Reputation: 5224
I have an environment variable that references a secret in Azure KeyVault:
    {
      "name": "SECRET",
      "value": "@Microsoft.KeyVault(SecretUri=https://keyvault_name.vault.azure.net/secrets/secret_name/)",
      "slotSetting": false
    }
This is loaded in Startup.cs in my web API solution:
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddOptions<Secret>().Configure(o => o.ClearText = Configuration["SECRET"]);
        services.AddControllers();
    }
How is the secret resolved? Is it resolved on every option call, e.g. every time it gets injected into my constructor, or is it resolved when the environment variable is resolved and loaded into the Configuration object?
The reason I ask is that every call to the vault costs a tiny bit, but it all adds up.
UPDATE
I have added this as an issue on GitHub: https://github.com/MicrosoftDocs/azure-docs/issues/44064#event-2855607916
Upvotes: 4
Views: 1307
Reputation: 12153
Based on my testing, an Azure web app will load data from Azure Key Vault in two scenarios:
Your secret will be cached in Azure App Service. You can try this scenario: after you add an environment variable that references a secret in Azure Key Vault, create a new version with a different value in Azure Key Vault. You will find that the value in the Azure web app does not change: it is still the old version.
It will not change until you restart your web app or modify your Application settings in the portal again.
I also checked the metrics of my Azure Key Vault. I called my Azure web app to retrieve the secret I configured in app settings about 10 times, but the access metrics of my Azure Key Vault at that point in time were 0. But when I restart my web app, the access metrics of Azure Key Vault increase.
Hope it helps.
Upvotes: 1
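An added example, not part of the question or the answer above: a console program that uses the question's AddOptions<Secret>().Configure(...) registration and counts how often the delegate runs when the options are injected. The NuGet packages named in the first comment and the shape of the Secret class are assumptions, and the constructed-value-* strings are constructed stand-ins for what App Service places in the SECRET environment variable after resolving the reference.

```csharp
// Assumed NuGet packages: Microsoft.Extensions.DependencyInjection,
// Microsoft.Extensions.Options, Microsoft.Extensions.Configuration.EnvironmentVariables.
using System;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Options;

// Assumed shape of the question's Secret class (only ClearText appears on the page).
public class Secret { public string? ClearText { get; set; } }

public static class Program
{
    public static void Main()
    {
        // Constructed stand-in for the already-resolved value that the platform
        // exposes to the process; application code never sees the @Microsoft.KeyVault(...) text.
        Environment.SetEnvironmentVariable("SECRET", "constructed-value-v1");
        IConfiguration configuration = new ConfigurationBuilder()
            .AddEnvironmentVariables()   // environment is read once, when Build() runs
            .Build();

        int configureCalls = 0;
        var services = new ServiceCollection();
        services.AddOptions<Secret>().Configure(o =>
        {
            configureCalls++;            // count every run of the question's delegate
            o.ClearText = configuration["SECRET"];
        });
        using var provider = services.BuildServiceProvider();

        // IOptions<T> is a singleton: ten "constructor injections" share one cached value.
        for (int i = 0; i < 10; i++)
        {
            using var scope = provider.CreateScope();
            _ = scope.ServiceProvider.GetRequiredService<IOptions<Secret>>().Value;
        }
        Console.WriteLine($"After 10 IOptions reads: delegate ran {configureCalls} time(s)");

        // IOptionsSnapshot<T> is scoped: the delegate re-runs per scope, but it only
        // re-reads the in-memory configuration and makes no network call.
        for (int i = 0; i < 10; i++)
        {
            using var scope = provider.CreateScope();
            _ = scope.ServiceProvider.GetRequiredService<IOptionsSnapshot<Secret>>().Value;
        }
        Console.WriteLine($"After 10 IOptionsSnapshot reads: delegate ran {configureCalls} time(s)");

        // A later change to the variable is not picked up by the built configuration.
        Environment.SetEnvironmentVariable("SECRET", "constructed-value-v2");
        Console.WriteLine($"Configuration[\"SECRET\"] is still: {configuration["SECRET"]}");
    }
}
```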