Categories: Azure

Azure Function App doesn’t retrieve most recent secret value from Azure Key Vault

Quite a long title for quite an annoying issue. Let me explain the set-up first: I have pipelines running in Azure Data Factory and I want to send e-mails with customized messages when something goes wrong (this means the standard alerting of ADF doesn't cut it). ADF doesn't have a built-in activity for sending e-mails (yes, I know, it's 2024 and this is still lacking, but Fabric has it). First I used an Azure Logic App to do this, but there you need to log into Office 365 with an actual user, and I'm not really keen on my user account being used in an automated process. So I switched to an Azure Function where I use PowerShell to send an e-mail using the Microsoft Graph API sendMail endpoint. To authenticate, I'm using an app registration that has the Mail.Send permission assigned to it.

The secret of this app registration is stored in Azure Key Vault and the Azure Function app retrieves this as part of the application settings.

In the PowerShell function, this application setting is retrieved as an environment variable so the function can authenticate with the Graph API using the app registration. So far so good, except that the secret of this app registration expires after 1 year (some time ago you could configure an expiration date further in the future, but it seems this isn't possible anymore). The Azure Function started crashing with a 401 (Unauthorized) error.

Naively, I thought that adding a new version to the Azure Key Vault secret that stores the app registration secret would fix the issue. Alas, the same error was returned. I disabled the older version in Azure Key Vault. Still the same error. I restarted the Azure Function app. You guessed it: the same error. Apparently, the Function App caches the resolved value of the application setting and very stubbornly doesn't reread it when restarted (even when stopped and then started). This is a known issue, but unlike what someone suggested, breaking the configuration and then fixing it again didn't flush the cache.

The only reliable method to get the new Key Vault version is waiting 24 hours. After a certain time period, it seems the cache is invalidated and the new value is fetched. Another method that might work but requires some work is deleting the configuration and creating a new one – with a different name – but this means you’ll need to update the Azure Function itself as well. If you know of any other methods, let me know in the comments.
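One way to stop depending on the cached application setting at all is to fall back to reading the secret straight from Key Vault at runtime with the Function App's managed identity, which is not subject to the app-setting cache. The following run.ps1 is an added example, not the code from the original post: it first tries the cached value from the Key Vault reference, and only when Entra ID rejects that secret with a 401 does it fetch the current version from Key Vault and retry once. The app setting names (TenantId, GraphClientId, GraphClientSecret, KeyVaultName, SecretName, SenderUpn), the request body fields and the resource names are assumptions; the function is assumed to have a system-assigned managed identity with read access to the secret (for example the Key Vault Secrets User role).

```powershell
# run.ps1 of an HTTP-triggered PowerShell Azure Function (added example, not the
# post's code). Assumed app settings: TenantId, GraphClientId, GraphClientSecret
# (a Key Vault reference), KeyVaultName, SecretName, SenderUpn.
using namespace System.Net
param($Request, $TriggerMetadata)

# Client-credentials flow against the v2.0 token endpoint. An expired or disabled
# client secret is rejected here with HTTP 401 (invalid_client).
function Get-GraphToken {
    param([string]$ClientSecret)
    $body = @{
        client_id     = $env:GraphClientId
        client_secret = $ClientSecret
        scope         = 'https://graph.microsoft.com/.default'
        grant_type    = 'client_credentials'
    }
    $uri = "https://login.microsoftonline.com/$($env:TenantId)/oauth2/v2.0/token"
    (Invoke-RestMethod -Method Post -Uri $uri -Body $body `
        -ContentType 'application/x-www-form-urlencoded').access_token
}

# Read the *current* secret straight from Key Vault with the function's managed
# identity, bypassing the cached app setting. IDENTITY_ENDPOINT / IDENTITY_HEADER
# are injected by App Service when a managed identity is enabled; an unversioned
# GET returns the latest enabled version of the secret.
function Get-KeyVaultSecretDirect {
    param([string]$VaultName, [string]$SecretName)
    $tokenUri = "$($env:IDENTITY_ENDPOINT)?api-version=2019-08-01&resource=https://vault.azure.net"
    $kvToken  = (Invoke-RestMethod -Uri $tokenUri `
        -Headers @{ 'X-IDENTITY-HEADER' = $env:IDENTITY_HEADER }).access_token
    $secretUri = "https://$VaultName.vault.azure.net/secrets/$SecretName?api-version=7.4"
    (Invoke-RestMethod -Uri $secretUri -Headers @{ Authorization = "Bearer $kvToken" }).value
}

# POST /users/{sender}/sendMail; Graph answers 202 Accepted on success.
function Send-GraphMail {
    param([string]$Token, [string]$To, [string]$Subject, [string]$Text)
    $payload = @{
        message = @{
            subject      = $Subject
            body         = @{ contentType = 'Text'; content = $Text }
            toRecipients = @(@{ emailAddress = @{ address = $To } })
        }
        saveToSentItems = $false
    } | ConvertTo-Json -Depth 5
    Invoke-RestMethod -Method Post `
        -Uri "https://graph.microsoft.com/v1.0/users/$($env:SenderUpn)/sendMail" `
        -Headers @{ Authorization = "Bearer $Token" } -ContentType 'application/json' -Body $payload
}

# Assumed request body from the ADF Azure Function activity: { to, subject, message }
$to      = $Request.Body.to
$subject = $Request.Body.subject
$text    = $Request.Body.message

try {
    # First attempt: the secret as the Function App cached it from the Key Vault reference.
    $token = Get-GraphToken -ClientSecret $env:GraphClientSecret
} catch {
    $status = [int]$_.Exception.Response.StatusCode
    if ($status -ne 401) { throw }
    # 401 from the token endpoint: the cached secret is stale. Refetch and retry once;
    # a second 401 propagates, so a genuinely bad secret still fails loudly.
    Write-Warning 'Cached client secret rejected; fetching latest version from Key Vault'
    $fresh = Get-KeyVaultSecretDirect -VaultName $env:KeyVaultName -SecretName $env:SecretName
    $token = Get-GraphToken -ClientSecret $fresh
}

Send-GraphMail -Token $token -To $to -Subject $subject -Text $text

Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
    StatusCode = [HttpStatusCode]::Accepted
    Body       = 'Mail sent'
})
```

Two caveats for anyone copying this pattern. The Mail.Send application permission lets the app send as any mailbox in the tenant, so scope it with an Exchange Online application access policy to the one sender mailbox. And the rotating secret can be removed altogether by assigning the Mail.Send app role directly to the Function App's managed identity instead of an app registration, which leaves nothing to expire.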

UPDATE 1: it's an option to explicitly specify a version of the Key Vault secret in the app configuration. However, I want to avoid this as you would need to update the configuration each time the secret expires. When you don't specify a version, the app configuration should take the latest version, so in an ideal world where this caching bug doesn't exist, not specifying a version is the preferred solution.
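For reference, this is what the two flavours of Key Vault reference look like when set from PowerShell with the Az modules. This is an added example, not from the original post; the resource group, Function App, vault and secret names are placeholders.

```powershell
# Added example (not from the post): storing the Graph client secret app setting as a
# Key Vault reference, unversioned and versioned. All names below are placeholders.
$rg     = 'rg-adf-alerting'
$app    = 'func-adf-mail'
$vault  = 'kv-adf-alerting'
$secret = 'GraphClientSecret'

# Unversioned reference: resolves to the latest enabled version of the secret, but the
# Function App caches the resolved value (the behaviour described in this post).
$unversioned = "@Microsoft.KeyVault(SecretUri=https://$vault.vault.azure.net/secrets/$secret/)"

# Versioned reference: unambiguous and picked up when the setting changes, but it has
# to be rewritten after every rotation of the app registration secret.
$version   = (Get-AzKeyVaultSecret -VaultName $vault -Name $secret).Version
$versioned = "@Microsoft.KeyVault(SecretUri=https://$vault.vault.azure.net/secrets/$secret/$version)"

# Pick one; writing the setting restarts the app.
Update-AzFunctionAppSetting -ResourceGroupName $rg -Name $app `
    -AppSetting @{ GraphClientSecret = $unversioned }
```

The Function App's managed identity needs read access to the secret (Key Vault Secrets User role, or a get permission under access policies) for either reference to resolve; the resolution status of each reference is shown next to the setting in the portal's Configuration blade.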

UPDATE 2: another option is suggested by Bartosz:

The Advanced Edit can be found here:

I haven’t tested it myself though. Maybe next year when the secret expires again 🙂


Koen Verbeeck

Koen Verbeeck is a Microsoft Business Intelligence consultant at AE, helping clients to get insight in their data. Koen has a comprehensive knowledge of the SQL Server BI stack, with a particular love for Integration Services. He's also a speaker at various conferences.
