Azure Function configuration does not get latest version of Key Vault secret
B

3

7

The function never reads the latest version of the secret. It always reads the first one it was configured to use, i.e. the versioned one. Even after restarting the function or re-publishing it, it always reads the versioned secret it was first configured to use.

Created a function with a versioned Key vault Reference of the form:

 TheSecret
   @Microsoft.KeyVault(SecretUri=https://name.vault.azure.net/secrets/TheSecret/__version__)

and in the Function:

if (!int.TryParse(Environment.GetEnvironmentVariable("TheSecret"), out int theSecret))
{
    theSecret = 10;
}

The first time the function runs it retrieves the specific version of the secret.

Created a new version of TheSecret in the Key Vault and changed the function application configuration to the non-versioned type:

TheSecret
@Microsoft.KeyVault(SecretUri=https://name.vault.azure.net/secrets/TheSecret/)
Barahona answered 14/9, 2021 at 10:18 Comment(0)
D
11

As you have not specified the version, it uses the latest version in the key vault. As per the document: When newer versions become available, such as with a rotation event, the app will automatically update and begin using the latest version within one day. Any configuration changes made to the app will cause an immediate update to the latest versions of all referenced secrets.

There are two ways in which the new value from Azure Key vault secret (referenced in Function app) is loaded:

  1. Automatic (not forced) which happens on a 24-hour basis, as mentioned in document.

  2. Configuration update (forced), which forces fetching the latest secrets while performing site update. The simplest way will be to update any setting in Settings\Configuration followed by a Save on this blade. This will also cause a restart. More details available here.

Despair answered 22/9, 2021 at 4:43 Comment(4)
Forced configuration update does not work. The documentation is wrong. I have created a configuration value specifically for this purpose. Updating this value, saving the configuration and waiting for the restart does NOT load the updated key vault secret. This "feature" is a problem when testing/verifying changes and caused. Changes cannot be tested and verified at the time of making them. This means I am at the whim of RnG as to when my change will happen in production. - Jennee
I was having the same problem here. Restarting or Stop and Starting the App Service wasn't working for me. But when I added a new setting and saved, it worked. Maybe this was a bug when this answer was posted by @MayankBargali-MSFT, but it seems to be working as it should now. BTW, I'm using the alternative syntax, since it is simpler and easier to read. - Measures
Thank you all for this so that I didn't think I was going crazy. - Borak
Seems to be related to the "frozen" issue github.com/Azure/azure-functions-host/issues/8269. - Hangeron
C
0

Microsoft has introduced a new feature to resolve this issue. On the Environment variables view there is now an action, Pull reference values, which does the following:

This will query Key Vault and App Configuration to update any values referenced by the app. Your site will restart in order to apply the new configuration.

Caryncaryo answered 1/10 at 11:9 Comment(0)
U
-1

Regarding things to try, here are a few;

  1. Try removing the trailing slash - that could confuse it (though unlikely)
  2. Alternatively, try using the other syntax form for this, @Microsoft.KeyVault(VaultName={vault_name};SecretName={secret_name})
  3. Stop & start (not restart) the function app (I've seen this make a difference, though it shouldn't in theory)

If all these fail, disable the system msi, re-enable & confirm secret get permissions are assigned within the key vault policies. (note you will have to stop/start the function app after doing this)

Unthinkable answered 14/9, 2021 at 10:32 Comment(1)
I tested 'Stop and Start' as well as Restart several times. None of these approaches fetch the new version for a secret in key vault. - Jennee
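An added example, not part of any post above and not Microsoft's code: a small Python audit that tells version-pinned Key Vault references apart from latest-version ones in a set of app settings, covering both the `SecretUri` form from the question and the `VaultName`/`SecretName` form from the answers. The setting names and the version string are constructed; `SecretVersion` is the optional version parameter of the alternative syntax, and matching parameter names case-insensitively is a choice of this script.

```python
import re
from urllib.parse import urlparse

# Whole app-setting value of the form @Microsoft.KeyVault(...)
_REF = re.compile(r"^@Microsoft\.KeyVault\((?P<body>.*)\)$", re.IGNORECASE)

# Constructed sample settings (name -> value); the version string is made up.
SAMPLE = {
    "TheSecret": "@Microsoft.KeyVault(SecretUri=https://name.vault.azure.net/secrets/TheSecret/0123456789abcdef0123456789abcdef)",
    "Unversioned": "@Microsoft.KeyVault(SecretUri=https://name.vault.azure.net/secrets/TheSecret/)",
    "AltSyntax": "@Microsoft.KeyVault(VaultName=name;SecretName=TheSecret)",
    "Plain": "10",
}


def classify_reference(value):
    """Return (kind, version); kind is not-a-reference, malformed, pinned or latest."""
    m = _REF.match(value.strip())
    if not m:
        return ("not-a-reference", None)
    # The body is a ';'-separated list of Key=Value pairs.
    params = {}
    for part in m.group("body").split(";"):
        key, sep, val = part.partition("=")
        if sep:
            params[key.strip().lower()] = val.strip()
    if "secreturi" in params:
        # Path is /secrets/<name>[/<version>]; a trailing slash adds no segment.
        url = urlparse(params["secreturi"])
        segs = [s for s in url.path.split("/") if s]
        if url.scheme != "https" or len(segs) < 2 or segs[0] != "secrets":
            return ("malformed", None)
        version = segs[2] if len(segs) > 2 else None
    elif "vaultname" in params and "secretname" in params:
        version = params.get("secretversion") or None
    else:
        return ("malformed", None)
    return ("pinned", version) if version else ("latest", None)


def audit(settings):
    """Map setting name -> (kind, version) for every Key Vault reference found."""
    found = {name: classify_reference(value) for name, value in settings.items()}
    return {k: v for k, v in found.items() if v[0] != "not-a-reference"}
```

A setting reported as `pinned` stays on that version until the reference itself is edited, whatever refresh mechanism is used.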
