We have a CosmosDBTrigger-based function that we use for processing changes to any document in our Cosmos DB collections. The function uses a connection string to the CosmosDB and we have the connection string stored in Azure KeyVault.
Recently, our cloud team started putting in a key-rotation policy and is looking at rotating the auth keys for the Cosmos DB.
As the connection string has the auth key embedded, on such an auth-key rotation, this could cause the function to run into a stale auth key and could cause the invocation to fail.
I am not sure how the Managed Identity / Service Principal based access to Cosmos DB in this scenario works.
Has anyone else run into this kind of scenario? Any pointers on how to handle changes to the Connection String in this kind of scenario? Is there a way to force Azure Functions to refresh bound parameters? Or any other way to have the function app restart and pick up the new connection string from the configuration?
Much appreciate any pointers.
Here is the sample CosmosDBTrigger binding that we are using.
    public async Task MyCosmosDbTriggeredFunction([CosmosDBTrigger(
        databaseName: "%CosmosDbName%",
        collectionName: "MyCollection",
        ConnectionStringSetting = "CosmosDbConnectionString",
        // ConnectionStringSetting = "CosmosDbLocalEmulator",
        LeaseCollectionName = "MyCollectionLogLeases",
        CreateLeaseCollectionIfNotExists = true)] IReadOnlyList<Document> documents, ILogger log)
    {
        // Do something
    }
Thank you
Regards
Athadu
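
One way to take the auth key out of the trigger binding altogether, shown as an added example that is not part of the original post: an identity-based connection, so key rotation has nothing to invalidate. It assumes the 4.x Cosmos DB extension for the in-process model and a managed identity on the function app that holds a Cosmos DB data-plane role; the setting prefix `CosmosDbConnection`, the `MyDocument` type and the class name are hypothetical.

```csharp
// Added example, not the poster's code.
// Assumes Microsoft.Azure.WebJobs.Extensions.CosmosDB 4.x (in-process model), where
// the binding properties are Connection / containerName / LeaseContainerName
// instead of ConnectionStringSetting / collectionName / LeaseCollectionName.
//
// App settings (no secret involved, so there is no key to go stale):
//   CosmosDbConnection__accountEndpoint = https://<your-account>.documents.azure.com:443/
//   CosmosDbName                        = <database name>
//
// The function app's managed identity needs a Cosmos DB data-plane role on the
// account (for example "Cosmos DB Built-in Data Contributor").
using System.Collections.Generic;
using System.Threading.Tasks;
using Microsoft.Azure.WebJobs;
using Microsoft.Extensions.Logging;

// Hypothetical document shape; the 4.x extension binds to your own types.
public class MyDocument
{
    public string id { get; set; }
}

public class ChangeFeedFunctions
{
    [FunctionName("MyCosmosDbTriggeredFunction")]
    public Task Run(
        [CosmosDBTrigger(
            databaseName: "%CosmosDbName%",
            containerName: "MyCollection",
            // Prefix of the "__accountEndpoint" setting, not a connection string.
            Connection = "CosmosDbConnection",
            LeaseContainerName = "MyCollectionLogLeases",
            // Data-plane roles do not cover container creation, so the lease
            // container is created ahead of time instead of by the trigger.
            CreateLeaseContainerIfNotExists = false)] IReadOnlyList<MyDocument> documents,
        ILogger log)
    {
        foreach (var doc in documents)
        {
            log.LogInformation("Changed document {Id}", doc.id);
        }
        return Task.CompletedTask;
    }
}
```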