My team has been facing many bizarre issues with Azure Functions due to the fact that Key Vault referenced secrets are cached on the app service. We use Key Vault referenced secrets to retrieve secrets like SAS keys, that expire after a few hours. Because this behavior was not referenced in this doc, my team has wasted hours of several engineers' time trying to debug this issue. This behavior HAS to be documented here, and preferably you'd also link to the Key Vault documentation that also references how to reload the cached Key Vault referenced secrets (https://docs.microsoft.com/en-us/aspnet/core/security/key-vault-configuration?view=aspnetcore-3.1#reload-secrets).
@nofield Thanks for the feedback. We are actively investigating and will get back to you soon.
@nofield it sounds like you are not using a reference to a specific version of a secret?! This is not fully supported, see here https://github.com/MicrosoftDocs/azure-docs/issues/41917#issuecomment-551234263
@nofield, As sebader pointed out you could try the workaround mentioned in the other GitHub thread and let us know if it helps your case.
Your feedback has been shared with the content owner (@mattchenderson) for further review and to update the document as appropriate.
Thanks again for taking time to share your valuable feedback with us.
@sebader the fact of the matter is, it is supported, because it works. If it is only partially supported, where is that in the documentation? Also, as someone mentioned in the issue you pointed out, "This feature really does need a LATEST VERSION of a secret to be useful here. Hard-coding secret version numbers is doomed to failure". You can't expect users to need to go hunting through all GitHub issues before using a feature.
All I'm asking for here, though, is the explanation of functionality, and the expected behavior. Whether I'm using version numbers or not, the function caches the values, which is mentioned _nowhere_ in the actual documentation; it's only mentioned in (now multiple) issues.
@mattchenderson, Requesting your comment on this.
This is a fair request. The site may be running with an existing value, and we can call out compensating behavior with Event Grid rotation events, etc.
I will get this updated in the doc.