ugryczan
Aug 29, 2022 (Copper Contributor)
Azure Key Vault Secret Versions
Hi Team,
As far as I know, Key Vault does not support deleting specific versions of secrets. I am worried about performance:
Key Vault does not restrict the number of versions on a secret, key or certificate, but storing a large number of versions (500+) can impact the performance of backup operations https://docs.microsoft.com/en-us/azure/key-vault/general/service-limits
I have around 150 secrets in one Key Vault and I am planning to add a new version of each secret once a week. Will it affect the performance?
The perfect solution for me will be to keep last three versions of one key vault secret, is it possible?
Thanks
Urszula
- arnaud_grow-una (Brass Contributor)
Hello ugryczan
According to the official documentation:
"Key Vault does not support the ability to backup more than 500 past versions of a key, secret, or certificate object."
So, to my understanding, the limit of 500 versions is per object (a key, a secret, ...), but they also mentioned potential consequences:
"Also consider the following consequences:
Backing up secrets that have multiple versions might cause time-out errors.
A backup creates a point-in-time snapshot. Secrets might renew during a backup, causing a mismatch of encryption keys.
If you exceed key vault service limits for requests per second, your key vault will be throttled, and the backup will fail."
As of today, the backup mechanism for a KV is done per object and not for an entire KV, so from my point of view you can be impacted by the number of concurrent backup jobs that will be launched to back up all your objects with their incoming versions.
It's my understanding, maybe not the reality.
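Since the reply above points out that backups run per object and that version counts are what stress them, the check a vault owner would want is a per-secret version audit. The script below is an added example, not code from the thread or from Microsoft: it works on a list of version records shaped like `az keyvault secret list-versions -o json` output (`id`, `name`, `attributes.created`, `attributes.enabled`), estimates each secret's rotation cadence from the `created` timestamps, and projects when it would reach the 500-version backup limit; the vault name and all sample records are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

BACKUP_VERSION_LIMIT = 500  # per-object backup limit quoted in the thread


def audit_versions(records, limit=BACKUP_VERSION_LIMIT, warn_ratio=0.8):
    """Group version records by secret name and report, per secret, the
    version count, the mean rotation interval in days (from `created`
    timestamps) and the projected date on which the count reaches `limit`."""
    by_name = defaultdict(list)
    for rec in records:
        # The CLI emits ISO 8601 with an offset, e.g. 2022-08-29T10:00:00+00:00
        by_name[rec["name"]].append(datetime.fromisoformat(rec["attributes"]["created"]))

    report = {}
    for name, stamps in by_name.items():
        stamps.sort()
        count = len(stamps)
        interval = reaches = None
        if count >= 2:
            interval = (stamps[-1] - stamps[0]).total_seconds() / 86400 / (count - 1)
            if interval > 0 and count < limit:
                reaches = (stamps[-1] + timedelta(days=interval * (limit - count))).date().isoformat()
        report[name] = {"versions": count, "rotation_days": interval,
                        "reaches_limit_on": reaches, "warn": count >= limit * warn_ratio}
    return report


def make_record(name, version, created):
    """Constructed record in the shape the CLI returns; the vault name is a placeholder."""
    return {"id": f"https://example-kv.vault.azure.net/secrets/{name}/{version}",
            "name": name, "attributes": {"created": created.isoformat(), "enabled": True}}


START = datetime(2022, 1, 3, tzinfo=timezone.utc)
# Constructed sample: weekly rotation as in the question, one secret already near
# the limit, and one secret that was never rotated (no cadence can be estimated).
SAMPLE = ([make_record("db-password", f"v{i:03d}", START + timedelta(weeks=i)) for i in range(5)]
          + [make_record("api-key", f"v{i:03d}", START + timedelta(weeks=i)) for i in range(410)]
          + [make_record("static-cert-pin", "v000", START)])

if __name__ == "__main__":
    for name, info in audit_versions(SAMPLE).items():
        print(f"{name}: {info}")
```

At one new version per week a secret needs roughly 9.5 years to reach 500 versions, so the `warn` flag, not the count alone, is what to alert on in a vault with many secrets.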