Skip to content

Instantly share code, notes, and snippets.

What would you like to do?
Event-Driven KeyVault Secrets Rotation Management
func new --name DisableSecretHttpTrigger --template HttpTrigger --language C#
public static class DisableSecretHttpTrigger
public static async Task<IActionResult> Run(
[HttpTrigger(AuthorizationLevel.Function, "POST", Route = "secrets/{name}/disable/{count:int?}")] HttpRequest req,
string name, int? count,
ILogger log)
// Get the KeyVault URI
var uri = Environment.GetEnvironmentVariable("KeyVault__Uri");
// Get the tenant ID where the KeyVault lives
var tenantId = Environment.GetEnvironmentVariable("KeyVault__TenantId");
// Set the tenant ID, in case your account has multiple tenants logged in
var options = new DefaultAzureCredentialOptions()
SharedTokenCacheTenantId = tenantId,
VisualStudioTenantId = tenantId,
VisualStudioCodeTenantId = tenantId,
var client = new SecretClient(new Uri(uri), new DefaultAzureCredential(options));
// Get the all versions of the given secret
// Filter only enabled versions
// Sort by the created date in a reverse order
var versions = await client.GetPropertiesOfSecretVersionsAsync(name)
.WhereAwait(p => new ValueTask<bool>(p.Enabled.GetValueOrDefault() == true))
.OrderByDescendingAwait(p => new ValueTask<DateTimeOffset>(p.CreatedOn.GetValueOrDefault()))
// Do nothing if there is no version enabled
if (!versions.Any())
return new AcceptedResult();
if (!count.HasValue)
count = 2;
// Do nothing if there is only given number of versions enabled
if (versions.Count < count.Value + 1)
return new AcceptedResult();
// Disable all versions except the first (latest) given number of versions
var candidates = versions.Skip(count.Value).ToList();
var results = new List<SecretProperties>();
foreach (var candidate in candidates)
candidate.Enabled = false;
var response = await client.UpdateSecretPropertiesAsync(candidate).ConfigureAwait(false);
var res = new ContentResult()
Content = JsonConvert.SerializeObject(results, Formatting.Indented),
ContentType = "application/json",
StatusCode = (int)HttpStatusCode.OK,
return res;
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment