Automatically Invalidate Azure Key Vault Secrets
The Arcus.BackgroundJobs.KeyVault library provides a background job to automatically invalidate cached Azure Key Vault secrets from an ICachedSecretProvider instance of your choice.
How does it work?
This automation works by subscribing on the SecretNewVersionCreated event of an Azure Key Vault resource and placing those events on a Azure Service Bus Topic; which we process in our background job.
To make this automation operational, following Azure Resources has to be used:
- Azure Key Vault instance
- Azure Service Bus Topic
- Azure Event Grid subscription for
SecretNewVersionCreatedevents that are sent to the Azure Service Bus Topic
Usage
Our background job has to be configured in ConfigureServices method:
using Arcus.Security.Core;
using Arcus.Security.Core.Caching;
using Microsoft.Extensions.DependencyInjection;
public class Startup
{
public void ConfigureServices(IServiceCollection services)
{
// An 'ISecretProvider' implementation (see: https://security.arcus-azure.net/) to access the Azure Service Bus Topic resource;
// this will get the 'serviceBusTopicConnectionStringSecretKey' string (configured below) and has to retrieve the connection string for the topic.
services.AddSingleton<ISecretProvider>(serviceProvider => ...);
// An `ICachedSecretProvider` implementation which secret keys will automatically be invalidated.
services.AddSingleton<ICachedSecretProvider>(serviceProvider => new CachedSecretProvider(mySecretProvider));
services.AddAutoInvalidateKeyVaultSecretBackgroundJob(
// Prefix of the Azure Service Bus Topic subscription;
// this allows the background jobs to support applications that are running multiple instances, processing the same type of events, without conflicting subscription names.
subscriptionNamePrefix: "MyPrefix"
// Connection string secret key to a Azure Service Bus Topic.
serviceBusTopicConnectionStringSecretKey: "MySecretKeyToServiceBusTopicConnectionString");
}
}