The External Secrets Inc. Audit & Compliance product suite is a premium product. It requires a specific subscription. Contact us for more information.

Azure Key Vault Provider

The Audit Listener can be configured to receive audit logs from Azure Key Vault by using an Event Hub as the event source and a Storage Account for checkpointing consumed events. The architecture diagram (light and dark variants on the original page) shows the flow: Key Vault diagnostic logs are streamed to the Event Hub, the Listener consumes them, and it records how far it has read as checkpoints in a container of the Storage Account.

Required Permissions

To set up the Listener, assign the following roles to the Audit Listener's service principal or managed identity:
  • Reader role on the Key Vault resource.
  • Storage Blob Data Contributor role on the Storage Account used for checkpoints.
  • Azure Event Hubs Data Receiver role on the designated Event Hub.
The Key Vault role lets the Listener identify the vault it is tracking and attribute audited secret operations to it. Reader is a control-plane role: it grants no access to secret values, and the Listener needs none, because it reads the audit stream rather than the secrets themselves.

Configuring the Provider

The authentication method the provider uses is configured when the Listener is installed, so decide on it before running the installation.

Supported Authentication Methods

The Audit Listener supports the following Azure authentication methods:
  • [Recommended] Managed Identity (System Assigned or User Assigned): no credential to store or rotate.
  • Service Principal with Client Credentials: a client secret or certificate that must be protected and rotated.
  • [Not recommended] Event Hub and Storage Account connection strings: these embed long-lived shared access keys that grant access to anyone holding them.

Creating a new Provider

After completing the listener setup, you can create a new provider.
  1. Navigate to the Dashboard.
  2. Add a new provider:
  • Select Key Vault as the provider type.
  • Specify the fields based on your installation:
  • EventHubNamespaceHost: The Event Hub namespace host (the fully qualified namespace name).
  • EventHubName: Name of the Event Hub instance that receives the Key Vault logs.
  • StorageAccount: Storage account used for checkpointing.
  • StorageContainerName: Container inside the Storage Account where the Listener stores its checkpoints.

Setting Up Azure

The final step is to configure the Azure resources:
  • Create a Key Vault to store secrets.
  • Create an Event Hub to receive Key Vault logs.
  • Create a Storage Account to store the checkpoint of consumed events.
  • Enable Diagnostic Logs on the Key Vault to stream the AuditEvent category to the Event Hub.
  • Assign the required roles to the Listener's identity so it can receive events and write checkpoints.

Creating a Key Vault, Event Hub and Storage Account

terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 4.0" # resource_provider_registrations below exists only in the 4.x provider
    }
    azuread = {
      source  = "hashicorp/azuread"
      version = "~> 3.0"
    }
  }
}

# Configure the Microsoft Azure Provider
provider "azurerm" {
  resource_provider_registrations = "none" # Only needed when the identity running Terraform cannot register Azure Resource Providers.
  features {}
}

provider "azuread" {}

data "azurerm_client_config" "current" {}

# Create a resource group
resource "azurerm_resource_group" "rg" {
  name     = "your-resource-group"
  location = "your-location"
}

resource "azurerm_key_vault" "keyvault" {
  name                = "your-keyvault"
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
  tenant_id           = data.azurerm_client_config.current.tenant_id
  sku_name            = "standard"

  # Authorize data-plane access with Azure RBAC instead of access policies, so each
  # audit record carries isRbacAuthorized = true and the appliedAssignmentId that allowed it.
  rbac_authorization_enabled = true
}

resource "azurerm_eventhub_namespace" "namespace" {
  name                = "your-eventhub-ns" # letters, digits and hyphens only
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
  sku                 = "Standard"
}

resource "azurerm_eventhub" "eventhub" {
  name                = "your-eventhub"
  namespace_name      = azurerm_eventhub_namespace.namespace.name
  resource_group_name = azurerm_resource_group.rg.name # required alongside namespace_name
  partition_count     = 2
  message_retention   = 7 # days; the maximum for the Standard SKU
}

resource "azurerm_storage_account" "storage" {
  name                            = "yourstorageaccount" # 3-24 lowercase letters and digits only
  resource_group_name             = azurerm_resource_group.rg.name
  location                        = azurerm_resource_group.rg.location
  account_tier                    = "Standard"
  account_replication_type        = "RAGRS"
  account_kind                    = "BlobStorage"
  min_tls_version                 = "TLS1_2"
  allow_nested_items_to_be_public = false
}

resource "azurerm_storage_container" "container" {
  name                  = "your-container"
  storage_account_name  = azurerm_storage_account.storage.name
  container_access_type = "private" # the default; checkpoints must never be anonymously readable
}

Enabling Audit Logging for Azure Key Vault

# Azure Monitor publishes to the Event Hub through a namespace authorization rule.
# Streaming diagnostics to Event Hubs requires a rule with Manage, Send and Listen rights;
# a dedicated rule keeps the namespace's RootManageSharedAccessKey out of this configuration
# and can be rotated independently.
resource "azurerm_eventhub_namespace_authorization_rule" "diagnostics" {
  name                = "keyvault-diagnostics"
  namespace_name      = azurerm_eventhub_namespace.namespace.name
  resource_group_name = azurerm_resource_group.rg.name
  listen              = true
  send                = true
  manage              = true
}

resource "azurerm_monitor_diagnostic_setting" "keyvault_logs" {
  name               = "your-diagnostic-settings"
  target_resource_id = azurerm_key_vault.keyvault.id

  # The destination is the Event Hub the Listener consumes. A storage_account_id destination
  # would only archive the logs as blobs, which the Listener does not read.
  eventhub_name                  = azurerm_eventhub.eventhub.name
  eventhub_authorization_rule_id = azurerm_eventhub_namespace_authorization_rule.diagnostics.id

  # AuditEvent is the category that records every data-plane request against the vault.
  enabled_log {
    category = "AuditEvent"
  }

  metric {
    category = "AllMetrics"
  }
}

Assigning Permissions

data "azuread_client_config" "current" {}

# Identity the Audit Listener authenticates as. A managed identity is the recommended
# option; a service principal is shown here for the Client Credentials method, and the
# same three role assignments apply to a managed identity's principal_id.
resource "azuread_application" "listener" {
  display_name = "audit-listener"
  owners       = [data.azuread_client_config.current.object_id]
}

resource "azuread_service_principal" "sp" {
  client_id = azuread_application.listener.client_id
  owners    = [data.azuread_client_config.current.object_id]
}

# Control-plane read on the vault only. The Listener consumes audit logs and never
# reads secret values, so a data-plane role such as Key Vault Secrets User would be excessive.
resource "azurerm_role_assignment" "kv_reader" {
  principal_id                     = azuread_service_principal.sp.object_id
  role_definition_name             = "Reader"
  scope                            = azurerm_key_vault.keyvault.id
  skip_service_principal_aad_check = true # the principal is created in this same apply
}

# Read and write checkpoint blobs in the Storage Account.
resource "azurerm_role_assignment" "storage_blob_contributor" {
  principal_id                     = azuread_service_principal.sp.object_id
  role_definition_name             = "Storage Blob Data Contributor"
  scope                            = azurerm_storage_account.storage.id
  skip_service_principal_aad_check = true
}

# Receive scoped to the single Event Hub rather than the whole namespace.
resource "azurerm_role_assignment" "eventhub_receiver" {
  principal_id                     = azuread_service_principal.sp.object_id
  role_definition_name             = "Azure Event Hubs Data Receiver"
  scope                            = azurerm_eventhub.eventhub.id
  skip_service_principal_aad_check = true
}

Key Vault Audit Events (Event Hub Format)

Secret Set Event

{
    "records": [
        {
            "time": "2025-03-11T18:44:31Z",
            "category": "AuditEvent",
            "operationName": "SecretSet",
            "resultType": "Success",
            "correlationId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
            "callerIpAddress": "192.0.2.1",
            "identity": {
                "claim": {
                    "oid": "00000000-0000-0000-0000-000000000000",
                    "appid": "11111111-1111-1111-1111-111111111111",
                    "scp": "user_impersonation",
                    "appidacr": "0",
                    "xms_az_nwperimid": [],
                    "upn": "user@example.com",
                    "idtyp": "user",
                    "ipaddr": "192.0.2.1",
                    "unique_name": "user@example.com",
                    "amr": "pwd"
                }
            },
            "properties": {
                "id": "https://vault-name.vault.azure.net/secrets/secret-name-2",
                "clientInfo": "SampleUserAgent/1.0",
                "httpStatusCode": 200,
                "requestUri": "https://vault-name.vault.azure.net/secrets/secret-name-2?api-version=7.4",
                "isRbacAuthorized": true,
                "appliedAssignmentId": "role-assignment-id",
                "secretProperties": {
                    "attributes": {
                        "enabled": true
                    }
                },
                "tlsVersion": "TLS1_3"
            },
            "resourceId": "/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000/RESOURCEGROUPS/example-rg/PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/vault-name",
            "operationVersion": "7.4",
            "resultSignature": "OK",
            "durationMs": "342"
        }
    ]
}

Secret Get Event

{
    "records": [
        {
            "time": "2025-03-11T18:44:49Z",
            "category": "AuditEvent",
            "operationName": "SecretGet",
            "resultType": "Success",
            "correlationId": "zzzzzzzz-zzzz-zzzz-zzzz-zzzzzzzzzzzz",
            "callerIpAddress": "192.0.2.1",
            "identity": {
                "claim": {
                    "oid": "00000000-0000-0000-0000-000000000000",
                    "appid": "11111111-1111-1111-1111-111111111111",
                    "scp": "user_impersonation",
                    "appidacr": "0",
                    "xms_az_nwperimid": [],
                    "upn": "user@example.com",
                    "idtyp": "user",
                    "ipaddr": "192.0.2.1",
                    "unique_name": "user@example.com",
                    "amr": "pwd"
                }
            },
            "properties": {
                "id": "https://vault-name.vault.azure.net/secrets/secret-name-1/version-id",
                "clientInfo": "SampleUserAgent/1.0",
                "httpStatusCode": 200,
                "requestUri": "https://vault-name.vault.azure.net/secrets/secret-name-1/version-id?api-version=7.6-preview.1",
                "isRbacAuthorized": true,
                "appliedAssignmentId": "role-assignment-id",
                "tlsVersion": "TLS1_3"
            },
            "resourceId": "/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000/RESOURCEGROUPS/example-rg/PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/vault-name",
            "operationVersion": "7.6-preview.1",
            "resultSignature": "OK",
            "durationMs": "147"
        }
    ]
}

Secret Delete Event

{
  "records": [
      {
          "time": "2025-03-11T18:45:03Z",
          "category": "AuditEvent",
          "operationName": "SecretDelete",
          "resultType": "Success",
          "correlationId": "yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy",
          "callerIpAddress": "192.0.2.1",
          "identity": {
              "claim": {
                  "oid": "00000000-0000-0000-0000-000000000000",
                  "appid": "11111111-1111-1111-1111-111111111111",
                  "scp": "user_impersonation",
                  "appidacr": "0",
                  "xms_az_nwperimid": [],
                  "upn": "user@example.com",
                  "idtyp": "user",
                  "ipaddr": "192.0.2.1",
                  "unique_name": "user@example.com",
                  "amr": "pwd"
              }
          },
          "properties": {
              "id": "https://vault-name.vault.azure.net/secrets/secret-name-1",
              "clientInfo": "SampleUserAgent/1.0",
              "httpStatusCode": 200,
              "requestUri": "https://vault-name.vault.azure.net/secrets/secret-name-1?api-version=7.6-preview.1",
              "isRbacAuthorized": true,
              "appliedAssignmentId": "role-assignment-id",
              "tlsVersion": "TLS1_3"
          },
          "resourceId": "/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000/RESOURCEGROUPS/example-rg/PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/vault-name",
          "operationVersion": "7.6-preview.1",
          "resultSignature": "OK",
          "durationMs": "78"
      }
  ]
}
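The three samples above share one shape: each Event Hub message body is a JSON object whose "records" array holds one or more audit records, with the caller under identity.claim and the request details under properties. The following is an added example, not code from the External Secrets Inc. Listener or its documentation, showing how a consumer would parse such a batch and triage the records. Field names follow the samples on this page; the batch it processes (the page's SecretGet sample trimmed to the fields used, plus invented records) and the trusted-network allow-list are constructed for illustration.

```python
"""Triage Key Vault AuditEvent records as delivered through Event Hub.
Added example, not part of the External Secrets Inc. Listener. The batch
and the TRUSTED_NETWORKS allow-list below are constructed for illustration."""
import ipaddress
import json
from dataclasses import dataclass
from typing import Iterable, List

# Operations that read, write or destroy secret material.
SENSITIVE_OPS = {"SecretGet", "SecretSet", "SecretDelete", "SecretPurge", "SecretRecover"}

# Constructed: networks from which secret access is expected (e.g. cluster egress range).
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]


@dataclass
class AuditRecord:
    time: str
    operation: str       # operationName, e.g. SecretGet
    result: str          # resultType, "Success" or "Failure"
    status: int          # properties.httpStatusCode
    caller_ip: str       # callerIpAddress
    principal: str       # upn for users, appid for workloads, oid as a fallback
    principal_type: str  # the idtyp claim: "user" or "app"
    secret_id: str       # properties.id, the secret URL
    rbac: bool           # isRbacAuthorized; False means an access policy granted the request
    tls: str             # properties.tlsVersion


def parse_batch(body: str) -> List[AuditRecord]:
    """One message carries a 'records' array; keep only the AuditEvent category."""
    records = []
    for rec in json.loads(body).get("records", []):
        if rec.get("category") != "AuditEvent":
            continue
        claim = rec.get("identity", {}).get("claim", {})
        props = rec.get("properties", {})
        records.append(AuditRecord(
            time=rec.get("time", ""),
            operation=rec.get("operationName", ""),
            result=rec.get("resultType", ""),
            status=int(props.get("httpStatusCode", 0)),
            caller_ip=rec.get("callerIpAddress", ""),
            principal=claim.get("upn") or claim.get("appid") or claim.get("oid") or "unknown",
            principal_type=claim.get("idtyp", "unknown"),
            secret_id=props.get("id", ""),
            rbac=bool(props.get("isRbacAuthorized", False)),
            tls=props.get("tlsVersion", ""),
        ))
    return records


def trusted_source(ip_text: str) -> bool:
    """A missing or malformed address is treated as untrusted, never silently accepted."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_NETWORKS)


def findings(records: Iterable[AuditRecord]) -> List[str]:
    """Return one line per condition an analyst should review, in record order."""
    out = []
    for r in records:
        if r.operation not in SENSITIVE_OPS:
            continue
        what = f"{r.operation} {r.secret_id} by {r.principal} ({r.principal_type}) at {r.time}"
        if not trusted_source(r.caller_ip):
            out.append(f"untrusted source {r.caller_ip or '<none>'}: {what}")
        if r.result != "Success":
            out.append(f"{r.result} HTTP {r.status}: {what}")  # denied or failed request
        if not r.rbac:
            out.append(f"authorized by access policy, not RBAC: {what}")
        if r.tls in ("TLS1_0", "TLS1_1"):
            out.append(f"legacy {r.tls}: {what}")
        if r.operation in ("SecretDelete", "SecretPurge") and r.principal_type == "user":
            out.append(f"interactive destructive operation: {what}")
    return out


# Constructed batch: the first record is this page's SecretGet sample trimmed to the fields
# used here; the others are invented to exercise each check.
SAMPLE_BATCH = json.dumps({"records": [
    {"time": "2025-03-11T18:44:49Z", "category": "AuditEvent", "operationName": "SecretGet",
     "resultType": "Success", "callerIpAddress": "192.0.2.1",
     "identity": {"claim": {"oid": "00000000-0000-0000-0000-000000000000", "upn": "user@example.com", "idtyp": "user"}},
     "properties": {"id": "https://vault-name.vault.azure.net/secrets/secret-name-1/version-id",
                    "httpStatusCode": 200, "isRbacAuthorized": True, "tlsVersion": "TLS1_3"}},
    {"time": "2025-03-11T18:50:00Z", "category": "AuditEvent", "operationName": "SecretGet",
     "resultType": "Failure", "callerIpAddress": "10.1.2.3",
     "identity": {"claim": {"oid": "22222222-2222-2222-2222-222222222222", "appid": "33333333-3333-3333-3333-333333333333", "idtyp": "app"}},
     "properties": {"id": "https://vault-name.vault.azure.net/secrets/db-password",
                    "httpStatusCode": 403, "isRbacAuthorized": True, "tlsVersion": "TLS1_2"}},
    {"time": "2025-03-11T18:51:00Z", "category": "AuditEvent", "operationName": "SecretList",
     "resultType": "Success", "callerIpAddress": "203.0.113.9",
     "identity": {"claim": {"upn": "user@example.com", "idtyp": "user"}},
     "properties": {"id": "https://vault-name.vault.azure.net/secrets", "httpStatusCode": 200,
                    "isRbacAuthorized": True, "tlsVersion": "TLS1_3"}},
    {"time": "2025-03-11T18:52:00Z", "category": "AuditEvent", "operationName": "SecretDelete",
     "resultType": "Success", "callerIpAddress": "10.1.2.3",
     "identity": {"claim": {"upn": "user@example.com", "idtyp": "user"}},
     "properties": {"id": "https://vault-name.vault.azure.net/secrets/db-password",
                    "httpStatusCode": 200, "isRbacAuthorized": False, "tlsVersion": "TLS1_3"}},
    {"time": "2025-03-11T18:53:00Z", "category": "AzurePolicyEvaluationDetails", "operationName": "PolicyEvaluation"},
]})

if __name__ == "__main__":
    for line in findings(parse_batch(SAMPLE_BATCH)):
        print(line)
```

Run against the constructed batch this reports four findings: the page's SecretGet from 192.0.2.1 (outside the allow-list), a 403 on a SecretGet by a workload identity, and two for the SecretDelete (granted by an access policy rather than RBAC, and performed by an interactive user). The SecretList record is parsed but not flagged, and the non-AuditEvent record is dropped at parse time. Because Event Hub delivers at least once, a real consumer should treat the (partitionId, sequenceNumber) of each message as the deduplication key when it replays from a checkpoint.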