Categories: Azure

Azure Function App doesn’t retrieve most recent secret value from Azure Key Vault

Quite a long title for quite an annoying issue. Let me explain the set-up first: I have pipelines running in Azure Data Factory and I want to send e-mails with customized messages when something goes wrong (this means the standard alerting of ADF doesn’t cut it). ADF doesn’t have a built-in activity for sending e-mails (yes, I know, it’s 2024 and this is still lacking, but Fabric has it). First I used an Azure Logic App to do this, but there you need to log into Office 365 with an actual user, and I’m not really keen that my user account would be used in an automated process. So I switched to an Azure Function where I use PowerShell to send an e-mail using the Microsoft Graph AI SendMail endpoint. To authenticate, I’m using an app registration that has the Mail.Send permission assigned to it.

The secret of this app registration is stored in Azure Key Vault and the Azure Function app retrieves this as part of the application settings.

In the PowerShell function, this application setting is retrieved as an environment variable so it can authenticate with the Graph API using the app registation. So far so good, except that the secret of this app registration expires after 1 year (some time ago you could configure an expiration date for in the future, but it seems this isn’t possible anymore). The Azure Function started crashing with a 401 (Unauthorized) error.

Naively, I thought that adding a new version to the Azure Key Vault secret that stores the app registration secret would fix the issue. Alas, the same error was returned. I disabled the older version in Azure Key Vault. Still the same error. I restarted the Azure Function app. You guessed it: the same error. Apparently, the Function App caches the value of the application setting and very stubbornly it doesn’t reread it when restarted (even when stopped and then started). This is a known issue, but unlike what someone suggested, breaking the configuration and then fixing it again didn’t flush the cache.

The only reliable method to get the new Key Vault version is waiting 24 hours. After a certain time period, it seems the cache is invalidated and the new value is fetched. Another method that might work but requires some work is deleting the configuration and creating a new one – with a different name – but this means you’ll need to update the Azure Function itself as well. If you know of any other methods, let me know in the comments.

UPDATE 1: it’s an option to explicitly specify a version of the Key Vault secret in the app configuration. However, I want to avoid this as you would need to update the configuration each time the token expires. When you don’t specify a version, the app configuration should take the latest version, so in an ideal world where this caching bug doesn’t exist, not specifying a version is the preferred solution.

UPDATE 2: another option is suggested by Bartosz:

The Advanced Edit can be found here:

I haven’t tested it myself though. Maybe next year when the secret expires again 🙂


------------------------------------------------
Do you like this blog post? You can thank me by buying me a beer 🙂
Koen Verbeeck

Koen Verbeeck is a Microsoft Business Intelligence consultant at AE, helping clients to get insight in their data. Koen has a comprehensive knowledge of the SQL Server BI stack, with a particular love for Integration Services. He's also a speaker at various conferences.

Recent Posts

Book Review – Agile Data Warehouse Design

I recently read the book Agile Data Warehouse Design - Collaborative Dimensional Modeling, from Whiteboard…

4 days ago

Cloudbrew 2024 – Slides

You can find the slides for the session Building the €100 data warehouse with the…

1 week ago

Book Review – Microsoft Power BI Performance Best Practices

I was asked to do a review of the book Microsoft Power BI Performance Best…

1 month ago

Create a Numbers Table in Power Query

This is a quick blog post, mainly so I have the code available if I…

1 month ago

Microsoft finally adds Tenant Switcher for Fabric / Power BI

Praise whatever deity you believe in, because it's finally here, a tenant switcher for Microsoft…

1 month ago

Book Review – Humanizing Data Strategy by Tiankai Feng

This book was making its rounds on social media, and the concept seems interesting enough…

1 month ago