Monitor Expiration Events From Azure Key Vault | Datadog

Monitor expiration events from Azure Key Vault

Author Nicholas Thomson
Author Rahul Kaukuntla

Published: November 14, 2023

For customers using Azure Key Vault—which helps them safeguard sensitive keys and secrets used by applications and services hosted on Azure—it can be challenging to determine when the resources in their Key Vault(s) are about to expire. Invalid keys and secrets can disrupt your day-to-day workflows by causing application downtime, holding up incident investigations, invalidating compliance, slowing down the development of new features, and more.

Datadog Azure Key Vault Integration now generates out-of-the-box expiration events, which alert you when credentials or secrets stored in the Key Vault (e.g., SSH keys, API keys, database passwords, etc.) are about to expire. These alerts give you advance notice so you can renew soon-expiring keys before they are no longer usable, saving you time and money by preventing expired, unmonitored resources from disrupting your application.

In this post, we’ll show you how to use this feature to monitor your Azure key expirations and missing permissions events so you can proactively refresh credentials and avoid unnecessary downtime.

Monitor expiration events

Once you’ve set up the Azure integration, Azure Key Vault expiration events will start streaming into Datadog. The credential expiration feature will generate events whenever a credential’s expiration date approaches the following thresholds: 60 days, 30 days, 15 days, and 1 day away from expiration, as well as once after expiration.

Let’s say you’re an engineer at an e-commerce application that is hosted on Azure. You’re testing a new UX feature to increase sales on an underperforming page, where you’ve noticed people abandoning purchases. While testing, you receive an alert that an API key is going to expire in one day.

Create Datadog alerts on Azure Key Vault expiration events

You store all your secrets in Azure Key Vault, including API and application keys, so you navigate to the Datadog Events Explorer to investigate further. When you filter for status:warn and source:azure, you find an event generated by Azure Key Vault about an API key that will expire in one day.

View expiration events in the Datadog Events Explorer

With this knowledge in hand, you can regenerate a new API key in the Azure Key Vault, which will prevent you from being locked out of any environments that require your API key for access (e.g., the testing environment). Now, you can once again work toward rolling out your new feature.

It should be noted that if a certificate and its associated key or secret expire at the exact same time, Datadog will record this as a single credential expiration event. The event will contain information about all of the impacted resources (certificate, key, etc.), so you can refresh each of these credentials as needed.

Additionally, the Azure Key Vault integration will generate missing permission events when you have not granted Datadog permission to access an Azure Key Vault. Every 10 days, an event notification listing out the Key Vaults for which Datadog has not been given permissions is sent out. If no changes have been made regarding relaying Key Vault permissions to Datadog in the previous 10-day cycle, the event notification won’t be sent to avoid over-alerting.

Stay ahead of outdated credentials with Azure Key Vault expiration events

The Azure Key Vault credential expiration feature ensures that all users have active credentials so that they can access the critical Azure resources they need to carry out their work without disruption. By identifying any expiring credentials, expiration events help ensure your team members don’t end up locked out of resources they need to access in order to keep your system up and running, thus helping you avoid outages and other issues.

This new feature complements Azure Key Vault, Azure Active Directory, and Datadog event monitoring by providing a centralized hub where you can monitor Azure key expiration events in the same place that you monitor workflows from across your Azure environment.

To get started, you’ll need to add permissions for the Azure Graph API in order to start monitoring the expiration of Azure App Registrations. This is because Azure App Registrations are stored in Azure Key Vault, but creating them requires Azure Active Directory, which in turn relies on the Azure Graph API. For more information, check out our documentation for Azure Key Vault and Azure Active Directory.

If you’re new to Datadog, sign up for a 14-day .