Below is the Key-Vault problem which I am facing. I have a Key-Vault which stores some keys which is used in web-app and functions using @Microsoft.KeyVault(SecretUri=) The value of the secret will change every three days using an automation. That will change the version number (GUID) as well and then the app setting value (atleast one in case of Primary and Secondary) will become invalid. Is there any way I can refer the latest value from the KeyVault in app settings. Updating the app settings in all the website will be a tedious process.
Key vault value does not update if value changes in secret as it generates new version for the secret
Asked Answered
From this question, you could don't specify the version number to get the secret. You could have a try.#48432876 –
Swordfish
For my App Service, I did have success using a Key Vault reference in the form below with no version:
@Microsoft.KeyVault(SecretUri=https://<vault_name>.vault.azure.net/secrets/<secret_name>/)
However, I did have to Stop and Start (not Restart) the App Service to pull in the new secret value from the key vault.
That forward slash at the end "<secret_name>/" fixed my issue. Just restarting the app service worked for me –
Managua
Thanks. It only worked after doing a stop and restart of my web app. Thats so bad Microsoft :(. Restart did not work for me either. –
Warranty
I use
"@Microsoft.KeyVault(VaultName=myvault-kv-dev;SecretName=myKeyName)" nad even when I stop and start it does not refresh my secrets. I have to do redeploy. It is not good because it is my main purpose to avoid redeploy when secret change... –
Donald @Donald Did you manage to solve it or create a workaround? Neither restart or start/stop is working for me (strange if I update a dummy environment variable just for the purpose of Azure doing a different kind of restart then the value is reloaded but I do not want dummy variables) –
Mikemikel
In my new project I use key vault reference in ARM templates so I change secrets in ARM or manually if necessary –
Donald
@Stephane I went to "Deployment Center" and added a "Start up file or command", I entered a space in there so I could "Save" the changes. Then I removed the space character and Saved it again. That is then "re-deployed" with the latest secret value. –
Shwalb
Key Vault references are currently in preview.
A Key Vault reference is of the form @Microsoft.KeyVault({referenceString}), where {referenceString} is replaced by one of the following options:
SecretUri=secretUri
where SecretUri should be the full data-plane URI of a secret in Key Vault, including a version, e.g., https://myvault.vault.azure.net/secrets/mysecret/ec96f02080254f109c51a1f14cdb1931
VaultName=vaultName;SecretName=secretName;SecretVersion=secretVersion
where VaultName should the name of your Key Vault resource. The SecretName should be the name of the target secret. The SecretVersion should be the version of the secret to use.
For example, a complete reference would look like the following:
@Microsoft.KeyVault(SecretUri=https://myvault.vault.azure.net/secrets/mysecret/ec96f02080254f109c51a1f14cdb1931)
Alternatively:
@Microsoft.KeyVault(VaultName=myvault;SecretName=mysecret;SecretVersion=ec96f02080254f109c51a1f14cdb1931)
In the current preview, versions are required. When rotating secrets, you will need to update the version in your application configuration.
Then I may need to create a run book to update the version in all app settings of websites and functions and trigger that run book using the automation which is changing the secret value . –
Spae
Exactly!, It could be a runbook or a rest call. learn.microsoft.com/en-us/rest/api/appservice/webapps/… –
Sailing
Restarting the app service didn't take effect immediately, so this is what I did.
- Delete the secret variable from KeyVault.
- Purge the deleted variable (so that you can create a new one with the same name)
- Create the secret variable again using the same name and with its new value.
- Optional: Resave any configuration settings having
@Microsoft.KeyVault(SecretUri=...so it refreshes its internals. Although we did not change anything, sometimes you get a dreaded error Keyword not supported: @microsoft.keyvault(secreturi... blah blah
Had to do the same, disappointing that it's so involved. Next time I will create a second secret and switch to using that before deleting the first one. –
Chesterchesterfield
With Azure Python SDK you can do something like this:
kv_client.get_secret("https://%kvname%.vault.azure.net/", name, KeyVaultId.version_none)
# or this
kv_client.get_secret("https://%kvname%.vault.azure.net/", name, "")
both of these will pull the latest version of the secret. so I assume that doing this in the code in c# would be more or less identical (or at least possible). Not so sure about the appsettings of web apps =\.
You can, probably, use some sort of automation (like powershell) to update those.
That’s the thing I don’t want to do. –
Spae
try passing an empty string to the secret version, also, if you do not want to do - doesnt mean you have any other options ;) –
Plus
Reason being: there will be n number of websites and function apps inside the organisation using the same logic to authorise requests based on those keys in app settings. If I use .net code to access vault instead of app settings, it will increase the time to process the request –
Spae
pass it to the app settings –
Plus
If there is any way the version number remains same that would be ideal for my case –
Spae
no, if you update the secret it will generate a new version –
Plus
On the Web App > Configuration > Connection strings, juste update the current value of the property for whatever and then back to the original value did the trick. No need to restart the service.
© 2022 - 2024 — McMap. All rights reserved.