Reputation: 404
I have an Azure Function with a SqlConnectionStr setting; the value is taken from an Azure Key Vault secret using the following syntax:
@Microsoft.KeyVault(VaultName=MyKV;SecretName=SqlConnectionStr)
In the configuration panel I can see it properly understands it as a "Key vault reference"; however, when I updated the SqlConnectionStr secret's value in the key vault, I can see the Azure Function is still using the old value. It's been 2 hours and still nothing.
The code that uses the value:
_log.LogInformation($"opening SQL connection");
var cstr = Environment.GetEnvironmentVariable("SqlConnectionStr", EnvironmentVariableTarget.Process);
using var sqlConnection = new SqlConnection(cstr);
...
Meanwhile I tried restarting the Azure Function several times but that didn't help. This is on production env, I did the same on test a few days ago and experienced the same behavior, after some time (hours) the new value was finally being used by the function.
Is it something that I'm doing wrong? Is it normal behavior? Am I misusing Azure Key Vault with my scenario?
Upvotes: 4
Views: 1826
Reputation: 2837
At the time of posting this answer, forcing a restart of the web app or saving the configuration won't trigger an immediate re-fetch of all referenced secrets.
An alternative way could be A. Delete and re-create the secret in key vault or B. Change the configuration item to de-reference the secret (to a plain string value) and save it. Then reference the secret and save it again.
Upvotes: 1
Reputation: 6192
It takes time to rotate as stated in the documentation:
If the secret version isn't specified in the reference, the app uses the latest version that exists in the key vault. When newer versions become available, such as with a rotation event, the app automatically updates and begins using the latest version within 24 hours. The delay is because App Service caches the values of the key vault references and refetches it every 24 hours. Any configuration change to the app causes an app restart and an immediate refetch of all referenced secrets.
You can also force it to use a particular version of your secret by adding the SecretVersion in the reference.
Upvotes: 4
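The distinction the quoted documentation draws between a reference with and without a version, as an added example that is not part of the original question or answers: a Python audit over app settings that classifies each Key Vault reference as floating (follows new secret versions once the cached value is refetched) or pinned with SecretVersion. The SecretUri form of the reference and all sample setting names, values and the version id are assumptions constructed for the example.

```python
import re
from urllib.parse import urlparse

# Whole-value match, e.g. @Microsoft.KeyVault(VaultName=MyKV;SecretName=SqlConnectionStr)
_REF = re.compile(r"^@Microsoft\.KeyVault\((?P<body>.*)\)$")

def parse_reference(value):
    """Return a dict describing a Key Vault reference, or None for a plain value."""
    m = _REF.match(value.strip())
    if not m:
        return None
    fields = {}
    for part in m.group("body").split(";"):
        key, sep, val = part.partition("=")
        if sep:
            fields[key.strip().lower()] = val.strip()
    if "secreturi" in fields:
        # https://<vault>.vault.azure.net/secrets/<name>[/<version>]
        url = urlparse(fields["secreturi"])
        segs = [s for s in url.path.split("/") if s]
        if not url.hostname or len(segs) < 2 or segs[0] != "secrets":
            raise ValueError(f"malformed SecretUri: {value!r}")
        vault, name = url.hostname.split(".")[0], segs[1]
        version = segs[2] if len(segs) > 2 else None
    else:
        if "vaultname" not in fields or "secretname" not in fields:
            raise ValueError(f"malformed reference: {value!r}")
        vault, name = fields["vaultname"], fields["secretname"]
        version = fields.get("secretversion") or None
    return {"vault": vault, "secret": name, "version": version}

def audit(settings):
    """Classify each setting: 'plain', 'floating' (no version, so a rotated secret is
    picked up after the cache refresh) or 'pinned' (fixed until the reference is edited)."""
    report = {}
    for name, value in settings.items():
        ref = parse_reference(value)
        if ref is None:
            report[name] = "plain"
        else:
            report[name] = "pinned" if ref["version"] else "floating"
    return report

# Constructed sample settings; the version id is a placeholder, not a real secret version.
SAMPLE = {
    "SqlConnectionStr": "@Microsoft.KeyVault(VaultName=MyKV;SecretName=SqlConnectionStr)",
    "SqlPinned": "@Microsoft.KeyVault(VaultName=MyKV;SecretName=SqlConnectionStr;SecretVersion=0000placeholder0000)",
    "SqlByUri": "@Microsoft.KeyVault(SecretUri=https://mykv.vault.azure.net/secrets/SqlConnectionStr/)",
    "FUNCTIONS_WORKER_RUNTIME": "dotnet",
}
```

A setting reported as pinned will not change when the secret is rotated, so the reference itself has to be updated to the new version.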