Azure Key Vault service limits

Key transactions (maximum transactions allowed in 10 seconds, per vault per region¹):

Key type         Software key: CREATE key   Software key: all other transactions
RSA 2,048-bit    20                         4,000
RSA 3,072-bit    20                         1,000
RSA 4,096-bit    20                         500
ECC P-256        20                         4,000
ECC P-384        20                         4,000
ECC P-521        20                         4,000
ECC SECP256K1    20                         4,000

Note

In the previous table, we see that for RSA 2,048-bit software keys, 4,000 GET transactions per 10 seconds are allowed.

The throttling thresholds are weighted, and enforcement is on their sum. For example, as shown in the previous table, when you perform GET operations on RSA Software-keys, it's eight times more expensive to use 4,096-bit keys compared to 2,048-bit keys. That's because 2,000/250 = 8.

In a given 10-second interval, an Azure Key Vault client can do only one of the following operations before it encounters a 429 throttling HTTP status code:

  • 4,000 RSA 2,048-bit software-key GET transactions
  • 250 RSA 4,096-bit Software-key GET transactions
  • 249 RSA 4,096-bit Software-key GET transactions and 8 RSA 2,048-bit Software-key GET transactions
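
The weighted accounting described above, as an added example (not Microsoft's code and not the service's actual algorithm). It takes the "all other transactions" limits from the software-key table and assumes each transaction consumes 1/limit of the 10-second budget, tracked client-side over a sliding window so a caller can pause before the vault answers with 429. The key-type labels and all function names are made up for the example.

```python
from collections import deque
from fractions import Fraction

WINDOW_SECONDS = 10
# "All other transactions" limits per 10 s, copied from the software-key table.
# The dictionary keys are labels chosen for this example.
OTHER_TX_LIMITS = {
    "RSA-2048": 4000, "RSA-3072": 1000, "RSA-4096": 500,
    "EC-P256": 4000, "EC-P384": 4000, "EC-P521": 4000, "EC-SECP256K1": 4000,
}

def cost(key_type):
    """Assumed share of the 10 s budget that one transaction consumes."""
    return Fraction(1, OTHER_TX_LIMITS[key_type])

def window_load(mix):
    """Weighted sum for a planned mix {key_type: count}; above 1 means throttled."""
    return sum((n * cost(k) for k, n in mix.items()), Fraction(0))

class WeightedWindow:
    """Client-side sliding-window estimate of the weighted budget in use."""

    def __init__(self):
        self.events = deque()      # (timestamp, cost), oldest first
        self.used = Fraction(0)

    def try_acquire(self, key_type, now):
        """Return 0.0 and record the call if it fits, else seconds to wait."""
        # Drop transactions that have aged out of the window.
        while self.events and now - self.events[0][0] >= WINDOW_SECONDS:
            self.used -= self.events.popleft()[1]
        c = cost(key_type)
        if self.used + c <= 1:
            self.events.append((now, c))
            self.used += c
            return 0.0
        # Find the oldest event whose expiry frees enough budget for this call.
        freed = Fraction(0)
        for ts, old in self.events:
            freed += old
            if self.used - freed + c <= 1:
                return float(ts + WINDOW_SECONDS - now)
        return float(WINDOW_SECONDS)
```

The tracker counts only this client's calls, so other callers of the same vault still draw on the same budget and a 429 handler remains necessary.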

Secrets, managed storage account keys, and vault transactions:

Transactions type    Maximum transactions allowed in 10 seconds, per vault per region¹
All transactions     4,000

For information on how to handle throttling when these limits are exceeded, see Azure Key Vault throttling guidance.

¹ A subscription-wide limit for all transaction types is five times the per-key-vault limit.

Backup keys, secrets, certificates

When you back up a key vault object, such as a secret, key, or certificate, the backup operation downloads the object as an encrypted blob. This blob cannot be decrypted outside of Azure. To get usable data from this blob, you must restore the blob into a key vault within the same Azure subscription and Azure geography.

Transactions type                              Maximum key vault object versions allowed
Back up individual key, secret, certificate    500

Note

Attempting to back up a key, secret, or certificate object with more versions than the above limit will result in an error. It is not possible to delete previous versions of a key, secret, or certificate.

Limits on count of keys, secrets and certificates:

Key Vault does not restrict the number of keys, secrets or certificates that can be stored in a vault. The transaction limits on the vault should be taken into account to ensure that operations are not throttled.

Key Vault does not restrict the number of versions on a secret, key or certificate, but storing a large number of versions (500+) can impact the performance of backup operations. See Azure Key Vault Backup.

Object limits

Item                                                        Limits
Number of versions per key                                  100
Number of role assignments at each individual key scope     10