7

I'm using Azure Key Vault Configuration Provider to read some secrets at app startup. The secrets however keep rotating throughout the day and I want to be able to reload the new values when this rotation happens.

What I'm talking about is similar to the reloadOnChange api

```csharp
.ConfigureAppConfiguration((context, config) =>
{
    config.AddJsonFile("appsettings.json", reloadOnChange: true);
})
```

Is this possible at all?

This is a webapi project so in practice, I could get away with manually reloading the values for every HttpRequest if that's better/more feasible.

reggaemahn
  • For the moment, I would get the secret every time you need it from kv. There is a new `Azure App Config` feature (in preview). It is promising and will do what you're after: https://learn.microsoft.com/en-us/azure/azure-app-configuration/overview – Thomas Jun 29 '19 at 05:52
  • You could also create an endpoint to reload the configuration: `IConfigurationRoot.Reload()` and invoke it anytime you update secrets in KV. – Thomas Jun 29 '19 at 05:56
  • @Thomas The Azure App Config service is not the same thing as KV, it isn't for secret storage. – juunas Jun 29 '19 at 09:07
  • @juunas thanks for your comment, I misread this line from the documentation: App Configuration complements Azure Key Vault, which is used to store application secrets. I thought it would provide a unified store that can also get secrets from kv. Anyway thanks :-) – Thomas Jun 29 '19 at 09:19

3 Answers

16

Using Microsoft.Extensions.Configuration.AzureKeyVault (v3) you can do the following:

```csharp
configurationBuilder.AddAzureKeyVault(new AzureKeyVaultConfigurationOptions
{
    Vault = configuration["KeyVaultUrl"],
    ReloadInterval = TimeSpan.FromMinutes(10),
    Client = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(
       new AzureServiceTokenProvider().KeyVaultTokenCallback))
});
```

Now when you request for IConfiguration in your services, the KeyVault secrets will be available and refreshed based on your reload interval.

Bobby Koteski
6

Same thing as Bobby Koteski proposed, but with a newer Azure.Extensions.AspNetCore.Configuration.Secrets package, as Microsoft.Extensions.Configuration.AzureKeyVault is deprecated.

ReloadInterval is a time to wait between attempts at polling the Azure Key Vault for changes.

```csharp
configurationBuilder.AddAzureKeyVault(
    new SecretClient(
        new Uri(configuration["KeyVaultBaseUrl"]),
        new ManagedIdentityCredential(configuration["UserAssignedManagedIdentityClientId"])
    ),
    new AzureKeyVaultConfigurationOptions()
    {
        ReloadInterval = TimeSpan.FromSeconds(1000)
    }
);
```

And a link to the source code to see how it actually works :)

3

Secrets are cached until IConfigurationRoot.Reload() is called. Expired, disabled, and updated secrets in the key vault are not respected by the app until Reload is executed.

```csharp
Configuration.Reload();
```

For more details, you could refer to this article.

Joey Cai
  • Hey, thanks. I know about this api. I was hoping to have this done automatically somehow. Or at least be able to automate it per Http request. Do you know if there's a way to do that? – reggaemahn Jun 29 '19 at 13:06
  • When you use this and reload in browser it will automate per Http request. – Joey Cai Jul 05 '19 at 09:25
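
An added example (not code from any of the answers above) showing the consuming side of the `ReloadInterval` setup: the provider refreshes `IConfiguration` in the background, but a value copied into a field at startup stays stale, so the secret is read through `IOptionsMonitor<T>` on each request. The secret name `Db--Password`, the `DbOptions` class, the `/db-check` route and the use of `DefaultAzureCredential` are assumptions made for illustration.

```csharp
// Program.cs (.NET 6+ minimal hosting), package Azure.Extensions.AspNetCore.Configuration.Secrets.
// Assumed for illustration: secret "Db--Password", DbOptions, the /db-check route.
using Azure.Extensions.AspNetCore.Configuration.Secrets;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;
using Microsoft.Extensions.Options;
using Microsoft.Extensions.Primitives;

var builder = WebApplication.CreateBuilder(args);

// Poll Key Vault in the background; a rotated secret shows up within one interval.
builder.Configuration.AddAzureKeyVault(
    new SecretClient(
        new Uri(builder.Configuration["KeyVaultBaseUrl"]!),
        new DefaultAzureCredential()),
    new AzureKeyVaultConfigurationOptions
    {
        ReloadInterval = TimeSpan.FromMinutes(10)
    });

// The default secret manager maps the secret name "Db--Password" to the key "Db:Password".
// Binding a section this way also subscribes the options to configuration reloads.
builder.Services.Configure<DbOptions>(builder.Configuration.GetSection("Db"));

var app = builder.Build();

// Runs whenever the configuration root signals a reload.
// Log the event only, never the secret value itself.
ChangeToken.OnChange(
    () => app.Configuration.GetReloadToken(),
    () => app.Logger.LogInformation("Configuration reloaded at {Time}", DateTimeOffset.UtcNow));

// CurrentValue is rebuilt after a reload, so every request sees the latest secret
// without calling Reload() (and therefore Key Vault) once per request.
app.MapGet("/db-check", (IOptionsMonitor<DbOptions> db) =>
    Results.Ok(new { hasPassword = !string.IsNullOrEmpty(db.CurrentValue.Password) }));

app.Run();

// Options type bound from the "Db" configuration section (hypothetical).
public sealed class DbOptions
{
    public string? Password { get; set; }
}
```

Long-lived objects built from the secret (a pooled client, a cached connection string) still need to be recreated when the value changes; `IOptionsMonitor<T>.OnChange` is the hook for that.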