
The HTTP-triggered Azure Function below, running on the consumption plan, is not returning the latest secret value from Azure Key Vault even after an idle time of 1 hour.

Assumption as per Azure Functions scaling: the function app will be deleted (or) scaled down to zero when no requests are received for ~20 mins.

If the above assumption is true, then Startup.cs will be called on the next invocation after the idle time, which will in turn connect to Key Vault to get the latest value of the secret and update appconfig.cs with that latest secret value accordingly. But this is not happening: even after the idle time, the old secret value is still returned. This behavior implies the function app may not be scaled down even after idle time.

Why is the function app which hosts the HTTP trigger function not scaling down even after idle time?

Why is the above-mentioned behavior of returning a stale secret value observed? What needs to be done to overcome the secret value staleness?

P.S.: Currently only a function app restart returns the latest secret value from Key Vault.

I don't know what I have misunderstood here about the serverless architecture of Azure Functions.

On Startup.cs

    using System.IO;
    using Microsoft.Azure.Functions.Extensions.DependencyInjection;
    using Microsoft.Extensions.Configuration;
    using Microsoft.Extensions.DependencyInjection;

    [assembly: FunctionsStartup(typeof(SampleAzureFunction.Startup))]
    namespace SampleAzureFunction
    {
        public class Startup : FunctionsStartup
        {
            private AppConfig _appConfig;
            public IConfigurationRoot _configuration;

            public override void Configure(IFunctionsHostBuilder builder)
            {
                // currentDirectory was not defined in the original snippet
                var currentDirectory = Directory.GetCurrentDirectory();

                var configurationBuilder = new ConfigurationBuilder()
                   .SetBasePath(currentDirectory)
                   .AddJsonFile("appsettings.json", optional: false, reloadOnChange: true)
                   .AddEnvironmentVariables();

                _appConfig = new AppConfig();
                _configuration = configurationBuilder.Build();
                ConfigurationBinder.Bind(_configuration, _appConfig);

                // here C# code to update appConfig => DBConfig => PrimaryKey with the secret value held in
                // Key Vault, using the "KeyVaultClient" class in the Microsoft.Azure.KeyVault namespace
                // ..... (elided in the question)

                // Registered once per host instance: the singleton keeps the value read at startup
                builder.Services.AddSingleton<IAppConfig>(_appConfig);
            }
        }
    }

On MyClass.cs

    using System.Threading.Tasks;
    using Microsoft.AspNetCore.Http;
    using Microsoft.AspNetCore.Mvc;
    using Microsoft.Azure.WebJobs;
    using Microsoft.Azure.WebJobs.Extensions.Http;

    namespace SampleAzureFunction
    {
        public class MyClass
        {
            private readonly IAppConfig _appConfig;
            public MyClass(IAppConfig appConfig)
            {
                _appConfig = appConfig;
            }

            [FunctionName("myfunc")]
            public async Task<IActionResult> RunAsync([HttpTrigger(AuthorizationLevel.Function, "get", Route = null)] HttpRequest req)
            {
                var secret = _appConfig.PrimaryKey;
                // always returns the old secret, not the new secret updated in Key Vault,
                // even after a function app idle time of >1 hour
                return new OkObjectResult(secret);
            }
        }
    }

appsettings.json

    {
      "IsEncrypted": false,
      "Values": {
        "AzureWebJobsStorage": ""
      },
      "AzureKeyVaultConfig": {
        "VaultUrl": ""
      },
      "DBConfig": {
        "DBUri": "",
        "PrimaryKey": "", //not configured in appsettings but in keyvault
        "DBName": ""
      }
    }
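The pattern in the question binds the secret into a singleton once in Configure(), so the value lives as long as the host instance does, and the consumption plan only says the app *may* scale to zero. As an added example (not the asker's code), the provider below resolves secrets on demand with a short TTL, using the current Azure.Security.KeyVault.Secrets SDK in place of the question's Microsoft.Azure.KeyVault client; the CachedSecretProvider type, the 5-minute TTL and the AzureKeyVaultConfig__VaultUrl setting name are assumptions.

```csharp
using System;
using System.Collections.Concurrent;
using System.Threading.Tasks;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;
using Microsoft.Azure.Functions.Extensions.DependencyInjection;
using Microsoft.Extensions.DependencyInjection;

namespace SampleAzureFunction
{
    // Hypothetical provider (added example): secrets are fetched on demand and cached
    // for a short TTL, so a rotated value is served once the TTL lapses, whether or
    // not the host instance is ever recycled.
    public sealed class CachedSecretProvider
    {
        private readonly SecretClient _client;
        private readonly TimeSpan _ttl;
        private readonly ConcurrentDictionary<string, (string Value, DateTimeOffset FetchedAt)> _cache =
            new ConcurrentDictionary<string, (string Value, DateTimeOffset FetchedAt)>();

        public CachedSecretProvider(Uri vaultUri, TimeSpan ttl)
        {
            // Managed identity of the Function App; no vault credentials in app settings.
            _client = new SecretClient(vaultUri, new DefaultAzureCredential());
            _ttl = ttl;
        }

        public async Task<string> GetAsync(string name)
        {
            if (_cache.TryGetValue(name, out var hit) && DateTimeOffset.UtcNow - hit.FetchedAt < _ttl)
                return hit.Value;
            // Miss or expired: read the current (latest) version from Key Vault.
            KeyVaultSecret secret = await _client.GetSecretAsync(name);
            _cache[name] = (secret.Value, DateTimeOffset.UtcNow);
            return secret.Value;
        }
    }

    public class Startup : FunctionsStartup
    {
        public override void Configure(IFunctionsHostBuilder builder)
        {
            // Assumed app setting name: the nested "AzureKeyVaultConfig:VaultUrl" key flattened with "__".
            var vaultUrl = Environment.GetEnvironmentVariable("AzureKeyVaultConfig__VaultUrl")
                ?? throw new InvalidOperationException("AzureKeyVaultConfig__VaultUrl is not set");
            // Register the provider, not a snapshot of the secret, so each request resolves it.
            builder.Services.AddSingleton(new CachedSecretProvider(new Uri(vaultUrl), TimeSpan.FromMinutes(5)));
        }
    }
}
```

The function class injects CachedSecretProvider and calls `await _secrets.GetAsync("<secret-name>")` inside RunAsync instead of reading a value captured at startup, so a rotated secret is served once the TTL lapses without restarting the app. The `[assembly: FunctionsStartup(typeof(Startup))]` attribute from the question is still required.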
  • maybe I've missed something in your code, but unless you change appsettings.json it will always return the same value – Thiago Custodio Sep 07 '21 at 17:14
  • @ThiagoCustodio, in Startup.cs I'm using the Key Vault SDK to retrieve the secret from Key Vault on every function invocation, so any latest changes to the Key Vault secret value should also be considered, at least during every function app instance invocation, right? – 191180rk Sep 07 '21 at 17:26
  • with the code you've provided I can't tell if your assumption is correct or not. One thing I would like to double-check with you: are you retrieving the secrets using the Secret URI? – Thiago Custodio Sep 07 '21 at 17:27
  • @ThiagoCustodio, not using the Secret URI, but using the "KeyVaultClient" class in the "Microsoft.Azure.KeyVault" namespace – 191180rk Sep 07 '21 at 17:32
  • First of all, the docs page you linked says "the platform may scale the number of instances on which your app runs down to zero"; it doesn't say that it always happens. Also, in the snippets you share I see you are reading from the AppSettings; are those linked to the Key Vault secrets? You can do this directly from the Portal, see this post: https://daniel-krzyczkowski.github.io/Integrate-Key-Vault-Secrets-With-Azure-Functions/ – gbellmann Sep 07 '21 at 19:11
  • Another thing to consider: do you have the "Always on" setting enabled? If so, your app will never scale to zero instances. – gbellmann Sep 07 '21 at 19:14
  • @gbellmann, thanks for this suggestion ("You can do this directly from the Portal"), but we intentionally did not take that path as we have our own class library to read secrets from Key Vault. Also, my Azure function runs on the consumption plan, where there is no 'Always on' option – 191180rk Sep 08 '21 at 03:49
  • Based on the initial investigations, we understood that in order to pull the latest secret from Key Vault using an Azure function you need to perform a management operation (update, enabling & disabling of the function, or restart of the function app). Here is the reference SO thread: https://stackoverflow.com/questions/69063567/handling-key-rotation-in-azure-function-app-which-pulls-latest-secret-version-fr – VenkateshDodda Sep 13 '21 at 10:34
  • Can't do any management operation on the function app as our requirement won't allow that. To avoid the function app restart, I tried the Key Vault SDK approach of fetching the secrets in Configure() of Startup.cs, considering that a new function app instance would get created after idle time, which would invoke Configure() of Startup.cs, which would fetch the new version of the secret; but the HTTP function doesn't seem to scale down even after idle time, because of which the old/cached version of the secret is returned and not the latest. So the question is: why is the function app which hosts the HTTP trigger function not scaling down even after idle time? – 191180rk Sep 13 '21 at 16:17
