Many versions of one secret in Key Vault

[jasperkpi]

Is your feature request related to a problem? Please describe.
I'm using Azure Key Vault for API keys that rotate every 10 minutes. It uses an OAuth2 flow, where the access_token is valid for 600 seconds. We safe the new refresh_token that is generated every rotation in the key vault. This means I have secrets with as much as 20.000 versions. When I use the SecretClient.list_properties_of_secret_versions it takes minutes to load all the versions. Is there any way to fix this?

Describe the solution you'd like
How can I prevent having to load so many versions? I try to get the latest 10 versions, not all 20k.

Describe alternatives you've considered
I've considered:

• Deleting old versions, which seems not to be possible. There's no "retention time" for versions. Only completely soft-delete the secret manually and rewrite as the same name - maybe?
• Sorting the request, but versions don't come date-sorted on the Get Secret Versions as I've found. They come hexadecimally sorted based on the version id, which is kinda useless?

I don't care there are 20k versions, I'm fine Azure apparently wants to keep them. I just want to view the last 10 or so. How would this be possible? Am I forgetting about an option? Thanks.

[github-actions]

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @jlichwa @RandalliLama @schaabs.

[mccoyp]

Hi @jasperkpi, thank you for opening an issue -- I see how this scenario could be frustrating. @jlichwa, do you know if there's an option on the service's end to restrict the number of results we get from this operation?

[mccoyp]

@jasperkpi I tried reproducing your issue and found the same behavior; iterating over the full set of versions (after I had created 20,000) took a long time, and the sorting was deterministic but not chronological.

If your primary goal is just to get a small batch of secret versions for inspection, I would recommend using the by_page() method on the ItemPaged object you get back from list_properties_of_secret_versions. This will group the response into smaller pages that can be rapidly inspected. For example:

versions = client.list_properties_of_secret_versions(secret_name)
pages = versions.by_page()
single_page = next(pages)
for secret_properties in single_page:
    print(secret_properties.version)

The default page size is 25 entries, but you can change this by passing a smaller integer through a max_page_size keyword argument to list_properties_of_secret_versions.

If you specifically need the most recent versions of the secret, this seems to unfortunately require manual sorting (unless @jlichwa can comment on an alternative once he's back in the office). The other alternative could be to create new secrets instead of a new version of the same secret, though I understand how having a single secret name could be a requirement for shared referencing and simplicity.

[github-actions]

Hi @jasperkpi. Thank you for opening this issue and giving us the opportunity to assist. To help our team better understand your issue and the details of your scenario please provide a response to the question asked above or the information requested above. This will help us more accurately address your issue.