Live notifications from an Azure Keyvault to your Slack

Some things you need to know about right away: access to sensitive information, or a condition that can take your system down, such as an expired certificate. Azure Alerts are great, but they have a delay: the data first has to be ingested into your analytics workspace, and the alert rule then only runs at the frequency you configured, so there is a lag before you find out that something is going on.

In this post I will show a way to be alerted almost instantly. We will consume two types of event data from a Key Vault: the diagnostic AuditEvent records, and the events that Azure provides out of the box through Event Grid. Once consumed, we will post a message to a Slack channel about any change we want to monitor.

* Note that, at the time of writing, the Key Vault events delivered through Event Grid are in public preview.

This post assumes you already have an Event Hub (a namespace with a hub instance) and a Key Vault.

Setup

Consuming the diagnostic AuditEvent

To consume the diagnostic AuditEvent, open the Key Vault's Diagnostic settings blade and click + Add diagnostic setting. Select the AuditEvent log category, check Stream to an event hub, and select the Event Hub namespace and the hub name. Press Save.

(Screenshot: Key Vault AuditEvent setup)

Note: for the sake of this post I am using the namespace's root key (the RootManageSharedAccessKey policy), which can manage, send and listen on every hub in the namespace. In your case you will want separate, narrower policies: a producer (the diagnostic setting or the Event Grid subscription) needs a policy that can send, while the subscriber (in our case the Azure Function) only needs to listen, and that can be granted by a Listen-only policy scoped to the single hub instance. Create the policies that meet your business needs; see the Event Hubs documentation on shared access authorization for details.

Consuming the events

To consume the Event Grid events, go to the Key Vault's Events blade and click + Event Subscription. Fill in the subscription details. For Event Schema, select Event Grid Schema. Select the event types you want to monitor (for example Microsoft.KeyVault.SecretNewVersionCreated). Then pick your Event Hub as the endpoint (handler) the events are sent to.

(Screenshot: Key Vault event subscription setup)

Tying everything together

To be able to see our events, let's create an Azure Function that is triggered every time an event is pushed onto the hub instance.

The Azure Function listens on our Event Hub instance through an Event Hub trigger. Make sure to install the Event Hubs extension package from NuGet (Microsoft.Azure.WebJobs.Extensions.EventHubs for in-process C# functions).

You will need to add an App Setting named EventHubConnectionAppSetting in your function app (the name referenced by the trigger's Connection property) holding the Event Hub connection string. You can get the connection string from the Event Hub resource under Shared access policies by clicking on your policy. Treat it as a secret: it belongs in app settings, not in source control.

(Screenshot: Event Hub connection string)

Handling the AuditEvent

The AuditEvent record schema is documented by Microsoft in the Key Vault logging reference. Here's an example of the payload that is received:

Handling the other Events

The payload follows the Event Grid schema, and its data object is the Key Vault event data; both are documented by Microsoft. Here's an example:

You will need to deserialize those payloads into POCOs and then work with the typed objects. You can see an example in my sample project.
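The function described above, written out as an added example (this is not the post's sample project, and it does not reuse the author's POCOs): an in-process C# Azure Function that binds the Event Hub batch as string[], tells a diagnostic-log message ({"records": [...]}) from an Event Grid batch (a JSON array) by looking at the root token, reads only the fields it needs with System.Text.Json, and posts a one-line summary to a Slack Incoming Webhook. The hub name "keyvault-events" and the app setting "SlackWebhookUrl" are assumptions; EventHubConnectionAppSetting is the setting from the post. As a design choice, successful reads (SecretGet, VaultGet, SecretList and the like) are dropped because they are far too chatty to page on, which also absorbs the partial-name SecretGet noise the portal generates (see the Test section); failed reads are kept, since a run of denied calls is exactly what you want to hear about.

```csharp
// Added example, not the post's sample project: in-process C# Azure Function that reads each
// Event Hub message, tells a diagnostic-log batch from an Event Grid batch and posts a
// one-line summary to a Slack Incoming Webhook. Assumed: hub name "keyvault-events" and
// app setting "SlackWebhookUrl"; "EventHubConnectionAppSetting" is the setting from the post.
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Text;
using System.Text.Json;
using System.Threading.Tasks;
using Microsoft.Azure.WebJobs;
using Microsoft.Extensions.Logging;

public static class KeyVaultToSlack
{
    // One client for the host lifetime; a new HttpClient per invocation exhausts sockets.
    private static readonly HttpClient Http = new HttpClient();

    // Binding the batch as string[] keeps the code independent of the EventData type that
    // changed between SDK versions; each element is the body of one Event Hub message.
    [FunctionName("KeyVaultToSlack")]
    public static async Task Run(
        [EventHubTrigger("keyvault-events", Connection = "EventHubConnectionAppSetting")] string[] messages,
        ILogger log)
    {
        var webhook = Environment.GetEnvironmentVariable("SlackWebhookUrl"); // a credential: app setting, not code
        foreach (var body in messages)
            foreach (var line in Summarise(body))
            {
                log.LogInformation(line);
                await PostToSlack(webhook, line);
            }
    }

    // Diagnostic logs arrive as {"records":[...]}; Event Grid delivers a JSON array of events.
    // The root token is enough to tell the two apart.
    public static List<string> Summarise(string body)
    {
        var lines = new List<string>();
        using (var doc = JsonDocument.Parse(body))
        {
            var root = doc.RootElement;
            if (root.ValueKind == JsonValueKind.Array)
                foreach (var ev in root.EnumerateArray()) lines.Add(SummariseEventGrid(ev));
            else if (root.ValueKind == JsonValueKind.Object && root.TryGetProperty("records", out var records))
                foreach (var rec in records.EnumerateArray())
                {
                    var line = SummariseAuditEvent(rec);
                    if (line != null) lines.Add(line);
                }
            else
                lines.Add(":question: unrecognised payload: " + (body.Length > 200 ? body.Substring(0, 200) + "..." : body));
        }
        return lines;
    }

    // Event Grid schema: eventType plus the Key Vault "data" object (VaultName, ObjectName, Version, ...).
    private static string SummariseEventGrid(JsonElement ev)
    {
        var type = ev.GetProperty("eventType").GetString();
        var data = ev.GetProperty("data");
        var vault = data.GetProperty("VaultName").GetString();
        var name = data.GetProperty("ObjectName").GetString();
        var version = data.TryGetProperty("Version", out var v) ? v.GetString() : "";
        return $":rotating_light: *{type}* on vault `{vault}`: `{name}` version `{version}`";
    }

    // AuditEvent record: operationName, resultType, callerIpAddress, identity.claim, properties.id.
    // Successful reads (SecretGet, VaultGet, SecretList, ...) are dropped as too chatty to page on;
    // failed reads are kept, because a run of denied calls is exactly what you want to see.
    private static string SummariseAuditEvent(JsonElement rec)
    {
        var op = rec.GetProperty("operationName").GetString() ?? "";
        var result = rec.TryGetProperty("resultType", out var r) ? r.GetString() : "?";
        bool isRead = op.EndsWith("Get", StringComparison.OrdinalIgnoreCase) || op.IndexOf("List", StringComparison.OrdinalIgnoreCase) >= 0;
        if (isRead && string.Equals(result, "Success", StringComparison.OrdinalIgnoreCase)) return null;
        var ip = rec.TryGetProperty("callerIpAddress", out var i) ? i.GetString() : "?";
        var target = rec.TryGetProperty("properties", out var p) && p.TryGetProperty("id", out var id) ? id.GetString() : "";
        return $":mag: *{op}* {result} by `{Caller(rec)}` from `{ip}` {target}";
    }

    // identity.claim holds the caller's token claims: prefer the UPN claim, then the app id.
    private static string Caller(JsonElement rec)
    {
        if (rec.TryGetProperty("identity", out var idn) && idn.TryGetProperty("claim", out var claim))
        {
            if (claim.TryGetProperty("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", out var upn)) return upn.GetString();
            if (claim.TryGetProperty("appid", out var appid)) return "app " + appid.GetString();
        }
        return "unknown";
    }

    private static async Task PostToSlack(string webhook, string text)
    {
        if (string.IsNullOrEmpty(webhook)) return;
        using (var content = new StringContent(JsonSerializer.Serialize(new { text }), Encoding.UTF8, "application/json"))
        {
            var resp = await Http.PostAsync(webhook, content);
            resp.EnsureSuccessStatusCode(); // throw so a Slack failure is logged instead of silently dropped
        }
    }
}
```

Two things to keep in mind when adapting it. The read/write split is a naming heuristic on operationName, so check it against the operations listed in the Key Vault logging reference for the object types you care about and replace it with an explicit allow-list if your alerting needs are precise. And although audit records never carry secret values (only the object identifier under properties.id), they do carry the caller's identity and IP address, so the Slack channel receiving them should be as restricted as the vault's access policy.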

Test

To keep the demo simple, I did not configure both styles of event to be sent to my hub at the same time.

So here, I'm creating a secret through the portal UI. A few seconds after the secret is created, the function receives an event payload, which is transformed and then pushed to Slack.

As you can see, it is sending the Microsoft.KeyVault.SecretNewVersionCreated event:

(Screenshot: event payload)

Here’s the final output in Slack.

(Screenshot: Slack event output)

Now for the AuditEvent: I go and read the secret I just created. As you will see, it sends a lot of records, from VaultGet to SecretList and so on.

(Screenshot: AuditEvent payload)

Here’s the final output in Slack.

(Screenshot: Slack AuditEvent output)

Something to note, which you may have noticed while testing: when you create a secret in the portal, the portal queries your Key Vault to check whether the name already exists, using debouncing on the UI side (it waits until you have stopped typing for a predetermined amount of time before sending the name). This is why your function may receive many SecretGet audit records containing partial secret names. Filter those out in the function, or alert only on the operations you care about, or the channel will fill with noise.

Conclusion

As you can see, you can easily push Key Vault event payloads into Slack for quick notifications. Keep in mind that the channel now sees who called the vault, from which IP address, and which objects were touched, so restrict its membership accordingly.

All my code for this post is available, as mentioned above, in my GitHub repository.