Skip to main content
Version: v0.4.0

Automatically Invalidate Azure Key Vault Secrets

The Arcus.BackgroundJobs.KeyVault library provides a background job to automatically invalidate cached Azure Key Vault secrets from an ICachedSecretProvider instance of your choice.

How does it work?

This automation works by subscribing on the SecretNewVersionCreated event of an Azure Key Vault resource and placing those events on a Azure Service Bus Topic; which we process in our background job.

Automatically Invalidate Azure Key Vault Secrets

To make this automation operational, following Azure Resources has to be used:

  • Azure Key Vault instance
  • Azure Service Bus Topic
  • Azure Event Grid subscription for SecretNewVersionCreated events that are sent to the Azure Service Bus Topic


Make sure that you have registered the Arcus secret store so an ISecretProvider/ICachedSecretProvider is available to auto invalidate. This is usually done in the Program.cs. See our dedicated documentation for more information on the secret store.

using Microsoft.Extensions.Hosting;

public class Program
public static void Main(string[] args)

public static IHostBuilder CreateHostBuilder(string[] args) =>
.ConfigureAppConfiguration((context, config) =>
.ConfigureSecretStore((context, config, builder) =>
var keyVaultName = config["KeyVault_Name"];
.ConfigureWebHostDefaults(webBuilder => webBuilder.UseStartup<Startup>());

Our background job has to be configured in ConfigureServices method:

using Arcus.Security.Core;
using Arcus.Security.Core.Caching;
using Microsoft.Extensions.DependencyInjection;

public class Startup
public void ConfigureServices(IServiceCollection services)
// Prefix of the Azure Service Bus Topic subscription;
// this allows the background jobs to support applications that are running multiple instances, processing the same type of events, without conflicting subscription names.
subscriptionNamePrefix: "MyPrefix"

// Connection string secret key to a Azure Service Bus Topic.
// Make sure that this key is available in the Arcus secret store.
serviceBusTopicConnectionStringSecretKey: "MySecretKeyToServiceBusTopicConnectionString");

← back