new version of a key in a key vault.

The screenshot on the right shows the metrics for the WebHook and Logic App endpoints that we walk through in the next steps.


  1. Go to the Key Vault on the Azure Portal
  2. Create a new key for testing purposes: name the key and keep the remaining parameters at their default settings.
  3. Select the key that you have created and create a new version of the key.
  4. Now navigate to the events tab in your key vault.
  5. Click on the event grid subscription you created.
  6. Under metrics, see if an event was captured.
    • This validates that event grid successfully captured the status change of the key in your key vault.
  7. Now go back to the Runbook, and select the “Overview” Tab.
  8. Look at the Recent Jobs list and you should see that a job was created, and that the status is complete. In the Output you can see the results and specific information.
    • This validates that the webhook triggered the runbook to start executing its script.


Tip

Events are not fired for manually created new versions of certificates (only for auto-rotated ones).

Events are not fired for existing versions of certificates, keys and secrets that were created before the notification feature was enabled.

A configurable number of days for the “About to Expire” event is not yet available.

Logic App integration – E-Mail and Teams

With all the above capabilities, changes to keys, secrets and certificates can be captured automatically and used for automated rotation of near-expiry secrets and distribution of newly created secrets and certificates.

In addition, this feature can be used for alerting with a Logic App Event Grid handler, which is added to the same event subscription we saw earlier for WebHooks. Below is an example of how you can manage your Azure Key Vault objects proactively. I will use e-mail and Teams. First create a Logic App with an Event Grid step:


  1. Create a Logic App in the Azure Portal and navigate to the Logic App Designer
  2. See the video below for some of the possibilities

Logic App Designer with a parallel branch to e-mail and Teams. For e-mail I used the Office 365 Outlook connector and the Send an Email action to trigger an email notification to, for example, the owner of the Key Vault or the services department.

Now that we have defined the Event Grid trigger in the first step, let’s get into the last phase of designing the Logic App: adding the Microsoft Teams and e-mail connectors. Click Add an action, enter Microsoft Teams or Send an Email in the Search all connectors and triggers box, select the Microsoft Teams or E-Mail connector, and then we will post the message on Microsoft Teams or send the e-mail. Please note that the Microsoft Teams actions are in Preview V3 at the time of writing this article.


  1. Format the actions based on your own requirements and the text format of the message
  2. Add dynamic content from the Key Vault event that is available.
  3. Ignore fields and dynamic content you don’t understand or will not use, or that are unrelated. This example helps you see all the features; in the future Microsoft may add new possibilities.

Depending on the KeyVault events, the trigger will perform the actions and trigger the notification to Microsoft Teams and Office 365 Outlook email. The screenshots of the results are shown below. 

You can see that there are a lot of possibilities with Azure Logic Apps that can help to automate many repetitive actions in critical environments and applications, and create automated flows that help the business with continuity.

Conclusion

As a result, notifications in Azure Key Vault can send you events and give you insight into status changes. Therefore, if you are using custom scripts or other tools to look for status changes of secrets and near-expiry certificates located in Azure Key Vaults, you can now easily migrate them to the new notification feature. Using a combination of the new feature with Automation and Logic Apps, you can achieve an automated process.

Even more so for an operations department with continuous digital innovation: the best approach is to make sure an incident does not happen rather than having to resolve it afterwards. Be proactive, not reactive, for all critical business services that use Key Vault objects!