azurerm_key_vault cost estimation

A managed secret, key, and certificate store. Two tiers: Standard (pay-per-operation) and Premium (HSM-backed keys, higher rate).

An azurerm_key_vault stores secrets, encryption keys, and certificates. Pricing is per-operation, not per-vault.

Two tiers with different operation rates:

Standard tier (the default): software-protected keys. Secrets and standard cryptographic operations bill at $0.03 per 10,000 operations. Certificate operations are $3 per renewal.

Premium tier: HSM-protected keys backed by hardware security modules. Key operations bill at $1.00 per 10,000 operations (33x more than Standard). Standard operations on Premium vaults still cost $0.03/10K. Used when FIPS 140-2 Level 3 compliance requires HSM-backed keys.

Important differences from AWS Secrets Manager:

Azure Key Vault has no per-secret monthly fee. AWS Secrets Manager charges $0.40/secret/month. For accounts with many secrets, Key Vault is significantly cheaper.

Azure Key Vault charges per operation. AWS pricing is mostly per-secret. The crossover depends on access frequency.

Managed HSMs (azurerm_key_vault_managed_hardware_security_module) are a separate resource with much higher fixed cost (~$4/hour for the smallest tier). The right choice when you need a dedicated HSM and FIPS 140-3 compliance.

Key rotation, soft delete, purge protection, and RBAC are all free features.

c3x estimates Key Vault based on the tier (Standard vs Premium). Operation count is usage-based via c3x-usage.yml.

Terraform example

A minimal but realistic configuration that C3X can estimate.

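# azurerm_resource_group.main is assumed to be defined elsewhere in the configuration.

# Supplies the tenant ID of the identity Terraform runs as.
data "azurerm_client_config" "current" {}

# Marked sensitive so the value is redacted from plan and apply output.
# The value is still written to Terraform state, so protect the state backend.
variable "db_password" {
  type      = string
  sensitive = true
}

resource "azurerm_key_vault" "main" {
  name                = "production-keyvault"
  resource_group_name = azurerm_resource_group.main.name
  location            = "eastus"
  tenant_id           = data.azurerm_client_config.current.tenant_id
  sku_name            = "standard" # Standard tier: software-protected keys

  soft_delete_retention_days = 14
  purge_protection_enabled   = true
  enable_rbac_authorization  = true # data-plane access is granted through Azure RBAC roles

  # Deny by default; only trusted Azure services bypass the firewall.
  # The host running Terraform needs an ip_rules or virtual_network_subnet_ids
  # entry, or the secret write below is rejected.
  network_acls {
    default_action = "Deny"
    bypass         = "AzureServices"
  }
}

resource "azurerm_key_vault_secret" "db_password" {
  name         = "production-db-password"
  value        = var.db_password
  key_vault_id = azurerm_key_vault.main.id
}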

Pricing dimensions

What you actually pay for when you provision azurerm_key_vault.

| Dimension | Unit | What's being charged | Rate |
| --- | --- | --- | --- |
| Standard operations | per 10,000 operations | Secret gets, sets, and other standard cryptographic operations on software-protected keys. | $0.03/10,000 operations |
| Premium key operations | per 10,000 operations | Operations on HSM-backed keys in a Premium tier vault. | $1.00/10,000 operations |
| Certificate renewals | per renewal | Certificate operations are billed separately from key operations. | $3.00 per renewal |
| Vault resource | free | No per-vault or per-secret monthly fee. Cost is entirely usage-based. | $0 |

Optimization tips

Common ways to reduce azurerm_key_vault cost without changing the workload.

Use Standard tier unless HSM compliance requires Premium

97% on key operations

Premium tier is 33x more per operation. Only use Premium when FIPS 140-2 Level 3 HSM requirements specifically apply.

Cache secrets in your application

Order-of-magnitude on operations

Reading the same secret on every request is expensive. Cache it for 5-15 minutes per process. For a 10K-RPS app, this cuts Key Vault operations from 10K/sec to ~1 per process per 15 minutes.

Consolidate vaults by access pattern

Operational simplicity

Multiple Key Vaults don't cost extra (no per-vault fee), but the operational overhead of managing many vaults is real. Consolidate to one Key Vault per environment unless RBAC boundaries require separation.

Use managed identities, not SAS tokens

Marginal cost; major security

Each authentication is implicitly cheaper with managed identities (no SAS token operations needed). Modern Azure best practice anyway.

FAQ

How does Key Vault compare to AWS Secrets Manager?

Key Vault has no per-secret fee; AWS charges $0.40/month per secret. Key Vault charges per-operation; AWS request costs are negligible. For accounts with many secrets and moderate access, Key Vault is dramatically cheaper. For accounts with few secrets and very high access, Secrets Manager can be competitive.

Does c3x estimate Key Vault cost from Terraform alone?

Tier (Standard or Premium) is read from the resource. Operation count is usage-based; specify monthly_operations in c3x-usage.yml for an accurate estimate.

What about Managed HSM?

azurerm_key_vault_managed_hardware_security_module is a separate resource with a fixed monthly fee ($4/hour for the smallest tier ≈ $2,920/month). The right choice for very high-security requirements. c3x estimates it independently.

Are certificate operations expensive?

Each certificate renewal is $3. For 100 managed certificates renewed annually, that's $25/month on average. Not large, but worth knowing for compliance-heavy environments with many cert rotations.

Estimate this resource in your own Terraform

Free, open source, no API key. C3X parses your Terraform and shows line-item cost for every resource, including azurerm_key_vault.