Azure function app caching issue with key vault reference
The application settings of my Azure function app have a Key Vault reference like @Microsoft.KeyVault(SecretUri=https://myvalut.vault.azure.net/secrets/mySecret/). Whenever a new version of "mySecret" is introduced in Key Vault, the Azure function still renders the old/stale value, not the latest value/version of "mySecret".
If I open up app setting using KUDU (https://myhttpfunc.scm.azurewebsites.net/api/settings) I can see "mySecret":"onemoretry" where "onemoretry" is the old value. Only Azure func app restart updates "mySecret" with new value.
How can I make an Azure function which uses a Key Vault reference fetch the latest value/version of the targeted Key Vault secret as and when it gets updated, without an Azure function restart?
Can you please clarify whether the value returned would be cached on the Azure function app or if it would incur a request to KeyVault every time that App Setting was queried by the code?
If the function app needs to be restarted every time after a Key Vault secret update, then what is the purpose of the Key Vault reference support without a version number, as below? @Microsoft.KeyVault(SecretUri=https://myvalut.vault.azure.net/secrets/mySecret/)
Document Details
⚠ Do not edit this section. It is required for docs.microsoft.com ➟ GitHub issue linking.
- ID: 7feaa3d0-7233-a3cb-cb9b-a9a55b1f0d7a
- Version Independent ID: f41f9d51-52f8-1f45-1043-1344a3b74458
- Content: Use Key Vault references - Azure App Service
- Content Source: articles/app-service/app-service-key-vault-references.md
- Service: app-service
- GitHub Login: @mattchenderson
- Microsoft Alias: mahender
Some quick update would be appreciated.
The scope for these doc issues is to help identify gaps and issues with the documentation. Is there something in any specific Azure doc you are looking to have updated or are having issues with? If yes, please provide us with the link to the documentation you are referring to so we can better assist.
Else, if you are looking for help with debugging issues I would suggest reaching out to the MSDN and Stack Overflow communities. Our team will help you there.
It is not about the document, it is more about the functionality of App services as I have mentioned in my original post. Can you move this concern or tag right team to answer/clarify the query?
@TestUser0811 I believe this is the current intended behavior. The secret is fetched when the function first warms up and if the function were to scale down to zero, it will pick the latest secret at the time of warming up again.
@mattchenderson Could you please confirm and share more insights here?
We are assigning this issue to the content author for further review and to update the docs accordingly.
@PramodValavala-MSFT @mattchenderson,
"The secret is fetched when the function first warms up and if the function were to scale down to zero" this statement of yours is not true.
Only a function app restart fetches the latest secret, and it is painful to restart the function app every time you update the Key Vault secret version. It is a definite caveat that Microsoft has to patch out.
I even tried updating the function app's application settings with the new version of the Key Vault secret by using the REST API. The application settings value gets updated as expected, but the function still renders the previous value of the Key Vault secret, not the latest value. The function app considers the latest version of the secret only after its restart.
Help me with a possible solution where the function is able to pick up the latest value of the Key Vault secret version without a Function App restart.
Format of Keyvault reference configured Function App's application setting, @Microsoft.KeyVault(SecretUri=https://myvalut.vault.azure.net/secrets/mySecret/),
some update would be appreciated.
Does restarting the function app pick up the latest value? It didn't seem to work for me. What I had to do is to make a minor update to the url. Actually removed the "/" at the end and saved it. Then it picked up the latest.
We are facing this as well. Tried restarting the function app, removed the "/" from key vault url, but the function app picks up the old secret value.
This really needs to be fixed - a restart should clear any cache being used!
Use the "SecretVersion" in your configuration reference.
@Microsoft.KeyVault(VaultName=myvault;SecretName=mysecret;SecretVersion=ec96f02080254f109c51a1f14cdb1931)
Use Key Vault reference
That would mean updating configuration when keyvault value has a new version added, which is not viable or acceptable in most cases.
Is there any update on this obvious problem? It really needs to be resolved - restarting and stopping and then starting the function app has no effect on the function app seeing the new KV value.
Restarting my FA didn't pick up the latest KV value :(
I am also facing the same issue. Was there any resolution around this?
Same issue. Refreshing the app-service doesn't fetch newest value. I need to make a change in the config of the app service and save that. It will ask for a refresh and that will trigger it.
@PramodValavala-MSFT @Karishma-Tiwari-MSFT @mattchenderson Also having the same issue with AppServices, restarting isn't enough to get the most recent secret value. I can even disable all older versions in my keyvault and it still uses the old version. Because of this I'm fairly certain that this is a caching issue.
After a certain time and restarting it just works. I guess this happens when the cache TTL is finally reached.
Any update on this issue? A function restart is not picking up the latest version of the Key Vault secrets; only a configuration change refreshes the latest version of the Key Vault secrets. It's high maintenance to continue with the workaround if the secret is referenced in multiple functions/app services.
My solution for now is to specify ;SecretVersion=... in the config, but this is a major pain point as you need to update this every time you update your secret
I have the same issue. This "cache" persists even through multiple app restarts and code redeployments.
Using a SecretVersion is not a solution but a workaround and it means I have to write even more automation to handle this.
Same here. In our case, the cache can live up to 5 hours, and even if we restart the function app it still cannot flush the cache.
This madness caused us a 6-hour P1 recently.
This is burning me too and I say that this is nothing more than pure poop! MSFT, can you please fix this?
I am also suffering on this. Function (v4 isolated) is still seeing the old value even though the function is restarted. Pls fix this!
We just had the same issue with a Function App (2 instances, P1V3). Changing the Key Vault reference to use SecretVersion and rolling it back to without SecretVersion worked for our issue.
Same here with Function App v4 (P1V3). Looking forward on getting this fixed to save hours of troubleshooting in the future 😅
+1 for this issue to be fixed - should pick up latest version by default
+1
We would also appreciate a fix for this. A restart should not use the cached value
Same problem here. Please fix it.
Adding on to the pile, here. At minimum, a function app restart or code redeployment should cause a cache refresh. With a properly set up CI/CD, it's a mere button click to restart/redeploy to pick up new value, and I don't mind that.
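Added example (not part of the original thread, and not Microsoft's code): a sketch of the automation the SecretVersion workaround implies. It parses both reference syntaxes quoted above, finds settings that are versionless or pinned to an old version, and builds the pinned value to write back. The setting names, `otherSecret`, and the `LATEST` lookup (which would come from a Key Vault query) are constructed sample data; the version string from the thread is reused only as a sample value.

```python
import re
from urllib.parse import urlparse

REF_RE = re.compile(r"^@Microsoft\.KeyVault\((?P<body>.*)\)$")

def parse_reference(value):
    """Parse either reference syntax; return vault/name/version or None."""
    match = REF_RE.match(value.strip())
    if not match:
        return None
    fields = dict(p.split("=", 1) for p in match.group("body").split(";") if "=" in p)
    if "SecretUri" in fields:
        url = urlparse(fields["SecretUri"])
        segs = [s for s in url.path.split("/") if s]
        if not url.hostname or len(segs) < 2 or segs[0] != "secrets":
            return None
        # A third path segment is the version; without it the reference floats.
        version = segs[2] if len(segs) > 2 else None
        return {"vault": url.hostname.split(".")[0], "name": segs[1], "version": version}
    if "VaultName" in fields and "SecretName" in fields:
        return {"vault": fields["VaultName"], "name": fields["SecretName"],
                "version": fields.get("SecretVersion") or None}
    return None

def pinned(ref, version):
    """Build the VaultName/SecretName/SecretVersion form quoted in the thread."""
    return ("@Microsoft.KeyVault(VaultName=%s;SecretName=%s;SecretVersion=%s)"
            % (ref["vault"], ref["name"], version))

def plan_updates(app_settings, latest_versions):
    """Return {setting: new value} for references that are versionless or stale."""
    updates = {}
    for key, value in app_settings.items():
        ref = parse_reference(value)
        if ref is None:
            continue  # plain setting, not a Key Vault reference
        latest = latest_versions.get((ref["vault"], ref["name"]))
        if latest and ref["version"] != latest:
            updates[key] = pinned(ref, latest)
    return updates

# Constructed sample input: setting names, "otherSecret" and its version are made up.
SETTINGS = {
    "mySecret": "@Microsoft.KeyVault(SecretUri=https://myvalut.vault.azure.net/secrets/mySecret/)",
    "other": "@Microsoft.KeyVault(VaultName=myvalut;SecretName=otherSecret;SecretVersion=0000000000000000000000000000000a)",
    "plain": "onemoretry",
}
LATEST = {("myvalut", "mySecret"): "ec96f02080254f109c51a1f14cdb1931",
          ("myvalut", "otherSecret"): "0000000000000000000000000000000a"}

if __name__ == "__main__":
    for name, value in plan_updates(SETTINGS, LATEST).items():
        print(name, "->", value)
```

Only the versionless `mySecret` setting is reported here; `other` is already pinned to its latest version and `plain` is not a reference.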