DEV Community

Krzysztof Kopieczek

Beware of caching in Azure Key Vault

Did you know that secrets read from Azure Key Vault may be out of date? This happened to me and caused a lot of confusion: the secret had been changed in the Key Vault, but the application kept receiving the old value.

It turned out that when Key Vault references (settings of the form @Microsoft.KeyVault(SecretUri=https://<vault-name>.vault.azure.net/secrets/<secret-name>)) are stored in the Web App or Azure Function configuration, as in the screenshot below, App Service caches the resolved values and may serve a stale one for up to 24 hours. Two details matter in practice: a configuration change that restarts the app causes all referenced secrets to be fetched again immediately, and a reference that pins a secret version (.../secrets/<secret-name>/<version>) will never pick up a rotated secret on its own, no matter how long you wait.

Screenshot of Azure Function Configuration

To be clear, the documentation does mention this caching, but not as prominently as it should. In my case, the value was finally refreshed in the cache after 16 hours.

Fortunately, there is a solution, and your application does not have to depend on this unpredictable caching mechanism. To always get an up-to-date secret, access Key Vault directly from the application code through the SDK (for .NET, the Azure.Security.KeyVault.Secrets and Azure.Identity packages), so that each read is a request to the vault rather than a lookup in the App Service cache:

using System;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

// kvUri is the vault URI, e.g. https://<vault-name>.vault.azure.net/
// DefaultAzureCredential uses the managed identity on App Service / Functions
var client = new SecretClient(new Uri(kvUri), new DefaultAzureCredential());

// Every call goes to Key Vault, so the latest enabled version is returned;
// the awaited result is Response<KeyVaultSecret>, hence .Value.Value for the string
var secret = await client.GetSecretAsync("secretName");
Console.WriteLine($"Your secret is '{secret.Value.Value}'."); // demo only: never log real secrets

It's not as convenient as Key Vault references, and every read is now a request to Key Vault, but short of restarting the app there is no alternative when the application must react to a changed secret immediately.

PS.
Azure Key Vault is billed per request, and a vault that is hit on every read will also run into the service's throttling limits, so you will still want to cache secrets in the application, just with a lifetime that you control rather than the 24-hour cache of Key Vault references: read about the Key Vault proxy policy.
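The following is an added example, not code from the original post or from the Key Vault proxy policy it links to. It shows the combination of the two points above in one place: secrets are read through the SDK so the latest enabled version is available, but the application keeps its own short-lived cache (five minutes here) and can force a refresh the moment a downstream component rejects the cached value, for example after a rotated connection string. The vault URI, the secret name and the five-minute lifetime are assumptions for illustration.

```csharp
using System;
using System.Collections.Concurrent;
using System.Threading;
using System.Threading.Tasks;
using Azure;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

// Added example (not the post's or the SDK's code): a thin TTL cache in front of
// SecretClient. Key Vault is only called when the cached entry is older than `ttl`
// or when the caller explicitly asks for a refresh, so the application decides how
// stale a secret may be instead of the 24-hour cache used for Key Vault references.
public sealed class CachedSecretReader
{
    private readonly SecretClient _client;
    private readonly TimeSpan _ttl;
    private readonly ConcurrentDictionary<string, (string Value, DateTimeOffset FetchedAt)> _cache = new();

    public CachedSecretReader(SecretClient client, TimeSpan ttl)
    {
        _client = client;
        _ttl = ttl;
    }

    // Returns the cached value while it is fresh, otherwise fetches the latest enabled
    // version from Key Vault. Pass forceRefresh: true after an authentication failure
    // against the system the secret protects, so a rotated secret is picked up at once
    // without waiting for the TTL to expire.
    public async Task<string> GetAsync(string name, bool forceRefresh = false, CancellationToken ct = default)
    {
        if (!forceRefresh
            && _cache.TryGetValue(name, out var entry)
            && DateTimeOffset.UtcNow - entry.FetchedAt < _ttl)
        {
            return entry.Value;
        }

        // No version argument: Key Vault returns the current enabled version.
        Response<KeyVaultSecret> response = await _client.GetSecretAsync(name, cancellationToken: ct);
        _cache[name] = (response.Value.Value, DateTimeOffset.UtcNow);
        return response.Value.Value;
    }
}

public static class Program
{
    public static async Task Main()
    {
        // Assumed vault URI and secret name; replace with your own.
        // DefaultAzureCredential resolves to the managed identity on App Service / Functions
        // and to developer credentials (Azure CLI, Visual Studio, ...) on a workstation.
        var kvUri = new Uri("https://my-vault.vault.azure.net/");
        var reader = new CachedSecretReader(
            new SecretClient(kvUri, new DefaultAzureCredential()),
            TimeSpan.FromMinutes(5));

        string connectionString = await reader.GetAsync("DbConnectionString");

        // Use connectionString to open the database. If that fails with an authentication
        // error, the secret may have been rotated: retry once with a forced refresh.
        // connectionString = await reader.GetAsync("DbConnectionString", forceRefresh: true);
    }
}
```

The design choice here is that freshness is driven by the consumer of the secret rather than by a timer alone: a short TTL keeps the request volume (and bill) low, and the forced refresh on a rejected credential gives the immediate reaction that Key Vault references cannot, without hitting the vault on every use. Register the reader as a singleton so the cache is shared across requests.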

Top comments (1)

Masi (masahigo)

Yes, I stumbled on this as well! I don't know what MS was thinking when they developed this feature into Azure App Service. Thanks for the solution.