Reputation: 905
The application settings of my Azure function app have a Key Vault reference like @Microsoft.KeyVault(SecretUri=https://myvalut.vault.azure.net/secrets/mySecret/). Whenever a new version of "mySecret" is introduced in Key Vault, the Azure function still renders the old/stale value, not the latest value/version of "mySecret".
If I open the app settings using Kudu (https://myhttpfunc.scm.azurewebsites.net/api/settings) I can see "mySecret":"onemoretry", where "onemoretry" is the old value. Only an Azure function app restart updates "mySecret" with the new value.
How can I make an Azure function that uses a Key Vault reference fetch the latest value/version of the targeted Key Vault secret as and when it gets updated, without an Azure function restart?
Upvotes: 1
Views: 1552
Reputation: 3292
The reference is intended for application configuration, which is typically fetched and cached on startup or first use (the latter in this case). It's not intended to fetch every time. If you want lifetime management via ETags, for example, you might consider Azure Application Configuration. If you need those values to be encrypted at rest with only a limited set of people able to access, you'll not be able to use secrets this way but instead will have to call into Azure Key Vault yourself, but you should still cache the value for a limited time: Key Vault has very low rate limits, so if your function gets a lot of calls in a short period of time some of those may get throttled and fail (there is a built-in retry policy, but that won't help if requests keep getting queued up in rapid succession).
For example, you could just fetch the secret yourself (assumes C# since it wasn't evident what language you were using):
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;
var vaultUri = Environment.GetEnvironmentVariable("AZURE_KEYVAULT_URL") ?? throw new InvalidOperationException();
// DefaultAzureCredential resolves to the function app's managed identity when running in Azure.
var client = new SecretClient(new Uri(vaultUri), new DefaultAzureCredential());
KeyVaultSecret secret = await client.GetSecretAsync("my-secret");
There are a number of in-memory caching mechanisms you could use depending on how your function is triggered, such as a timer that fires every so often and updates the secret itself. Key Vault doesn't support ETags, so each request will be for the key regardless of whether it's changed. You could query if the version changed, but that saves you little (you'd have to fetch the full secret anyway, so that's 2 requests where you could just fetch the secret in 1 request at each interval).
Upvotes: 1
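As an added example (not code from the answer above or from the Azure SDK), here is the kind of time-bounded cache that answer describes: the secret is fetched from Key Vault at most once per interval, concurrent invocations that hit an expired entry trigger a single fetch, and a throttled or failed refresh keeps serving the last known value instead of failing the function. The `CachedSecret` class, the `AZURE_KEYVAULT_URL` variable, the secret name `my-secret` and the two-second TTL are assumptions; when no vault URL is set, the program uses a constructed stand-in fetch so it runs offline.

```csharp
#nullable enable
using System;
using System.Threading;
using System.Threading.Tasks;
using Azure;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

// Hypothetical time-bounded cache around a secret fetch. The fetch delegate is
// the only thing that talks to Key Vault; injecting it lets the cache be
// exercised offline with a constructed stand-in.
public sealed class CachedSecret
{
    private readonly Func<CancellationToken, Task<string>> _fetch;
    private readonly TimeSpan _ttl;
    private readonly SemaphoreSlim _gate = new SemaphoreSlim(1, 1);
    private string? _value;
    private DateTimeOffset _expires = DateTimeOffset.MinValue;

    public CachedSecret(Func<CancellationToken, Task<string>> fetch, TimeSpan ttl)
    {
        _fetch = fetch;
        _ttl = ttl;
    }

    public async Task<string> GetAsync(CancellationToken ct = default)
    {
        // Fast path: a cached value that has not expired yet.
        if (_value is not null && DateTimeOffset.UtcNow < _expires)
            return _value;

        await _gate.WaitAsync(ct);
        try
        {
            // Re-check under the lock so a burst of callers causes one fetch, not many.
            if (_value is not null && DateTimeOffset.UtcNow < _expires)
                return _value;
            try
            {
                _value = await _fetch(ct);
                _expires = DateTimeOffset.UtcNow + _ttl;
            }
            catch (RequestFailedException) when (_value is not null)
            {
                // Key Vault throttled us or was unreachable: keep the last known
                // value for one more interval rather than failing the invocation.
                // With no cached value at all the exception propagates.
                _expires = DateTimeOffset.UtcNow + _ttl;
            }
            return _value!;
        }
        finally
        {
            _gate.Release();
        }
    }
}

public static class Program
{
    public static async Task Main()
    {
        var vaultUri = Environment.GetEnvironmentVariable("AZURE_KEYVAULT_URL");
        Func<CancellationToken, Task<string>> fetch;
        if (vaultUri is not null)
        {
            // Real path: managed identity via DefaultAzureCredential, one secret read per refresh.
            var client = new SecretClient(new Uri(vaultUri), new DefaultAzureCredential());
            fetch = async ct => (await client.GetSecretAsync("my-secret", cancellationToken: ct)).Value.Value;
        }
        else
        {
            // Constructed stand-in: each call pretends a new secret version was published.
            var version = 0;
            fetch = _ => Task.FromResult($"secret-v{Interlocked.Increment(ref version)}");
        }

        var cached = new CachedSecret(fetch, TimeSpan.FromSeconds(2));
        Console.WriteLine(await cached.GetAsync()); // first call fetches
        Console.WriteLine(await cached.GetAsync()); // served from cache, same value
        await Task.Delay(TimeSpan.FromSeconds(2.5));
        Console.WriteLine(await cached.GetAsync()); // TTL elapsed, fetched again
    }
}
```

The TTL is the trade-off the answer points at: a shorter interval picks up a rotated secret sooner but spends more of the Key Vault request budget, and because every refresh is a full secret read there is no cheaper "has it changed" probe to use instead. Serving the stale value on a failed refresh is deliberate; a function that has to read a secret on every invocation would otherwise turn a short burst of throttling into a burst of failures.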
Reputation: 1391
You can use the Resource Explorer. When you've found what you want to edit, it will actually tell you the endpoint you'll have to hit in order to interact with it.
Application settings will be available under:
subscriptions -> resourceGroups -> [your app's resource group] -> providers -> Microsoft.Web -> sites -> [your app name] -> config -> appsettings
You can thus use PUT with the supplied endpoint and alter the values as you need.
I haven't tried to use the REST API, and it might not work as you want it to, i.e. where the values you update should override what is cached.
More info:
https://learn.microsoft.com/en-us/rest/api/appservice/WebApps/UpdateApplicationSettings
http://blog.davidebbo.com/2015/12/calling-arm-using-plain-rest.html
Upvotes: 0