Azure Storage Account Shared Access Signature (SAS) Token Expiring Alert Solution

Create a simple alert solution for a shared access signature (SAS) token in an Azure storage account. This solution uses a Key Vault to manage the Alert as the Storage Account does not offer an option to alert for SAS expiration due to the design of the product. We will then use several Events that are available in Key Vault to send an email alert to a user or distribution group.

An example of a SAS Token for accessing a Storage Account:

  • sv=2022-11-02&ss=bf&srt=sco&sp=rwdlaciyx&se=2024-03-01T02:00:00Z&st=2024-02-09T18:44:32Z&spr=https&sig=3bRdnoOoCcZVXZ6X2a8IUaKrDFJnSDrkJQcRZuvbFto%3D

We will assume you already have the SAS token and know the expiration date of the token. We will show you how to create the Key Vault and then setup the Action Group for alerting. We will also add the SAS token as a Secret within the vault. Then we will setup monitoring of certain Events related to expiration date for the Secret you created.

This involves using the Secrets store and the following Events that are available in the Key Vault:

  • Microsoft.KeyVault.SecretNearExpiry
  • Microsoft.KeyVault.SecretExpired

Note

SecretNearExpiry is triggered when the current version of a secret is about to expire (the event is triggered 30 days before the expiration date). SecretExpired is triggered when the current version of a secret has expired.

Reference: Azure Key Vault as Event Grid source

Table of Contents

Create the Azure Key Vault
Create an Action Group in Azure Monitor
Create Event Subscription for Secret Near Expiry Event
Create Event Subscription for Secret Expired
Create the Secret in the Key Vault
Email Examples for Secret Expiry and Secret Expired

Create the Azure Key Vault

I would recommend creating a new Key Vault for managing these Alerts. The cost is minimal and can be kept in a central management subscription that other applications or workloads could use.

First, search for "Key Vault" in the Azure Portal and then open the Key Vault interface.

Choose + Create

Fill in the Basic information about the vault. I am keeping the default settings for Days to retain deleted vaults and Purge protection, as well as the Standard pricing tier. Choose Next

For Access Configuration, use the default settings. You do not need to check any of the boxes for Resource access. Choose Next

For Networking, adjust the settings based on the security requirements of your organization. As an example, most of the customers I work with require private endpoints for any Azure resource. Because we are using the Key Vault as a self-contained repository, access to it other than from the Azure portal is not required. If you wanted to scale this solution or automate the entry of the Secret into the Key Vault, then you would need to consider how the Key Vault is accessed.

Review all of the configuration settings and then click Create

The Key Vault should now be created and deployed, and you should be able to access it. Keep in mind that in order to enter a Secret into the vault you will need the proper permissions. Owner of the Key Vault is not sufficient to create or manage secrets. One of the following roles is needed to create or manage Secrets directly:

  • Key Vault Administrator
  • Key Vault Secrets Officer

Create an Action Group in Azure Monitor

You or your organization may already have Action Groups set up in Azure Monitor. If not, we will create one now to send the email alert to when the Events fire.

First, search for "Azure Monitor" in the Azure Portal and then open the Azure Monitor interface. In the Azure Monitor interface choose Alerts in the left navigation menu. Then choose Action Groups in the upper menu.

In the Action Group menu, choose + Create

In the Create action group form, fill in the basic information. Region should be kept as Global. Keep in mind that the Display Name has a 12 character limit.

Choose Next

For Notifications, choose Email/SMS message/Push/Voice. Give it a name like "Notify me by email."

Click the Edit button

For this example I am going to send an email to myself. You can choose any type of notification that makes sense for you and your organization. Once you have chosen the notification type and settings, choose "Yes" for Enable the common alert schema.

Click OK

Review all of the configuration settings and then click Create

Create Event Subscription for Secret Near Expiry Event

We are going to create two different event subscriptions. The first will fire when the SecretNearExpiry event is raised and the second when the SecretExpired event is raised. When these events fire, an email will be sent to a user or distribution group. In this example I will be sending an email to myself.

Go to the Key Vault created earlier and click on the Events in the left navigation menu.

Choose + Event Subscription

Enter a name for the Event Subscription. Choose the Event Schema. Create or choose a System Topic Name.

  • Event Subscription: "SAS-Token-Expiring" (You can choose whatever name you like here. Be aware this will be part of the email sent for the alert so consider that when naming)
  • Event Schema: Cloud Event Schema v1.0
  • System Topic: "sas-topic-kv" (This can be anything you want. Just create a topic that makes sense here or follows your organization guidelines.)

By default all 9 Event Types will be selected

For this Event we will choose Secret Near Expiry only.

For the Endpoint Type we will choose Azure Monitor Alert

We then need to configure the endpoint. Click on the Configure an endpoint link.

In the Select Monitor Alert Configuration form that opens, for Alert Severity choose Sev 1 (Error). (You can choose what you want here, but this made the most sense for me when creating this alert.)

Check the box for Select action groups. Then choose the Action Group you created earlier, or choose one that already exists that you want to send the alert to.

Create an Alert description. Consider that this description will be in the email sent when the alert fires. If you are using email rules or some other type of automation, you may want to key off of this description.

Here is what I used:

  • A SAS Token will expire in the next 30 days. Please review.

Click Confirm Selection button to finish configuring the endpoint.

We will now come back to the Basics section for the Event and can click the Create button, as all the sections should be shown as filled out. We will not use any of the other sections, such as Filters, Additional Features, Delivery Properties, or Advanced Editor.

We now have a working Event Subscription

Create Event Subscription for Secret Expired

We will now create a second event for when the Secret is Expired. In this case, I am going to only call out the differences needed for this Event Subscription.

Give the Event a name, choose the Schema, and then reuse the System Topic Name from above

  • Event Name: SAS-Token-Expired
  • Event Schema: Cloud Event Schema v1.0

For the Event Type we will choose Secret Expired

When setting up the Azure Monitor endpoint configuration make the following changes:

  • Alert severity: Sev 0 (Critical)
  • Check Select action groups: Choose the action group from above or the relevant group for your organization
  • Alert description: A SAS Token has EXPIRED! Please ACT NOW!

Create the Secret in the Key Vault

In the Key Vault, choose Secrets in the left navigation

Click + Generate/Import

In the Create a secret form we will fill out all the basic information related to the SAS Token. What I used is listed below. Two items of note: first, you can store the SAS Token in the Secret value field, but this is not required; you can technically put any value you want in this field. Second, when you set the expiration date, pay close attention to the year. The date box will choose a date 2 years into the future by default. Most SAS Token scenarios will be for 2 years, so be sure to choose the correct year for the expiration.

  • Upload options: Manual
  • Name: SAS-Token-Petetoso-Corp
  • Secret value: sv=2022-11-02&ss=bf&srt=sco&sp=rwdlaciyx&se=2024-03-01T02:00:00Z&st=2024-02-09T18:44:32Z&spr=https&sig=3bRdnoOoCcZVXZ6X2a8IUaKrDFJnSDrkJQcRZuvbFto%3D
  • Set expiration date: Checked
  • Expiration date: 02/28/2024 06:00:00 PM
  • Enabled: Yes
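
The expiration date typed into the form must match the `se=` parameter of the token, and the guide warns that the year is easy to get wrong. The following Python script is an added example (not code from this repository) that parses a SAS token with the standard library, extracts the expiry, formats it the way the `--expires` flag of `az keyvault secret set` expects (UTC, `Y-m-dTH:M:SZ`), and classifies the token against the same 30-day window that drives the SecretNearExpiry and SecretExpired events. The sample token is the one shown earlier on this page; the `NEAR_EXPIRY_WINDOW` constant and the `expiry_status` labels are this example's own, chosen to mirror the two Key Vault event names.

```python
"""Derive Key Vault secret expiry data from a Storage Account SAS token.

Added example for this guide, not part of the original repository.
"""
from __future__ import annotations

from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs

# Key Vault raises SecretNearExpiry 30 days before a secret's expiration date
# (per the guide's Note); this constant reproduces that window locally.
NEAR_EXPIRY_WINDOW = timedelta(days=30)

# Constructed sample: the same token the guide shows (long since expired).
SAMPLE_SAS = (
    "sv=2022-11-02&ss=bf&srt=sco&sp=rwdlaciyx"
    "&se=2024-03-01T02:00:00Z&st=2024-02-09T18:44:32Z&spr=https"
    "&sig=3bRdnoOoCcZVXZ6X2a8IUaKrDFJnSDrkJQcRZuvbFto%3D"
)


def parse_sas(token: str) -> dict[str, str]:
    """Split a SAS token (with or without a leading '?') into its parameters."""
    fields = parse_qs(token.lstrip("?"), strict_parsing=True)
    # Each SAS parameter occurs once, so collapse parse_qs's single-item lists.
    # parse_qs also percent-decodes, so 'sig' ends in '=' rather than '%3D'.
    return {key: values[0] for key, values in fields.items()}


def _parse_sas_time(value: str) -> datetime:
    """SAS times are ISO 8601 in UTC; 'se'/'st' may omit seconds or the time."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%d"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised SAS time format: {value!r}")


def sas_expiry(token: str) -> datetime:
    """Return the token's expiry ('se') as a timezone-aware UTC datetime."""
    params = parse_sas(token)
    if "se" not in params:
        raise ValueError("SAS token has no 'se' (expiry) parameter")
    return _parse_sas_time(params["se"])


def keyvault_expires_arg(token: str) -> str:
    """Expiry formatted for 'az keyvault secret set --expires' (UTC, Y-m-dTH:M:SZ)."""
    return sas_expiry(token).strftime("%Y-%m-%dT%H:%M:%SZ")


def expiry_status(token: str, now: datetime | str | None = None) -> tuple[str, int]:
    """Classify the token the way Key Vault's two events would.

    Returns (status, whole days remaining); days go negative once expired.
    'now' may be a datetime, an ISO 8601 UTC string, or None for the current time.
    """
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = _parse_sas_time(now)
    remaining = sas_expiry(token) - now
    if remaining <= timedelta(0):
        return "SecretExpired", remaining.days
    if remaining <= NEAR_EXPIRY_WINDOW:
        return "SecretNearExpiry", remaining.days
    return "ok", remaining.days


if __name__ == "__main__":
    print("--expires", keyvault_expires_arg(SAMPLE_SAS))
    print(expiry_status(SAMPLE_SAS, "2024-02-09T00:00:00Z"))
```

Running the script prints the exact `--expires` value to pass to the CLI (or to type into the portal's expiration field) and the status the token would have on the given date, so the year mismatch the guide warns about cannot creep in from a manually picked date.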

Then click Create to save the form

You will then be returned to the main Secrets page. Verify that you have entered the correct expiration date.

Email Examples for Secret Expiry and Secret Expired

These are examples of the emails you will receive when a Secret is near expiry or has expired. Remember that near expiry means within the next 30 days. For testing purposes, note that the emails will not fire off instantly; in my testing it can take as long as 15 minutes to receive an email. You can use certain areas to filter the emails, such as wording in the Subject or Body of the message, or feed the emails into another automation system to be further utilized.

Near Expiry

The Subject contains the term Fired, then the Severity, then Azure Monitor Alert, then the Name of the alert (SAS-TOKEN-EXPIRING), then the Key Vault it came from.

In the upper section of the body of the email are the Alert Name, Severity, name of the Key Vault, and Description.

In the lower section of the body of the email, the Event Subject and Event Type are the important components. The Event Subject lists the name of the customer this would affect, as the customer name was used in the name of the Secret.

Expired

In the upper section of the body of the email are the Alert Name, Severity, name of the Key Vault, and Description.

In the lower section of the body of the email, the Event Subject and Event Type are the important components. The Event Subject lists the name of the customer this would affect, as the customer name was used in the name of the Secret.
