My Azure Keys Vaults Secrets contains my connection string. My app only connects to my Azure Vault during the app Startup.cs and then saves the connection string in a static class for use elsewhere. I noticed a few days ago that Key Vaults Metrics was showing 2.45k hits during a 6-minute interval. Here is the Startup.cs code:

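    using System;
    using Azure.Identity;
    using Azure.Security.KeyVault.Secrets;
    using Microsoft.Extensions.Configuration;

    public class Startup
    {
        // The statements need a member to live in; the constructor is used here
        public Startup(IConfiguration config)
        {
            var SecretUri = config["SecretUri"];
            var TenantId = config["TenantId"];
            var ClientSecret = config["ClientSecret"];
            var ClientId = config["ClientId"];

            var secretclient = new SecretClient(new Uri(SecretUri), new ClientSecretCredential(TenantId, ClientId, ClientSecret));

            // One Key Vault request each time Startup is constructed
            KeyVaultSecret keyv = secretclient.GetSecret("{myconnection_secretname}");

            // Kept in a static class for the rest of the app
            SecretServices.ConnectionString = keyv.Value;
        }
    }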

From this point I use the SecretServices.ConnectionString anywhere else in the app where I need the connection string. My question is: is there any way my app can hit the vault 2000 times in a few minutes, or is something else happening?

Here is the graph from Azure Vaults Metrics Total API Hits: Azure Metrics Graph

This graph shows the sudden jump in the number of hits to the API Service.

Anna Gevel
KenNipper
  • If I am not wrong, at startup the client will download each individual secret from AKV, each one in an individual request. Do you have a lot of secrets in AKV? – Tore Nestenius Feb 11 '23 at 09:25

1 Answer

It's possible that your app is hitting the Key Vault 2000 times in a few minutes. To get confirmation on this, you can add logging to your code to see how often the SecretServices.ConnectionString is being accessed.

Thanks @Tore Nestenius for the comment.

If the Key Vault Metrics show 2.45k hits, you may want to investigate other areas of your system to see if other components are accessing the Key Vault. For example, it's possible that some background jobs or scheduled tasks are hitting the Key Vault repeatedly.

You might also want to consider reducing the frequency with which your app accesses the Key Vault by caching the connection string in memory after retrieving it on startup. That way, your app would only need to retrieve the connection string from the Key Vault once, which would reduce the number of hits to the Key Vault.

If you are having too many connections, then you can use a memory cache and set the caching to a certain time.

Memory Cache:

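    // Needs System.Runtime.Caching, System.Net.Http and Microsoft.Azure.KeyVault.
    // VaultUrl and GetAccessTokenAsync are defined elsewhere in the class;
    // the wrapper method name is illustrative.
    public async Task<string> GetCachedSecretAsync(string key)
    {
        MemoryCache memoryCache = MemoryCache.Default;
        string mCachekey = VaultUrl + "_" + key;
        if (!memoryCache.Contains(mCachekey))
        {
            try
            {
                using (var client = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(GetAccessTokenAsync),
                    new HttpClient()))
                {
                    // Cache the secret's string value, not the SecretBundle,
                    // so the "as string" cast below does not return null
                    var secret = await client.GetSecretAsync(VaultUrl, key);
                    memoryCache.Add(mCachekey, secret.Value, new CacheItemPolicy() { SlidingExpiration = TimeSpan.FromHours(1) });
                }
            }
            catch (Exception ex)
            {
                throw new ApplicationException($"some exception {key}", ex);
            }
        }
        // Return outside the if block so cache hits also return a value
        return memoryCache[mCachekey] as string;
    }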

For more information, please see the below MS Docs.

Azure Key Vault service limits

Azure Key Vault throttling

Rajesh Mopati
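Added example, not part of the original answer or of any Azure SDK: a fetch-once secret cache that counts and logs every real vault request, so the app's own contribution to the Key Vault hit metric can be measured. Unlike a check-then-add cache, concurrent callers that arrive before the first fetch completes share one in-flight request. `CachedSecret` and the fetch delegate are hypothetical names; the delegate stands in for the real `SecretClient` call, and expiry here is absolute rather than sliding.

```csharp
using System;
using System.Threading;
using System.Threading.Tasks;

// Hypothetical helper: one vault fetch per TTL window, shared by all callers.
public sealed class CachedSecret
{
    private readonly Func<Task<string>> _fetch; // stand-in for the Key Vault call
    private readonly TimeSpan _ttl;
    private readonly object _gate = new object();
    private Task<string> _inflight;
    private DateTime _expiresUtc;
    private int _vaultCalls;

    public CachedSecret(Func<Task<string>> fetch, TimeSpan ttl) { _fetch = fetch; _ttl = ttl; }

    // Number of requests actually sent to the vault by this process.
    public int VaultCalls => Volatile.Read(ref _vaultCalls);

    public Task<string> GetAsync()
    {
        lock (_gate)
        {
            // Refetch only if nothing is cached, the last fetch failed, or the TTL elapsed.
            bool stale = _inflight == null || _inflight.IsFaulted || _inflight.IsCanceled
                         || DateTime.UtcNow >= _expiresUtc;
            if (stale)
            {
                int n = Interlocked.Increment(ref _vaultCalls);
                // Log the event and a timestamp only, never the secret value.
                Console.WriteLine($"{DateTime.UtcNow:O} Key Vault fetch #{n}");
                _expiresUtc = DateTime.UtcNow + _ttl;
                _inflight = _fetch(); // callers arriving now await this same task
            }
            return _inflight;
        }
    }
}

public static class Program
{
    public static async Task Main()
    {
        // Constructed stand-in for the vault request; the returned value is a placeholder.
        var secret = new CachedSecret(
            async () => { await Task.Delay(50); return "constructed-connection-string"; },
            TimeSpan.FromHours(1));
        var callers = new Task<string>[2000];
        for (int i = 0; i < callers.Length; i++) callers[i] = Task.Run(() => secret.GetAsync());
        await Task.WhenAll(callers);
        Console.WriteLine($"callers={callers.Length} vaultCalls={secret.VaultCalls}");
    }
}
```

If the logged fetch count stays far below the hit count in Key Vault Metrics, the extra requests are coming from another process or identity rather than from this code path.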