7

Below is the Key-Vault problem which I am facing.

I have a Key-Vault which stores some keys which are used in a web app and functions using @Microsoft.KeyVault(SecretUri=). The value of the secret will change every three days using an automation. That will change the version number (GUID) as well, and then the app setting value (at least one, in the case of Primary and Secondary) will become invalid. Is there any way I can refer to the latest value from the Key Vault in app settings? Updating the app settings in all the websites will be a tedious process.

Kaushik Gayal

  • From this question, you could leave out the version number to get the secret. You could have a try: https://stackoverflow.com/questions/48432376/how-to-get-the-latest-secret-version-value-from-azure-key-vault-in-one-rest-api – George Chen Apr 03 '19 at 07:14

5 Answers

8

For my App Service, I did have success using a Key Vault reference in the form below with no version:

@Microsoft.KeyVault(SecretUri=https://<vault_name>.vault.azure.net/secrets/<secret_name>/)

However, I did have to Stop and Start (not Restart) the App Service to pull in the new secret value from the key vault.

  • That forward slash at the end "/" fixed my issue. Just restarting the app service worked for me – David Smit Oct 16 '19 at 09:16
  • Thanks. It only worked after doing a stop and restart of my web app. That's so bad Microsoft :(. Restart did not work for me either. – Stephane Jan 15 '20 at 19:12
  • I use `"@Microsoft.KeyVault(VaultName=myvault-kv-dev;SecretName=myKeyName)"` and even when I stop and start it does not refresh my secrets. I have to redeploy. It is not good because my main purpose is to avoid redeploying when the secret changes... – zolty13 Apr 29 '21 at 11:59
  • @zolty13 Did you manage to solve it or create a workaround? Neither restart nor start/stop is working for me (strangely, if I update a dummy environment variable just for the purpose of Azure doing a different kind of restart, then the value is reloaded, but I do not want dummy variables) – Chevul Ervin Feb 22 '22 at 13:21
  • In my new project I use Key Vault references in ARM templates, so I change secrets in ARM or manually if necessary – zolty13 Feb 23 '22 at 17:23
  • @Stephane I went to "Deployment Center" and added a "Start up file or command". I entered a space in there so I could "Save" the changes. Then I removed the space character and saved it again. That is then "re-deployed" with the latest secret value. – Edgaras Jun 26 '23 at 11:01
3

Key Vault references are currently in preview.

A Key Vault reference is of the form @Microsoft.KeyVault({referenceString}), where {referenceString} is replaced by one of the following options:

  1. SecretUri=secretUri

where SecretUri should be the full data-plane URI of a secret in Key Vault, including a version, e.g., https://myvault.vault.azure.net/secrets/mysecret/ec96f02080254f109c51a1f14cdb1931

  2. VaultName=vaultName;SecretName=secretName;SecretVersion=secretVersion

where VaultName should be the name of your Key Vault resource. The SecretName should be the name of the target secret. The SecretVersion should be the version of the secret to use.

For example, a complete reference would look like the following:

@Microsoft.KeyVault(SecretUri=https://myvault.vault.azure.net/secrets/mysecret/ec96f02080254f109c51a1f14cdb1931)

Alternatively:

@Microsoft.KeyVault(VaultName=myvault;SecretName=mysecret;SecretVersion=ec96f02080254f109c51a1f14cdb1931)

In the current preview, versions are required. When rotating secrets, you will need to update the version in your application configuration.

Ketan

  • Then I may need to create a runbook to update the version in all app settings of websites and functions and trigger that runbook using the automation which is changing the secret value. – Kaushik Gayal Apr 03 '19 at 06:52
  • Exactly! It could be a runbook or a REST call. https://learn.microsoft.com/en-us/rest/api/appservice/webapps/updateapplicationsettings – Ketan Apr 03 '19 at 06:56
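Added example, not code from any of the answers or from Microsoft: a small Python helper that parses both reference forms quoted above, reports which app settings pin a secret version that rotation has already superseded (the failure the question describes), and rewrites them either to the current version (the runbook approach from the comments) or to the versionless trailing-slash form from the top answer. The sample settings dictionary, the "current version" map and every version string other than the documentation example are constructed for the demo; in a real runbook the current versions would come from Key Vault and the settings from the app's configuration.

```python
import re
from urllib.parse import urlparse

# Outer shape of an App Service Key Vault reference; the platform's own error text
# in this thread shows it lower-cased, so match case-insensitively.
REF_RE = re.compile(r"^@Microsoft\.KeyVault\((?P<body>.*)\)$", re.IGNORECASE)


def parse_keyvault_reference(value):
    """Return {'vault', 'secret', 'version'} for a Key Vault reference, or None if the
    value is not a reference. 'version' is None for an unpinned (trailing-slash) reference."""
    m = REF_RE.match(value.strip())
    if not m:
        return None
    parts = {}
    for kv in m.group("body").split(";"):
        if "=" in kv:
            k, v = kv.split("=", 1)
            parts[k.strip().lower()] = v.strip()
    if "secreturi" in parts:
        u = urlparse(parts["secreturi"])
        segs = [s for s in u.path.split("/") if s]   # expected: secrets/<name>[/<version>]
        if len(segs) < 2 or segs[0].lower() != "secrets":
            raise ValueError("malformed SecretUri: %s" % parts["secreturi"])
        vault = u.netloc.split(".")[0]
        return {"vault": vault, "secret": segs[1], "version": segs[2] if len(segs) > 2 else None}
    if "vaultname" in parts and "secretname" in parts:
        return {"vault": parts["vaultname"], "secret": parts["secretname"],
                "version": parts.get("secretversion") or None}
    raise ValueError("unrecognised reference body: %s" % m.group("body"))


def build_reference(vault, secret, version=None):
    """Build a SecretUri-form reference. With version=None the URI ends in a slash,
    the unpinned form that App Service resolves to the latest enabled version."""
    uri = "https://%s.vault.azure.net/secrets/%s/%s" % (vault, secret, version or "")
    return "@Microsoft.KeyVault(SecretUri=%s)" % uri


def find_stale_references(app_settings, current_versions):
    """Names of settings whose reference pins a version that no longer matches
    current_versions {(vault, secret): version}. Unpinned references are never stale."""
    stale = []
    for name, value in app_settings.items():
        ref = parse_keyvault_reference(value)
        if ref is None or ref["version"] is None:
            continue
        current = current_versions.get((ref["vault"].lower(), ref["secret"].lower()))
        if current is not None and current != ref["version"]:
            stale.append(name)
    return stale


def rewrite_references(app_settings, current_versions=None, unpin=False):
    """Return a copy of app_settings with stale pinned references moved to the current
    version, or, with unpin=True, every reference rewritten to the versionless form."""
    current_versions = current_versions or {}
    out = dict(app_settings)
    for name, value in app_settings.items():
        ref = parse_keyvault_reference(value)
        if ref is None:
            continue
        key = (ref["vault"].lower(), ref["secret"].lower())
        if unpin:
            out[name] = build_reference(ref["vault"], ref["secret"], None)
        elif ref["version"] is not None and current_versions.get(key) not in (None, ref["version"]):
            out[name] = build_reference(ref["vault"], ref["secret"], current_versions[key])
    return out


# Constructed sample app settings; the first version string is the one from the docs
# quoted in the answer above, the others are made up for the demo.
SAMPLE_SETTINGS = {
    "DbPassword": "@Microsoft.KeyVault(SecretUri=https://myvault.vault.azure.net/secrets/mysecret/ec96f02080254f109c51a1f14cdb1931)",
    "ApiKey": "@Microsoft.KeyVault(VaultName=myvault;SecretName=apikey;SecretVersion=0000aaaa)",
    "Latest": "@Microsoft.KeyVault(SecretUri=https://myvault.vault.azure.net/secrets/mysecret/)",
    "Plain": "not-a-reference",
}
# Constructed stand-in for what a rotation runbook would read back from Key Vault.
CURRENT_VERSIONS = {("myvault", "mysecret"): "1111bbbb", ("myvault", "apikey"): "0000aaaa"}

if __name__ == "__main__":
    print("stale:", find_stale_references(SAMPLE_SETTINGS, CURRENT_VERSIONS))
    for k, v in rewrite_references(SAMPLE_SETTINGS, CURRENT_VERSIONS).items():
        print(k, "=", v)
```

Only the SecretUri form is emitted on rewrite, because that is the form the top answer reports as working unpinned; whether a stop/start or redeploy is still needed afterwards is the open issue the comments on that answer discuss.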
1

Restarting the app service didn't take effect immediately, so this is what I did.

  1. Delete the secret variable from KeyVault.
  2. Purge the deleted variable (so that you can create a new one with the same name)
  3. Create the secret variable again using the same name and with its new value.
  4. Optional: Resave any configuration settings having @Microsoft.KeyVault(SecretUri=... so it refreshes its internals. Although we did not change anything, sometimes you get the dreaded error Keyword not supported: @microsoft.keyvault(secreturi... blah blah
Ε Г И І И О

  • Had to do the same, disappointing that it's so involved. Next time I will create a second secret and switch to using that before deleting the first one. – Rob Sedgwick Apr 01 '22 at 08:16
0

With Azure Python SDK you can do something like this:

from azure.keyvault import KeyVaultClient, KeyVaultId  # legacy azure-keyvault 1.x SDK

# kv_client is a KeyVaultClient built with your credentials (not shown here);
# passing an empty version selects the latest enabled version of the secret
kv_client.get_secret("https://%kvname%.vault.azure.net/", name, KeyVaultId.version_none)
# or this (KeyVaultId.version_none is just the empty string)
kv_client.get_secret("https://%kvname%.vault.azure.net/", name, "")

Both of these will pull the latest version of the secret, so I assume that doing this in code in C# would be more or less identical (or at least possible). Not so sure about the app settings of web apps =\.

You can, probably, use some sort of automation (like PowerShell) to update those.

4c74356b41

0

On the Web App > Configuration > Connection strings, just updating the current value of the property to whatever and then back to the original value did the trick. No need to restart the service.