Share via

Azure Key Vault - Limit for secret retrieval

Abhay Bandhu 20 Reputation points
2024-08-22T15:37:09.67+00:00

Hello,

I have a key vault which is populated with 5000 secrets.

I'm working on an initiative which retrieves secrets from the key vault and the way it is retrieving the secrets per batch.
For example, If number of secret is 1000 and the batch size is 100, first a request of 100 secrets is send to AKV to get resolved, then once resolved the next 100 secrets are processed.

As per this documentation https://learn.microsoft.com/en-us/azure/key-vault/general/service-limits, it mentions the following:

  • 4,000 GET transactions per 10 seconds are allowed.
    • Does that mean we can only retrieve 400 secrets per second?
    • Is the limit per Key Vault or per subscription?
  • A subscription-wide limit for all transaction types is five times per key vault limit.
    • If we have a subscription does this implies that the limit is now 20,000 (5 * 4000)?

I also conducted some performance test on 3 Virtual Machine simultaneously trying to retrieve secrets in large number. Even though I sent request way above 4000 i did not find any throttling nor any degradation in performance. I wanted to find what is the limit for secret retrieval. Can you help with this?

Thanks

Azure Key Vault
Azure Key Vault
An Azure service that is used to manage and protect cryptographic keys and other secrets used by cloud apps and services.
1,283 questions
0 comments
Accepted answer
  1. Sina Salam 10,491 Reputation points
    2024-08-22T18:42:07.12+00:00

    Hello Abhay Bandhu,

    Welcome to the Microsoft Q&A and thank you for posting your questions here.

    I understand that you have many concerns about Azure Key Vault secret limits and its performance.

    Azure Key Vault secret limits.

    You will need to understand that previously it was 2,000 transactions per 10 seconds limits, and with increase now, Azure Key Vault service allows 4,000 secret retrieval transactions per 10 seconds for RSA 2,048-bit software keys. This means that the limit is applied per Key Vault instance, not per subscription and there is no strict character limit for secret values, but they are stored as sequences of octets with a maximum size of 25 KB each. https://github.com/MicrosoftDocs/azure-docs/issues/35832 and https://learn.microsoft.com/en-us/azure/key-vault/general/service-limits

    About the performance.

    If you come across any no throttling or performance degradation in your tests, it could happen because of some reasons such as:

    • The system can accommodate temporary spikes in load.
    • Throttling might not always be immediately show, especially if your request patterns are not consistently high or they spread out the load.
    • The performance optimizations and caching mechanisms can sometimes reduce throttling during high-load tests.

    Finally, it is best practices to use Azure monitoring tools to keep track of request rates, latency, and error rates, because it can help you observe actual performance and throttling behavior. Also, implement exponential backoff and retry logic in your application to handle potential throttling gracefully.

    Accept Answer

    I hope this is helpful! Do not hesitate to let me know if you have any other questions.

    ** Please don't forget to close up the thread here by upvoting and accept it as an answer if it is helpful ** so that others in the community facing similar issues can easily find the solution.

    Best Regards,

    Sina Salam

    1 person found this answer helpful.
    0 comments

0 additional answers

Sort by: Most helpful
Most helpful Newest Oldest

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.