Question
I have a Linux Function App running on Consumption Plan that is using a Key Vault Reference in the Application Settings to retrieve and use a secret stored in an Azure Key Vault.
This works fine so far.
However, we have to change that secret every day (i.e. create a new version of that secret in the Key Vault and set an activation date for that secret) and would like to have the Function App automatically retrieve and use the new version as soon as it's activated without having to manually change the Key Vault reference to the new version of the secret.
Is this currently possible and how can this be achieved?
Answer 1:
It is currently not possible to do this.
https://docs.microsoft.com/en-us/azure/app-service/app-service-key-vault-references
Versions are currently required. When rotating secrets, you will need to update the version in your application configuration.
Restarting your function will not help you in any way, since rotating the secret means that you also create a new version of the secret. This is probably also why it is not supported at the moment. AppService does not get notified when a new version is available, and you probably don't want your AppService to restart automatically when you update a secret in KeyVault.
You either need to fetch the latest active secret manually in your function code, or update the reference via some other method. I would probably prefer the first method, since it can work without having to restart your AppService.
https://docs.microsoft.com/en-us/samples/azure-samples/app-service-msi-keyvault-dotnet/keyvault-msi-appservice-sample/
using System;
using Microsoft.Azure.KeyVault;
using Microsoft.Azure.Services.AppAuthentication;

// Body of an async MVC action in the linked sample; a function would return the
// secret instead of setting ViewBag. The managed identity needs "get" on secrets.
AzureServiceTokenProvider azureServiceTokenProvider = new AzureServiceTokenProvider();
try
{
    var keyVaultClient = new KeyVaultClient(
        new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback));
    // No version segment in the URL: Key Vault returns the latest version.
    var secret = await keyVaultClient.GetSecretAsync("https://keyvaultname.vault.azure.net/secrets/secret")
        .ConfigureAwait(false);
    ViewBag.Secret = $"Secret: {secret.Value}";
}
catch (Exception ex)
{
    ViewBag.Error = $"Something went wrong: {ex.Message}";
}
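The answer's first option, fetching the secret from code at runtime, as an added example that is not part of the original post or the linked sample. It goes one step further than the versionless lookup shown above: because the asker sets an activation date on each new version, it lists the versions and picks the newest one that is enabled, past its activation date and not expired, then caches that value for a short TTL so the function neither restarts nor hits Key Vault on every invocation. It assumes a Python Function App whose managed identity has the "get" and "list" secret permissions; the vault URL, secret name and the version metadata are placeholders constructed for the example.

```python
"""Pick the newest *active* version of a Key Vault secret at runtime and cache it.

Added example, not code from the original post. Assumes a Python Function App whose
managed identity has the "get" and "list" secret permissions on the vault; the vault
URL, secret name and SAMPLE_VERSIONS below are placeholders.
"""
import threading
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional


@dataclass
class VersionInfo:
    """The subset of azure.keyvault.secrets.SecretProperties this logic needs."""
    version: str
    enabled: bool
    not_before: Optional[datetime]   # activation date; None = active immediately
    expires_on: Optional[datetime]   # None = never expires
    created_on: datetime


def select_active_version(versions: List[VersionInfo], now: datetime) -> Optional[str]:
    """Newest version id that is enabled, activated and not expired, else None.

    The versionless secret URL resolves to the newest version even when its
    activation date is still in the future, so the choice is made here instead.
    """
    active = [
        v for v in versions
        if v.enabled
        and (v.not_before is None or v.not_before <= now)
        and (v.expires_on is None or v.expires_on > now)
    ]
    if not active:
        return None
    return max(active, key=lambda v: v.created_on).version


class SecretCache:
    """Maps a secret name to the value of its active version, re-checking every ttl seconds.

    list_versions(name) and get_value(name, version) are injected so the logic runs
    offline; build_from_key_vault() wires them to the real SDK.
    """

    def __init__(self, list_versions, get_value, ttl_seconds=300, clock=None):
        self._list_versions = list_versions
        self._get_value = get_value
        self._ttl = timedelta(seconds=ttl_seconds)
        self._clock = clock or (lambda: datetime.now(timezone.utc))
        self._lock = threading.Lock()
        self._entries: Dict[str, tuple] = {}   # name -> (version, value, fetched_at)

    def get(self, name: str) -> str:
        now = self._clock()
        with self._lock:
            entry = self._entries.get(name)
            if entry and now - entry[2] < self._ttl:
                return entry[1]
            version = select_active_version(self._list_versions(name), now)
            if version is None:
                raise LookupError(f"no active version of secret {name!r}")
            # Same version as last time: reuse the value instead of re-reading it.
            value = entry[1] if entry and entry[0] == version else self._get_value(name, version)
            self._entries[name] = (version, value, now)
            return value

    def invalidate(self, name: str) -> None:
        """Call when a downstream system rejects the cached value; next get() re-checks."""
        with self._lock:
            self._entries.pop(name, None)

    @classmethod
    def build_from_key_vault(cls, vault_url: str, ttl_seconds: int = 300) -> "SecretCache":
        """Wire the cache to a real vault via managed identity (SDK imports kept local)."""
        from azure.identity import DefaultAzureCredential
        from azure.keyvault.secrets import SecretClient

        client = SecretClient(vault_url=vault_url, credential=DefaultAzureCredential())

        def list_versions(name):
            return [VersionInfo(p.version, bool(p.enabled), p.not_before, p.expires_on, p.created_on)
                    for p in client.list_properties_of_secret_versions(name)]

        def get_value(name, version):
            return client.get_secret(name, version).value

        return cls(list_versions, get_value, ttl_seconds)


# Constructed sample metadata standing in for list_properties_of_secret_versions().
_UTC = timezone.utc
SAMPLE_VERSIONS = [
    VersionInfo("v1", True, datetime(2020, 6, 19, tzinfo=_UTC), datetime(2020, 6, 21, tzinfo=_UTC), datetime(2020, 6, 19, tzinfo=_UTC)),
    VersionInfo("v2", True, datetime(2020, 6, 20, tzinfo=_UTC), None, datetime(2020, 6, 20, tzinfo=_UTC)),
    VersionInfo("v3", True, datetime(2020, 6, 22, tzinfo=_UTC), None, datetime(2020, 6, 21, tzinfo=_UTC)),
    VersionInfo("v4", False, None, None, datetime(2020, 6, 21, 1, tzinfo=_UTC)),  # newest, but disabled
]


def demo():
    """Simulate the daily rotation: the value seen before and after v3 activates."""
    fake_now = [datetime(2020, 6, 21, 12, tzinfo=_UTC)]
    calls = {"list": 0}

    def list_versions(name):
        calls["list"] += 1
        return SAMPLE_VERSIONS

    cache = SecretCache(list_versions, lambda n, v: f"{n}:{v}", ttl_seconds=60, clock=lambda: fake_now[0])
    before = cache.get("app-secret")
    cache.get("app-secret")              # within the TTL: served from the cache, no listing
    fake_now[0] += timedelta(days=1)     # v3's activation date has now passed
    after = cache.get("app-secret")
    return before, after, calls["list"]
```

In the function itself you would create one `SecretCache.build_from_key_vault("https://keyvaultname.vault.azure.net")` at module load and call `.get("app-secret")` per invocation; the TTL bounds how long the old version is still used after activation, and `invalidate()` lets the function force a re-check when the downstream service rejects the credential.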
Source: https://stackoverflow.com/questions/62496934/azure-function-app-use-latest-version-of-key-vault-secret-via-application-settin