Azure Keyvault expired secret working after expiration date

Jigarkumar Patel 21

Hi All,

I have stored a secret in key vault with expiration date. The secret is a connection string to connect to on-prem oracle database

This secret is used in linkedservice to connect to on-prem Oracle datasbase.

Now when I am running the adf pipeline to access the database via this linkedservice it is working.

My expectation was since the secret is expired, the pipeline should have failed.

Is my understanding incorrect ?

1 answer

Sandeep G-MSFT 19,761 Reputation points Microsoft Employee

2024-08-07T16:15:28.8433333+00:00

@Jigarkumar Patel

Thank you for posting this in Microsoft Q&A.

As I understand in your environment you have a key vault secret that is used in linked service to connect to on-prem Oracle database. Now, you have the key vault secret expired and still the entire configuration is working even with the expired secret.

By default, secrets do not expire. We recommend you rotate secrets in the key vault and set an explicit expiration time for all secrets. This ensures that the secrets cannot be used beyond their assigned lifetimes.

There are 2 different things that get set,

The expiration date is the date and time when the key will no longer be valid. This is set when you create the key.

The expiry time is the time interval after which the key will be rotated. This is set when you configure the key rotation policy.

The key rotation policy is used to automatically rotate the key after a specified time interval. The key rotation policy is used to ensure that the key is rotated regularly, which helps to maintain the security of the key.

If both the expiration date and the expiry time are configured, the key will be rotated after the expiry time has elapsed. If the key is rotated, the new key will have the expiration date set when the key was created.

I think in your environment here is a auto rotation of secret has been configured due to which your configuration is still working even after key vault secret is expired.

Let us know if you have any further questions.

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
Please sign in to rate this answer.
Jigarkumar Patel 21 Reputation points

2024-08-08T08:35:24.39+00:00

Hi @Sandeep G-MSFT ,

There is no auto rotation set for this. Also this secret is added manually. So the key rotation policy does not come in picture

Sandeep G-MSFT 19,761 Reputation points Microsoft Employee

2024-08-08T08:57:08.76+00:00

@Jigarkumar Patel

When you store a secret in Azure Key Vault with an expiration date, it means that the secret will no longer be valid after the expiration date. However, this does not mean that the linked service or pipeline that uses this secret will automatically fail after the expiration date.

The expiration date is only used to prevent new requests for the secret from being fulfilled after the expiration date. Any existing requests that were made before the expiration date will continue to use the secret until they are completed or until the secret is explicitly revoked.

In your case, since the pipeline was already running before the expiration date of the secret, it was able to successfully use the secret to connect to the on-prem Oracle database. However, if you were to create a new pipeline or update the existing pipeline after the expiration date of the secret, it would not be able to use the expired secret and would fail.

To ensure that your pipeline fails when the secret expires, you can add a validation step in your pipeline that checks the expiration date of the secret before using it. If the secret has expired, the validation step can fail the pipeline and prevent it from running.

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

Sandeep G-MSFT 19,761 Reputation points Microsoft Employee

2024-08-09T04:34:59.89+00:00

@Jigarkumar Patel

Just checking in to see if the below answer helped. If this answers your query, please don’t forget to click "Accept the answer" and Up-Vote for the same, which might be beneficial to other community members reading this thread.

Jigarkumar Patel 21 Reputation points

2024-08-09T08:36:26.24+00:00

HI @Sandeep G-MSFT ,
I also created a new linkedservice and new pipeline. This new pipeline is also successfully. you mentioned *"However, if you were to create a new pipeline or update the existing pipeline after the expiration date of the secret, it would not be able to use the expired secret and would fail."
*
Also I don't want fail the pipeline, I am curious to know what does the expiration date on the secret means and how it impacts my ADF pipeline. I was expecting the ADF pipeline will fails after the secret has expired, but that is not happening.

So I am trying to understand why the pipeline is not failing

Jigarkumar Patel 21 Reputation points

2024-08-13T14:46:10.7133333+00:00

@Sandeep G-MSFT Any update ?

Sandeep G-MSFT 19,761 Reputation points Microsoft Employee

2024-08-14T04:36:09.1533333+00:00

@Jigarkumar Patel

I am currently working with our PG team on this issue. I will respond on this thread ASAP

Jigarkumar Patel 21 Reputation points

2024-08-26T07:46:18.69+00:00

@Sandeep G-MSFT do you have any update now ?

Sandeep G-MSFT 19,761 Reputation points Microsoft Employee

2024-09-01T04:27:20.23+00:00

@Jigarkumar Patel

I have got information regarding this from our PM team.

That's not how expiry feature works. Your key is still valid as it seems. The expired feature in key vault is for notification purpose and not for on/off scenarios.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

Azure Keyvault expired secret working after expiration date

1 answer

Your answer