Skip to main content
Version: v0.4.0

Automatic Azure Key Vault credentials rotation

The library Arcus.BackgroundJobs.KeyVault provides an extension on the message pump to restart the pump automatically when the credentials of the pump stored in Azure Key Vault are changed. This feature allows more reliable restarting instead of relying on authentication exceptions that may be thrown during the lifetime of the message pump.

See Arcus message handling for more information on message pumps and message handling.

How does this work?

A background job is polling for SecretNewVersionCreated events on an Azure Service Bus Topic for the secret that stores the connection string.

That way, when the background job receives a new Key Vault event, it will get the latest connection string, restart the message pump and authenticate with the latest credentials.


This features requires to install our NuGet package:

PM > Install-Package Arcus.BackgroundJobs.KeyVault


When the package is installed, you'll be able to use the extension in your application. Make sure that you have registered the Arcus secret store so the background job on which Azure Service Bus topic subscription it has to receive Azure Key vault events.

using Microsoft.Extensions.DependencyInjection;

public class Program
public void ConfigureServices(IServiceCollection services, IConfiguration configuration)
services.AddSecretStore(stores =>
string keyVaultName = configuration["ARCUS_KEYVAULT_NAME"];

// You should have a unique Job ID to identity the message pump so the automatic process knows which pump to restart.
string jobId = Guid.NewGuid().ToString();

services.AddServiceBusQueueMessagePump(secretName, options => options.JobId = jobId)
.WithServiceBusMessageHandler<OrdersAzureServiceBusMessageHandler, Order>()
// This extension will be available to you once you installed the package.
jobId: jobId,
subscriptionNamePrefix: "TestSub",

// The secret key where the Azure Service Bus Topic connection string is located that the background job will use to receive the Azure Key vault events.

// The secret key where the Azure Service Bus connection string is located that your target message pump uses.
// This secret key name will be used to check if the received Azure Key Vault event is from this secret or not.
messagePumpConnectionStringKey: secretName,

// The maximum amount of thrown unauthorized exceptions that your message pump should allow before it should restart either way.
// This amount can be used to either wait for an Azure Key Vault event or rely on the thrown unauthorized exceptions.
maximumUnauthorizedExceptionsBeforeRestart: 5);