Azure Function App use latest version of Key Vault Secret via Application Settings


Question

I have a Linux Function App running on Consumption Plan that is using a Key Vault Reference in the Application Settings to retrieve and use a secret stored in an Azure Key Vault.

This works fine so far.

However, we have to change that secret every day (i.e. create a new version of that secret in the Key Vault and set an activation date for that secret) and would like to have the Function App automatically retrieve and use the new version as soon as it's activated without having to manually change the Key Vault reference to the new version of the secret.

Is this currently possible and how can this be achieved?

Answer

This is currently not possible.

https://docs.microsoft.com/en-us/azure/app-service/app-service-key-vault-references

Versions are currently required. When rotating secrets, you will need to update the version in your application configuration.

Restarting your function will not help you in any way, since rotating the secret means that you also create a new version of the secret. This is probably also why it is not supported at the moment. AppService does not get notified when a new version is available, and you probably don't want your AppService to restart automatically when you update a secret in KeyVault.

You either need to fetch the latest active secret manually in your function code, or update the reference via some other method. I would probably prefer the first method, since it can work without having to restart your AppService.

https://docs.microsoft.com/en-us/samples/azure-samples/app-service-msi-keyvault-dotnet/keyvault-msi-appservice-sample/


    using System;
    using System.Threading.Tasks;
    using Microsoft.AspNetCore.Mvc;
    using Microsoft.Azure.KeyVault;
    using Microsoft.Azure.Services.AppAuthentication;

    // Adapted from the linked sample: an MVC action that reads a secret with the app's managed identity.
    public class HomeController : Controller
    {
        public async Task<IActionResult> About()
        {
            // Acquires a token for the app's managed identity (or developer credentials when run locally)
            AzureServiceTokenProvider azureServiceTokenProvider = new AzureServiceTokenProvider();
            try
            {
                var keyVaultClient = new KeyVaultClient(
                    new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback));
                // No version in the secret URL, so Key Vault returns the latest version of the secret
                var secret = await keyVaultClient.GetSecretAsync("https://keyvaultname.vault.azure.net/secrets/secret")
                    .ConfigureAwait(false);
                ViewBag.Secret = $"Secret: {secret.Value}";
            }
            catch (Exception exp)
            {
                ViewBag.Error = $"Something went wrong: {exp.Message}";
            }
            //...
            return View();
        }
    }
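The answer's first option (fetch the latest active secret from function code instead of relying on the Key Vault reference) has one subtlety the snippet above does not cover: when a new version is created with a future activation date, it is already the "latest" version, but Key Vault will refuse to return its value until that date. The following is an added example, not code from the answer or from the Microsoft sample, written against the current Azure SDK (Azure.Identity and Azure.Security.KeyVault.Secrets). It lists the secret's versions, keeps only those that are enabled, already activated and not expired, picks the newest of them, and caches the value for a short time so a daily rotation is picked up without restarting the Function App. The class name, the vault URI and the secret name are placeholders.

```csharp
using System;
using System.Threading;
using System.Threading.Tasks;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

// Hypothetical helper: create one instance per secret (e.g. a static field in the
// function class) and call GetValueAsync from the function body on every invocation.
public sealed class LatestActiveSecretProvider
{
    private readonly SecretClient _client;
    private readonly string _secretName;
    private readonly TimeSpan _ttl;
    private readonly SemaphoreSlim _gate = new(1, 1);
    private string? _cachedValue;
    private string? _cachedVersion;
    private DateTimeOffset _cachedAt = DateTimeOffset.MinValue;

    public LatestActiveSecretProvider(Uri vaultUri, string secretName, TimeSpan ttl)
    {
        // DefaultAzureCredential uses the Function App's managed identity when running in Azure
        _client = new SecretClient(vaultUri, new DefaultAzureCredential());
        _secretName = secretName;
        _ttl = ttl;
    }

    // A version is usable only if it is enabled, its activation date (nbf) has passed
    // and its expiry (exp) has not been reached. Unset dates impose no restriction.
    public static bool IsActive(SecretProperties p, DateTimeOffset now) =>
        p.Enabled != false
        && (p.NotBefore is null || p.NotBefore <= now)
        && (p.ExpiresOn is null || p.ExpiresOn > now);

    public async Task<string> GetValueAsync(CancellationToken ct = default)
    {
        if (_cachedValue is not null && DateTimeOffset.UtcNow - _cachedAt < _ttl)
            return _cachedValue;

        await _gate.WaitAsync(ct);
        try
        {
            // Re-check under the lock so concurrent invocations do not all hit the vault
            if (_cachedValue is not null && DateTimeOffset.UtcNow - _cachedAt < _ttl)
                return _cachedValue;

            var now = DateTimeOffset.UtcNow;
            SecretProperties? newest = null;
            await foreach (SecretProperties v in _client.GetPropertiesOfSecretVersionsAsync(_secretName, ct))
            {
                if (!IsActive(v, now))
                    continue;
                if (newest is null ||
                    (v.CreatedOn ?? DateTimeOffset.MinValue) > (newest.CreatedOn ?? DateTimeOffset.MinValue))
                    newest = v;
            }

            if (newest is null)
                throw new InvalidOperationException($"No active version of secret '{_secretName}' found.");

            // Only read the secret value when the active version actually changed
            if (newest.Version != _cachedVersion)
            {
                KeyVaultSecret secret = await _client.GetSecretAsync(_secretName, newest.Version, ct);
                _cachedValue = secret.Value;
                _cachedVersion = newest.Version;
            }

            _cachedAt = now;
            return _cachedValue!;
        }
        finally
        {
            _gate.Release();
        }
    }
}

// Usage inside a function (placeholders for the vault and secret name):
//   private static readonly LatestActiveSecretProvider DbPassword = new(
//       new Uri("https://<your-vault>.vault.azure.net/"), "<secret-name>", TimeSpan.FromMinutes(5));
//   ...
//   string password = await DbPassword.GetValueAsync(ct);
```

Two points worth noting: the managed identity needs permission to list secret versions as well as to read them (the "list" permission in an access policy, or the Key Vault Secrets User role under RBAC), and the cache TTL bounds how long the function keeps using the previous version after a new one becomes active, so pick it to match how quickly the rotation must take effect.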
