Azure-docs: Retrieve latest version of secret

Created on 15 Nov 2019 · 17 Comments · Source: MicrosoftDocs/azure-docs

Does the syntax provide a way of retrieving the latest version of the secret without specifying the version? If a secret is updated, I would like to not have to change the app setting in order to retrieve the updated value.

All 17 comments

@a9fagu Thanks for the feedback! We are currently investigating and will update you shortly.

@a9fagu they do support it: https://blog.eldert.net/reference-key-vault-secret-latest-version/

@SnehaAgrawal-MSFT adding this to the documentation is very much needed.

@a9fagu & @gorgi Thanks again for the feedback! I have assigned the issue to the content author to review further and update the document as appropriate.

I'm probably missing something but retrieving the latest version is not working after updating the secret.

I have a secret called "mySecret" in a key vault and I'm using the following reference format (I tried both and none work):
@Microsoft.KeyVault(VaultName=;SecretName=mySecretKey;SecretVersion=)

It works the first time I add the reference to the app settings but if I change the secret value to something else after that, it will always read the original value.

@CCostaT I noticed the same thing. There is some hard caching in place. Restarting the service doesn't clear the cache, but you would have to stop the service (Azure App Service or Function) and start it again in order for the new value to be retrieved.

@gorgi Yup it does look like it. I wonder if there's a better place to report this to get it fixed faster.

I can't use this without the version. I am on webapp for container, and using .NET Core 3.0. What are you using, @gorgi?

Hmm. After more inspection it looks like I had some errors in my config. It is working for webapp for containers and .NET Core 3.0.

This could actually be nice to know: is this going to be officially supported, or is this a "hidden feature" that is going to be removed soon, or changed? I want to use this in production, but I don't want to break things.

I would argue this is not just a "nice to know" but a "must know" if we intend to use it in production environments, otherwise we risk having production outages at any random time. I would also like to leverage this behavior for the same reasons as explained above. I'm hopeful @SnehaAgrawal-MSFT can clarify soon if this behavior is officially supported and if we can rely on it for our prod services.

Is this going to be officially supported? Or?
@SnehaAgrawal-MSFT it could actually be nice to know if, behind the scenes, the retrieval of the secret is using this extension when the secret is added as an environment variable without a version:

public static System.Threading.Tasks.Task<Microsoft.Azure.KeyVault.Models.SecretBundle> GetSecretAsync (this Microsoft.Azure.KeyVault.IKeyVaultClient operations, string vaultBaseUrl, string secretName, System.Threading.CancellationToken cancellationToken = null);

The extension method is taken from this documentation: https://docs.microsoft.com/en-us/dotnet/api/microsoft.azure.keyvault.keyvaultclientextensions.getsecretasync?view=azure-dotnet-legacy#Microsoft_Azure_KeyVault_KeyVaultClientExtensions_GetSecretAsync_Microsoft_Azure_KeyVault_IKeyVaultClient_System_String_System_String_System_Threading_CancellationToken_

Because if it is so, then I would argue that it is officially supported. I would also argue that it should be noted in the documentation about environment variables that the feature exists, because it is a very good feature to have included. I would actually argue that it is a very good selling point when looking into which vault provider should be used when storing secrets.

Lately I've been having problems with retrieving the secret without the version. When I deploy my function with an ARM template, it gives errors that the key vault reference is invalid, which results in the function host not starting since it is not resolved. When I change it to a specific version, it seems to work. I know it still has not been confirmed that it is officially supported, but is anyone else having these issues?

@psyduck101 I used it without a version in a function app recently. Make sure you specify the URL properly:

@Microsoft.KeyVault(SecretUri=https://{vault-url}/secrets/SecretName/)

The forward slash at the end might be the issue with your configuration?
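To see how the two reference shapes in this thread (the SecretUri form above and the VaultName/SecretName/SecretVersion form earlier) differ in what they resolve to, here is a small audit script that parses them and reports whether each app setting is pinned to a version or versionless. It is an added example, not code from the page or from Azure; the vault name contoso-kv and the settings dictionary are constructed sample values.

```python
import re
from urllib.parse import urlparse

# The two Key Vault reference shapes discussed in the thread:
#   @Microsoft.KeyVault(SecretUri=https://<vault>.vault.azure.net/secrets/<name>/[<version>])
#   @Microsoft.KeyVault(VaultName=<vault>;SecretName=<name>[;SecretVersion=<version>])
_REF = re.compile(r"^@Microsoft\.KeyVault\((?P<body>.*)\)$")

def parse_keyvault_reference(value: str):
    """Return {'vault', 'secret', 'version'} for a reference, or None if the value
    is a plain setting. version is None when the reference is versionless, i.e. it
    resolves to the latest enabled version of the secret."""
    m = _REF.match(value.strip())
    if not m:
        return None
    parts = dict(p.split("=", 1) for p in m.group("body").split(";") if "=" in p)
    if "SecretUri" in parts:
        u = urlparse(parts["SecretUri"])
        segs = [s for s in u.path.split("/") if s]  # trailing slash tolerated
        # expect ['secrets', name] or ['secrets', name, version]
        if u.scheme != "https" or len(segs) < 2 or segs[0] != "secrets":
            raise ValueError(f"malformed SecretUri: {parts['SecretUri']}")
        return {"vault": u.hostname, "secret": segs[1],
                "version": segs[2] if len(segs) > 2 else None}
    if "VaultName" in parts and "SecretName" in parts:
        # An empty SecretVersion= (as in the thread) also means "latest".
        return {"vault": parts["VaultName"], "secret": parts["SecretName"],
                "version": parts.get("SecretVersion") or None}
    raise ValueError(f"unrecognised Key Vault reference: {value}")

def audit_app_settings(settings: dict) -> dict:
    """Classify each setting as 'plain', 'pinned' (explicit version) or 'versionless'.
    Versionless references pick up a rotated secret without an app-setting change,
    subject to the caching behaviour described in this thread."""
    report = {}
    for key, value in settings.items():
        ref = parse_keyvault_reference(value)
        if ref is None:
            report[key] = "plain"
        else:
            report[key] = "pinned" if ref["version"] else "versionless"
    return report

# Constructed sample app settings (not taken from the page).
SAMPLE_SETTINGS = {
    "DbPassword": "@Microsoft.KeyVault(SecretUri=https://contoso-kv.vault.azure.net/secrets/DbPassword/)",
    "ApiKey": "@Microsoft.KeyVault(SecretUri=https://contoso-kv.vault.azure.net/secrets/ApiKey/0123456789abcdef0123456789abcdef)",
    "Legacy": "@Microsoft.KeyVault(VaultName=contoso-kv;SecretName=mySecretKey;SecretVersion=)",
    "LogLevel": "Information",
}

if __name__ == "__main__":
    for name, kind in audit_app_settings(SAMPLE_SETTINGS).items():
        print(f"{name}: {kind}")
```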

The url is matching with what you specified, including the forward slash. It seems to have worked in the past, it just seems to be the last couple of weeks with ups and downs. I double checked my keyvault and function on possible settings, but these are all open.

I found out that it was related to the ARM template creation of resources being out of order, and the vault didn't contain the access policy yet the moment the site was created. Thanks for the help :)

I find that when I specify the version, it works. When I don't, it fails, and the Key Vault diagnostic troubleshooter tells me that there's no access policy for the consuming app. When you check it, of course the access policy is there, because it just works when you put the version back on the reference.

In Oct 2019, @mattchenderson said (twitter):

We’re working on support for versionless config, and we will document it when ready.

How did that turn out Matt?
