Clarification on Azure Container Apps and Key Vault transactions

Question

I’m working with Azure Container Apps and Azure Key Vault, and I’m trying to better understand how Key Vault transactions are counted and billed. I know that Key Vault charges per 10,000 transactions, but I’m unclear on what exactly counts as a transaction in practice.

Specifically:

When a container app restarts (or “bounces”), does it fetch secrets/keys from Key Vault only once during startup, or does it re-fetch them as needed throughout runtime?

If the app is configured to use Key Vault references, do those count as a transaction every time the secret is accessed, or only when the container is initialized?

Are there best practices to minimize unnecessary transactions when using Key Vault with containerized workloads?

Any insights or examples from your experience would be really helpful.

Thanks in advance!

Answer 1

Hello parveen

For Azure Container Apps that use Key Vault references, Key Vault transactions are incurred only when the platform resolves the secret such as during container startup, revision deployment, or secret synchronization. Each secret retrieved through this resolution process is counted as a transaction. After the secret is injected into the container as an environment variable or mounted file, any subsequent access occurs locally within the container and does not generate additional Key Vault transactions.

In contrast, if the application directly retrieves secrets from Key Vault via SDK or REST API, each individual call is treated as a separate transaction.

To optimize cost and performance, it is recommended to use Key Vault references instead of frequent per-request API calls, cache retrieved secrets in memory, and avoid using Key Vault as a high-frequency configuration store.

If the resolution was helpful, kindly take a moment to click on and click on Yes for was this answer helpful. And, if you have any further query do let us know.