1

I'm trying to understand the integration between Azure Functions and Key Vault. In the application settings file on the portal, if I reference a KV endpoint, does the Function runtime retrieve the result once and cache it locally or does it hit the endpoint every time the config key is referenced? In other words, I'm trying to understand if any changes in KV will require the Function app to be restarted or not.

user246392
  • 2,661
  • 11
  • 54
  • 96

4 Answers

2

Update: Versions no longer required for Key Vault references in App Service and Azure Functions

If a version is not specified in the reference, then the app will use the latest version that exists in Key Vault. When newer versions become available, such as with a rotation event, the app will automatically update and begin using the latest version within one day. Any configuration changes made to the app will cause an immediate update to the latest versions of all referenced secrets.


If you use App Service Key Vault References, you will need to update the configuration value in the Azure Portal. Restarting will not change anything. This is because you are referencing an actual secret version. If you update the secret, you will get a new version.

Versions are currently required. When rotating secrets, you will need to update the version in your application configuration

See also Azure Function App use latest version of Key Vault Secret via Application Settings

Alex AIT
  • 17,361
  • 3
  • 36
  • 73
2

For now, you don't need to restart your Azure function manually if you update a key value in Key Vault. The Azure function will restart automatically for you to load all new values. Azure functions load values defined in application settings at the start stage; if you use App Service Key Vault References in your Azure function, the key value will also be loaded from Key Vault at the start stage. If you modify application settings on the Azure Portal, your Azure function will get restarted to reload all settings: [screenshot]

These are my test steps:

My code is simple, just get the key value from application settings:

// C# script (.csx) HTTP-triggered function. System, System.Threading.Tasks,
// Microsoft.AspNetCore.Http and Microsoft.Extensions.Logging are imported
// automatically by the Functions host for .csx files.
#r "Newtonsoft.Json"

using System.Net;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Primitives;
using Newtonsoft.Json;

public static async Task<IActionResult> Run(HttpRequest req, ILogger log)
{
    log.LogInformation("C# HTTP trigger function processed a request.");

    // Application settings (including resolved Key Vault references) are exposed
    // to the function as environment variables; "key" is the setting name used here.
    string key = Environment.GetEnvironmentVariable("key");

    return new OkObjectResult(key);
}

My key config in application settings: [screenshot]

As you can see, I did not include SecretVersion, so that I can get the latest value in Key Vault. If you include SecretVersion in application settings, as @Alex AIT said, you should modify application settings with the latest SecretVersion as well.

Before I modify the key value: [screenshot]

Then I update the key4demo value in Key Vault to 78910: [screenshot]

The Azure function replies 503, which means it is restarting: [screenshot]

After a few seconds, my function replies with the latest value in KV: [screenshot]

Stanley Gong
  • 11,522
  • 1
  • 8
  • 16
  • Interesting that this works in spite of the official docs. I only found one GitHub Issue which calls it "not supported" / "not defined". Do you have further sources for this behavior? Even though I don't like the fact that it restarts my app (downtime), it is still interesting to see. https://github.com/MicrosoftDocs/azure-docs/issues/41917 – Alex AIT Jan 12 '21 at 06:37
  • @AlexAIT, LOL, actually I have been using this way for a long time; there seems to be no official doc mentioning it, but it does work. – Stanley Gong Jan 12 '21 at 07:08
  • Seems like it is now officially supported ;-) https://azure.microsoft.com/en-us/updates/versions-no-longer-required-for-key-vault-references-in-app-service-and-azure-functions/ – Alex AIT Feb 14 '21 at 15:23
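Added example (not code from any answer in this thread): the two answers above turn on whether a Key Vault reference pins a SecretVersion, because a pinned reference stays on the old version after rotation until the app setting is changed, while an unpinned one follows the latest version within 24 hours or immediately on a restart. The script below parses both documented reference forms and reports that per setting; the reference syntax, the vault and secret names and the version are assumptions of the example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Documented reference syntax (assumed here, not quoted from the thread); no version = "latest":
#   @Microsoft.KeyVault(SecretUri=https://<vault>.vault.azure.net/secrets/<name>[/<version>])
#   @Microsoft.KeyVault(VaultName=<vault>;SecretName=<name>[;SecretVersion=<version>])
_WRAPPER = re.compile(r"^@Microsoft\.KeyVault\((?P<body>.+)\)$", re.I)
_SECRET_URI = re.compile(r"^https://(?P<vault>[^./]+)\.vault\.azure\.net/secrets/"
                         r"(?P<name>[^/]+)(?:/(?P<version>[0-9a-f]{32}))?/?$", re.I)

@dataclass
class KvRef:
    vault: str
    name: str
    version: Optional[str]  # None = unpinned, the app follows the latest version

def parse_kv_reference(value: str) -> Optional[KvRef]:
    """Parse one app setting; None means it is a plain value, not a KV reference."""
    m = _WRAPPER.match(value.strip())
    if not m:
        return None
    fields = {k.strip().lower(): v.strip()
              for k, _, v in (p.partition("=") for p in m.group("body").split(";"))}
    if "secreturi" in fields:
        if not (u := _SECRET_URI.match(fields["secreturi"])):
            raise ValueError(f"malformed SecretUri: {fields['secreturi']}")
        return KvRef(u["vault"], u["name"], u["version"])
    if "vaultname" in fields and "secretname" in fields:
        return KvRef(fields["vaultname"], fields["secretname"], fields.get("secretversion"))
    raise ValueError(f"unrecognised Key Vault reference: {value}")

def rotation_impact(settings: dict) -> dict:
    """For each KV-backed setting, what rotating the secret in Key Vault means."""
    report = {}
    for name, value in settings.items():
        ref = parse_kv_reference(value)
        if ref is not None:
            report[name] = ("pinned: stays on the old version until the setting is updated"
                            if ref.version else
                            "latest: refetched within 24h, or at once on a config change/restart")
    return report

# Constructed sample settings (vault, secret names and version are made up).
SAMPLE_SETTINGS = {
    "DbPassword": "@Microsoft.KeyVault(SecretUri=https://examplevault.vault.azure.net"
                  "/secrets/db-password/0123456789abcdef0123456789abcdef)",
    "ApiKey": "@Microsoft.KeyVault(VaultName=examplevault;SecretName=api-key)",
    "FUNCTIONS_WORKER_RUNTIME": "dotnet",
}
```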
-1

No, no need to restart the function or anything. Key Vault lives a separate life.

nobodyfromhell
  • 321
  • 1
  • 10
-1

Microsoft Docs

If a version is not specified in the reference, then the app will use the latest version that exists in the key vault. When newer versions become available, such as with a rotation event, the app will automatically update and begin using the latest version within 24 hours. The delay is because App Service caches the values of the key vault references and refetches it every 24 hours. Any configuration changes to the app that results in a site restart causes an immediate refetch of all referenced secrets.

Zidan
  • 1
  • 1
  • As it's currently written, your answer is unclear. Please [edit] to add additional details that will help others understand how this addresses the question asked. You can find more information on how to write good answers [in the help center](/help/how-to-answer). – Community Jun 28 '22 at 16:19