Azure webapp for containers doesnt update the Keyvault secret values on app restart.

Hi Jeeva,
When you refer to Azure key vault secrets in app settings ( @microsoft.keyvault (...)), the platform receives those mysteries and injects them as environmental variables at the app startup time.

It caches the major vault secret for 24 hours by design. (Microsoft Docs: Key Vault Reference)

Returning the app does not always fill the mystery immediately. This is because the values are obtained by the app service infrastructure and cash, not from your container.

The "Bridge Secret Value" feature tries to refresh those mysteries manually, but it is not always immediate and can be inconsistent (as you have seen).

Since you are using the web app for containers, there is a more reliable and scalable way to reach the secrets:

Option 1: Use key vault SDK/API inside your container

Instead of depending on the environmental variables depending on platform caching, use dynamic mysteries on runtime using:

Azure sdks (eg, @azure/keyvault-seconds in node.js, or azure.security.keyvault.secrets in .NET) or REST API directly

In this way, your app always draws the latest value from the key vault when it is required, and you avoid completely delay.
https://learn.microsoft.com/en-us/azure/key-vault/secrets/quick-create-net?tabs=azure-cli

Option 2: Use Azure App configuration + key vault integration (optional)

If you want to centralize and manage configures and mysteries together, the Azure App Configuration allows you to refer to key vault secrets with a better fresh mechanism.

https://learn.microsoft.com/en-us/azure/app-service/app-service-key-vault-references?tabs=azure-cli#grant-your-app-access-to-a-key-vault
https://learn.microsoft.com/en-us/azure/azure-app-configuration/reload-key-vault-secrets-dotnet#update-code-to-reload-key-vault-secrets-and-certificates
if you have any further concerns or queries, please feel free to reach out to us.

Understood. But don't understand why we complicate. We deploy new image to the webapp every time a release is created. At least if we could refresh these reference values at deploying new container image would help and make this feature more reliable. Yes I know that we could have used the sdk but trying to avoid additional dev work. My thoughts were why not use Azure feature than writing your own logic...

Hi Jeeva,
You’re right to expect that deploying a new container image should ideally pull fresh environment values from Key Vault references. Eventually, when the app is starting afresh-and it is natural to assume that it will re-read the configuration, including key vault secrets. The main reason is that before your container starts, the main vault references are solved by the Azure App Service Infrastructure. And unfortunately, the azure caches those secret values, usually for 24 hours, even in restart or redistribution - until something clearly triggers a refresh at the platform level. Therefore, even if your container is new, the app service environment can still serve cache secret price in the environment variables. This is for causes of performance and availability by cashing design.

https://learn.microsoft.com/en-us/azure/app-service/app-service-key-vault-references?tabs=azure-cli#secret-refresh-interval
Just checking in to see if information in comment was helpful. If you have any further updates on this issue, please feel free to post back.

Hi Jeeva,
We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution, please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.