0
votes

I have a Linux Function App running on Consumption Plan that is using a Key Vault Reference in the Application Settings to retrieve and use a secret stored in an Azure Key Vault.

This works fine so far.

However, we have to change that secret every day (i.e. create a new version of that secret in the Key Vault and set an activation date for that secret) and would like to have the Function App automatically retrieve and use the new version as soon as it's activated, without having to manually change the Key Vault reference to the new version of the secret.

Is this currently possible and how can this be achieved?

2
There isn't a way of doing this yet. You need to do some sort of fetch yourself. But then again, the secrets will be fetched on each cold start. You need to create some sort of functionality that makes sure that the function is restarted properly when it doesn't run. I don't know how to do it.
mslot

2 Answers

2
votes

It is currently not possible to do this.

https://docs.microsoft.com/en-us/azure/app-service/app-service-key-vault-references

Versions are currently required. When rotating secrets, you will need to update the version in your application configuration.

Restarting your function will not help you in any way, since rotating the secret means that you also create a new version of the secret. This is probably also why it is not supported at the moment. AppService does not get notified when a new version is available, and you probably don't want your AppService to restart automatically when you update a secret in KeyVault.

You either need to fetch the latest active secret manually in your function code, or update the reference via some other method. I would probably prefer the first method, since it can work without having to restart your AppService.

https://docs.microsoft.com/en-us/samples/azure-samples/app-service-msi-keyvault-dotnet/keyvault-msi-appservice-sample/


    // From the linked sample (an ASP.NET MVC controller action). It uses the older
    // Microsoft.Azure.KeyVault and Microsoft.Azure.Services.AppAuthentication packages.
    using System;
    using System.Threading.Tasks;
    using System.Web.Mvc;
    using Microsoft.Azure.KeyVault;
    using Microsoft.Azure.Services.AppAuthentication;

    public async Task<ActionResult> About()
    {
        // Gets a Key Vault token from the app's managed identity (or developer credentials locally).
        AzureServiceTokenProvider azureServiceTokenProvider = new AzureServiceTokenProvider();

        try
        {
            var keyVaultClient = new KeyVaultClient(
                new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback));

            // No version segment in the URL, so Key Vault returns the latest version of the secret.
            var secret = await keyVaultClient.GetSecretAsync("https://keyvaultname.vault.azure.net/secrets/secret")
                .ConfigureAwait(false);

            ViewBag.Secret = $"Secret: {secret.Value}";
        }
        catch (Exception exp)
        {
            // Error handling was elided in the posted snippet ("//..."); this generic catch makes it compile.
            ViewBag.Error = $"Something went wrong: {exp.Message}";
        }
    }
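The answer above suggests fetching the secret from function code so no restart is needed, but its snippet always asks for "the latest version", which is not the same as "the latest version that is already active" when new versions are created ahead of time with an activation date, as in the question. The following is an added example, not code from the answer or from the Microsoft sample. It uses the current Azure.Security.KeyVault.Secrets and Azure.Identity packages, lists the versions of the secret, picks the newest one that is enabled and past its NotBefore date, and caches the value for a short TTL so warm invocations do not hit Key Vault every time. The vault URL, secret name and TTL are placeholders; it assumes the Function App's managed identity has the get and list secret permissions.

```csharp
// Added example: resolve the newest *active* version of a rotated secret and cache it.
// Assumed: Azure.Security.KeyVault.Secrets + Azure.Identity packages, and a managed
// identity with "get" and "list" secret permissions on the vault.
using System;
using System.Threading;
using System.Threading.Tasks;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

public static class RotatingSecret
{
    // Placeholders; replace with your own vault and secret name.
    private static readonly Uri VaultUri = new Uri("https://keyvaultname.vault.azure.net/");
    private const string SecretName = "secret";

    // How long a resolved value is reused before Key Vault is consulted again.
    private static readonly TimeSpan CacheTtl = TimeSpan.FromMinutes(5);

    // One client per process; DefaultAzureCredential uses the managed identity when running in Azure.
    private static readonly SecretClient Client = new SecretClient(VaultUri, new DefaultAzureCredential());
    private static readonly SemaphoreSlim Gate = new SemaphoreSlim(1, 1);

    private static string _cachedValue;
    private static string _cachedVersion;
    private static DateTimeOffset _cachedUntil = DateTimeOffset.MinValue;

    // Call this from the function body on every invocation; it is cheap while the cache is warm.
    public static async Task<string> GetValueAsync(CancellationToken ct = default)
    {
        if (DateTimeOffset.UtcNow < _cachedUntil) return _cachedValue;

        await Gate.WaitAsync(ct);
        try
        {
            // Re-check after acquiring the lock; another invocation may have refreshed already.
            if (DateTimeOffset.UtcNow < _cachedUntil) return _cachedValue;

            string version = await ResolveActiveVersionAsync(ct);
            if (version != _cachedVersion)
            {
                // Only download the value when the active version actually changed.
                KeyVaultSecret secret = await Client.GetSecretAsync(SecretName, version, ct);
                _cachedValue = secret.Value;
                _cachedVersion = version;
            }
            _cachedUntil = DateTimeOffset.UtcNow + CacheTtl;
            return _cachedValue;
        }
        finally
        {
            Gate.Release();
        }
    }

    // "Latest" alone is not enough when versions are created before their activation date,
    // so filter on Enabled / NotBefore / ExpiresOn and take the newest remaining version.
    private static async Task<string> ResolveActiveVersionAsync(CancellationToken ct)
    {
        DateTimeOffset now = DateTimeOffset.UtcNow;
        SecretProperties best = null;

        await foreach (SecretProperties p in Client.GetPropertiesOfSecretVersionsAsync(SecretName, ct))
        {
            if (p.Enabled == false) continue;                                 // disabled version
            if (p.NotBefore.HasValue && p.NotBefore.Value > now) continue;     // not active yet
            if (p.ExpiresOn.HasValue && p.ExpiresOn.Value <= now) continue;    // already expired
            if (best == null || p.CreatedOn > best.CreatedOn) best = p;
        }

        if (best == null)
            throw new InvalidOperationException($"No enabled, active version of '{SecretName}' found.");
        return best.Version;
    }
}
```

With a daily rotation and a 5-minute TTL, the function starts using a newly activated version at most 5 minutes after its NotBefore time, with no restart and no change to application settings. The version list call needs the "list" permission in addition to "get", which is one more right than a plain Key Vault reference requires.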
1
votes

This is now supported.

https://docs.microsoft.com/en-us/azure/app-service/app-service-key-vault-references#rotation

If a version is not specified in the reference, then the app will use the latest version that exists in Key Vault. When newer versions become available, such as with a rotation event, the app will automatically update and begin using the latest version within one day. Any configuration changes made to the app will cause an immediate update to the latest versions of all referenced secrets.
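As an added illustration of the rotation behaviour quoted above (not part of the answer itself), here are the versioned and versionless forms of a Key Vault reference side by side, in the JSON shape accepted by `az functionapp config appsettings set --settings @appsettings.json`. Vault name, secret name and setting names are placeholders, and `<version-guid>` stands for a real version identifier.

```json
[
  {
    "name": "DailySecretPinned",
    "value": "@Microsoft.KeyVault(SecretUri=https://keyvaultname.vault.azure.net/secrets/secret/<version-guid>)",
    "slotSetting": false
  },
  {
    "name": "DailySecret",
    "value": "@Microsoft.KeyVault(SecretUri=https://keyvaultname.vault.azure.net/secrets/secret/)",
    "slotSetting": false
  },
  {
    "name": "DailySecretByName",
    "value": "@Microsoft.KeyVault(VaultName=keyvaultname;SecretName=secret)",
    "slotSetting": false
  }
]
```

The first entry is pinned and will keep serving the old value after rotation until someone edits it. The second and third omit the version (trailing slash, or the VaultName/SecretName form), so the app follows the latest version as described in the quoted documentation. The function code reads the setting as an ordinary environment variable and receives the resolved secret value, never the reference string.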